Securing network traffic by distributing policies in a hierarchy over secure tunnels
First Claim
1. A system for securing Internet Protocol (IP) traffic, the system comprising:
- a first security module, within a first local communication network, configured to apply a security policy to a network connection, the security policy including at least a definition of a security group, the security group includes at least a subset of a group of end nodes located at the first local communication network;
- a first distribution point, located at the first local communication network, configured to determine the security policy and to forward the security policy to a first managing module;
- the first managing module being associated with the first communication network and configured to a) upon receiving the security policy from the first distribution point, record an association between the security group and an identifier for the first distribution point; and b) send a message to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point.
Abstract
A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.
20 Claims
12. A method for securing message traffic in a data network by distributing security policies comprising the steps of:
- at a first distributing point located at a first local communication network, determining a security policy to be applied to a network connection, the security policy including at least a definition of a security group and a network device that is assigned to the security group, the security group includes at least a subset of a group of end nodes located at the first local communication network;
- forwarding the security policy from the first distribution point to a first managing module associated with the first local communication network;
- at the first managing module, receiving the security policy from the first distribution point; recording a first association between the first security policy and an identifier for the first distribution point; sending a message to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point; and
- at the central managing module, receiving the first message; and generating a security group database entry based on the first message.
20. A non-transitory computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network by distributing security policies, the computer readable medium program codes performing functions comprising:
- a routine for determining a security policy to be applied to a network connection at a first distributing point located at a first local communication network, the security policy including at least a definition of a security group and a network device that is assigned to the security group, the security group includes at least a subset of a group of end nodes located at the first local communication network;
- a routine for forwarding the security policy from the first distribution point to a first managing module associated with the first local communication network;
- a routine for receiving at the first managing module the security policy from the first distribution point;
- a routine for recording at the first managing module a first association between the security group and an identifier for the first distribution point;
- a routine for sending a message from the first managing module to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point;
- a routine for receiving the first message at the central managing module; and
- a routine for generating a security group database entry based on the first message at the central managing module.
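The procedure that claims 1, 12 and 20 share (a distribution point determines the policy, the local managing module records the group-to-distribution-point association and sends a message upward, the central managing module builds a group database entry from that message) is modelled below as an added Python example; it is not code from the patent or its assignee. The class names, the message layout and the sample values are assumptions. The point the model makes explicit is the abstract's design goal: key material and the detailed policy stay at the lowest level, and the central module holds only enough to answer "which distribution point defines this group".

```python
"""Hierarchical security-policy distribution modelled on the claims above.

Added illustration, not the patent's own code. Class names, the message
dict layout and all sample values are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityPolicy:
    """Policy as determined at a distribution point (lowest hierarchy level).

    The group definition names the end nodes; the key material and the
    per-connection rule stay here and are never forwarded upward.
    """
    group_name: str
    members: frozenset        # subset of the end nodes of the local network
    assigned_device: str      # network device assigned to the group (claims 12, 20)
    key_material: bytes       # stays at the lowest level of the hierarchy
    rule: str


@dataclass
class DistributionPoint:
    """Determines the policy for one local network and hands it to the local manager."""
    dp_id: str
    local_end_nodes: frozenset

    def determine_policy(self, group_name, members, device, key, rule):
        # The claims require the group to be a subset of the local end nodes.
        if not frozenset(members) <= self.local_end_nodes:
            raise ValueError("security group must be a subset of the local end nodes")
        return SecurityPolicy(group_name, frozenset(members), device, key, rule)


@dataclass
class LocalManagingModule:
    """Associated with one local network; records group -> distribution point."""
    network: str
    associations: dict = field(default_factory=dict)  # group_name -> dp_id
    policies: dict = field(default_factory=dict)      # group_name -> full policy

    def receive_policy(self, policy, dp_id):
        self.associations[policy.group_name] = dp_id
        self.policies[policy.group_name] = policy
        # The message sent upward carries only the group identity and which
        # distribution point stored its definition: no members, no keys, no rule.
        return {"network": self.network, "group": policy.group_name, "dp_id": dp_id}


@dataclass
class CentralManagingModule:
    """Holds a security group database built purely from upward messages."""
    group_db: dict = field(default_factory=dict)  # group_name -> (network, dp_id)

    def receive_message(self, msg):
        entry = (msg["network"], msg["dp_id"])
        self.group_db[msg["group"]] = entry
        return entry

    def locate(self, group_name):
        """Answer 'who holds this group's definition' without holding the definition."""
        return self.group_db.get(group_name)


def distribute(dp, lmm, central, policy):
    """Run the full chain: local record, upward message, central DB entry."""
    msg = lmm.receive_policy(policy, dp.dp_id)
    return central.receive_message(msg), msg


def demo():
    # Constructed sample values, not taken from the patent.
    dp = DistributionPoint("dp-site-a-1", frozenset({"host-a1", "host-a2", "host-a3"}))
    lmm = LocalManagingModule("site-a")
    central = CentralManagingModule()
    policy = dp.determine_policy("finance", {"host-a1", "host-a2"},
                                 "gw-a", b"\x00" * 16, "esp-required")
    distribute(dp, lmm, central, policy)
    return lmm, central


if __name__ == "__main__":
    lmm, central = demo()
    print("central knows:", central.locate("finance"))
    print("local holds key:", lmm.policies["finance"].key_material.hex())
```

Run it to see the split: the central module can locate the "finance" group at site-a / dp-site-a-1, while the 16-byte key and the member list exist only in the local managing module's store. A subset violation at the distribution point is rejected before anything is recorded.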