Securing network traffic by distributing policies in a hierarchy over secure tunnels

US 8,327,437 B2
Filed: 08/10/2010
Issued: 12/04/2012
Est. Priority Date: 06/14/2006
Status: Active Grant

First Claim

Patent Images

1. A system for securing Internet Protocol (IP) traffic, the system comprising:

a first security module, within a first local communication network, configured to apply a security policy to a network connection, the security policy including at least a definition of a security group, the security group includes at least a subset of a group of end nodes located at the first local communication network;

a first distribution point, located at the first local communication network, configured to determine the security policy and to forward the security policy to a first managing module;

the first managing module being associated with the first communication network and configured toa) upon receiving the security policy from the first distribution point, record an association between the security group and an identifier for the first distribution point; and

b) send a message to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.

Citations

20 Claims

1. A system for securing Internet Protocol (IP) traffic, the system comprising:
- a first security module, within a first local communication network, configured to apply a security policy to a network connection, the security policy including at least a definition of a security group, the security group includes at least a subset of a group of end nodes located at the first local communication network;
  
  a first distribution point, located at the first local communication network, configured to determine the security policy and to forward the security policy to a first managing module;
  
  the first managing module being associated with the first communication network and configured toa) upon receiving the security policy from the first distribution point, record an association between the security group and an identifier for the first distribution point; and
  
  b) send a message to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the communication network includes an Ethernet, an asynchronous transfer mode (ATM), one or more inter-networking or a wireless communication network.
  - 3. The system of claim 1, wherein the first group of end nodes include any of a personal computer, a workstation, a personal digital assistant, a digital mobile telephone, a wireless network, a server, a video set top boxes and a data processor.
  - 4. The system of claim 1, wherein the first security module is a Policy Enforcement Point.
  - 5. The system of claim 1, wherein the first distribution point is further configured to forward an updated version of the security policy to the first managing module according to a schedule.
  - 6. The system of claim 1, wherein the central managing module is configured to generate a security group database entry based on the message sent from the first managing module.
  - 7. The system of claim 6, wherein the security group database entry indicates that:
    - a) the security policy is located at the first managing module; and
      
      b) the security policy is controlled by the first distribution point.
  - 8. The system of claim 6, wherein the first managing module and the central managing module are in a hierarchy, the hierarchy comprising at least a second managing module, wherein:
    - the second managing module is associated with a second local communication network and configured to send a message to the central managing module that indicates the second managing module has additional information associated with the definition of the security group.
  - 9. The system of claim 8, wherein the central managing module is further configured to send a message to the first managing module that the second managing module has the additional information.
  - 10. The system of claim 9 further comprising a secure association formed between the first distribution point and the a second distribution point for exchanging keys for encryption and decryption of a data packet.
  - 11. The system of claim 10, wherein the first distribution point is further configured to distribute the exchanged keys to additional one or more security modules in the first local communications network.

12. A method for securing message traffic in a data network by distributing security policies comprising the steps of:
- at a first distributing point located at a first local communication network,determining a security policy to be applied to a network connection, the security policy including at least a definition of a security group and a network device that is assigned to the security group, the security group includes at least a subset of a group of end nodes located at the first local communication network;
  
  forwarding the security policy from the first distribution point to a first managing module associated with the first local communication network,at the first managing module,receiving the security policy from the first distribution point;
  
  recording a first association between the first security policy and an identifier for the first distribution point;
  
  sending a message to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point, andat the central managing module,receiving the first message; and
  
  generating a security group database entry based on the first message.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12 further comprising the step of:
    - at the central managing module,receiving additional messages associated with definitions of additional security groups from two or more additional managing modules associated with, respectively, two or more other local communication networks; and
      
      generating additional security group databases entry based on the additional information.
  - 14. The method of claim 13 further comprising:
    - at a second managing module associated with a second local communication network that includes a second distribution point,recording a second association between the security policy and an identifier for a the second distribution point.
  - 15. The method of claim 14 further comprising:
    - at the central managing module,receiving a message from the second managing module indicating that the second managing module has additional information associated with the definition of the security group; and
      
      updating the first security group database.
  - 16. The method of claim 15 further comprising:
    - at the central managing module;
      
      sending a message to the first managing module indicating that the second managing module has the additional information.
  - 17. The method of claim 16, wherein the message sent to the first managing module identifies the second distribution point, the method further comprising:
    - at the first managing module,sending a message to the first distribution point to add the second distributing point to the security group.
  - 18. The method of claim 17 further comprising a step of exchanging keys between the first and second distribution points via one or more secure tunnels.
  - 19. The method of claim 18 further comprising:
    - at the first location that includes one or more additional security components,distributing the exchanged keys to one or more security components in the first local communication network.

20. A non-transitory computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network by distributing security policies, the computer readable medium program codes performing functions comprising:
- a routine for determining a security policy to be applied to a network connection at a first distributing point located at a first local communication network, the security policy including at least a definition of a security group and a network device that is assigned to the security group, the security group includes at least a subset of a group of end nodes located at the first local communication network;
  
  a routine for forwarding the security policy from the first distribution point to a first managing module associated with the first local communication network;
  
  a routine for receiving at the first managing module the security policy from the first distribution point;
  
  a routine for recording at the first managing module a first association between the security group and an identifier for the first distribution point;
  
  a routine for sending a message from the first managing module to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point;
  
  a routine for receiving the first message at the central managing module; and
  
  a routine for generating a security group database entry based on the first message at the central managing module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
McAlister, Donald K.
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US12/853,936
Publication Number

US 20110013776A1
Time in Patent Office

847 Days
Field of Search

None
US Class Current

726/15
CPC Class Codes

H04L 63/105   Multiple levels of security

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Securing network traffic by distributing policies in a hierarchy over secure tunnels

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing network traffic by distributing policies in a hierarchy over secure tunnels

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links