Deploying group VPNS and security groups over an end-to-end enterprise network

US 8,607,301 B2
Filed: 09/27/2006
Issued: 12/10/2013
Est. Priority Date: 09/27/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing secure communication among members in a virtual private network comprising:

defining a security group, the security group comprising identification of two or more members to be enabled to securely communicate with one another, the two or more members being protected by two or more respective policy enforcement points; and

upon request by a group member to communicate with other members of a security group,determining if the group member is authenticated using a virtual private network (VPN) authentication function; and

if the group member is authenticated by the VPN authentication function, presenting the group member with a security association to enable the member to carry out secure communication within the group, the security association being provided by a network overlay including (i) a key authority point, with respect to the policy enforcement points, that is triggered upon the authentication of the member to distribute the security association to the policy enforcement point associated with the member, and (ii) a management and policy server, separate from the key authority point, that (a) maintains information related to security group, (b) generates and distribute at least one security policy to the key authority point, and (c) triggers the key authority point, upon the authentication of the member, to provide to the policy enforcement point associated with the member at least one encryption key.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Group Virtual Private Networks (Group VPNS) are provided for different types of machines in a data processing network. Security groups are defined by a security policy for each member. Security policies and encryption keys are deployed to members of a security group using an IPSec network infrastructure with authentication via VPN mechanisms. The group VPNs provide a trusted IP network that can leverage and co-exist with security access control technologies, such as endpoint security that controls client network access or application security that controls user access to enterprise applications.

70 Citations

View as Search Results

26 Claims

1. A method for providing secure communication among members in a virtual private network comprising:
- defining a security group, the security group comprising identification of two or more members to be enabled to securely communicate with one another, the two or more members being protected by two or more respective policy enforcement points; and
  
  upon request by a group member to communicate with other members of a security group,determining if the group member is authenticated using a virtual private network (VPN) authentication function; and
  
  if the group member is authenticated by the VPN authentication function, presenting the group member with a security association to enable the member to carry out secure communication within the group, the security association being provided by a network overlay including (i) a key authority point, with respect to the policy enforcement points, that is triggered upon the authentication of the member to distribute the security association to the policy enforcement point associated with the member, and (ii) a management and policy server, separate from the key authority point, that (a) maintains information related to security group, (b) generates and distribute at least one security policy to the key authority point, and (c) triggers the key authority point, upon the authentication of the member, to provide to the policy enforcement point associated with the member at least one encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein security groups are defined across physically distributed network sites without restriction on group members'"'"' physical locations.
  - 3. The method of claim 1 wherein secure communication between group members uses an IPSec protocol.
  - 4. The method of claim 3 wherein communication between group members uses IPsec packets where an original IP packet header is sent in the clear and an IP packet payload is sent in encrypted form.
  - 5. The method of claim 1 wherein security group members are defined by a method selected from a group consisting ofuser clients to user clients, as defined by subnets/IP addresses to subnets/IP addresses;
    - clients to host applications/datacenters, as defined by subnets/IP addresses to IP addresses;
      
      orhost applications/datacenters to applications/datacenters, as defined by IP addresses to IP addresses.
  - 6. The method of claim 1 wherein security groups are defined as internal, external or remote.
  - 7. The method of claim 1 wherein a group member belongs to more than one security group.
  - 8. The method of claim 1 wherein the step of determining if the group member is authenticated is additionally integrated with Group VPN access control.
  - 9. The method of claim 1 wherein security groups are integrated with enterprise security policies for users and applications, for organizational, or for functional groups.
  - 10. The method of claim 1 wherein determining if the group member is authenticated further comprises:
    - forwarding an authentication request to a Network Access Control (NAC) server.
  - 11. The method of claim 10 further comprising:
    - at the NAC, accessing a RADIUS server, to authenticate the group member to the VPN.
  - 12. The method of claim 1, wherein the security association is generated by the key authority point based at least in part on the at least one security policy distributed by the management and policy server.
  - 13. The method of claim 1, wherein the management and policy server further triggers the key authority point to exchange encryption keys for the security group with at least one other key authority point serving at least one group member of the security group.

14. An apparatus for providing secure communication among members in a virtual private network (VPN) comprising:
- a security group storage device, for storing a definition of a security group, the security group comprising an identification of two or more members of the VPN to be enabled to securely communicate with one another, the two or more members being protected by two or more respective policy enforcement points;
  
  a receiver, for receiving a request by a group member to communicate with other members of a security group;
  
  a virtual private network (VPN) authentication server, for determining if the group member is authenticated; and
  
  a security association interface, for receiving a security association to enable an authenticated member to carry out secure communication with other group members, the interface receiving the security association through a network overlay including (i) a key authority point, with respect to the policy enforcement points, that is triggered upon the authentication of the group member to distribute the security association to the policy enforcement point associated with the group member, and (ii) a management and policy server, separate from the key authority point, configured to (a) maintain information related to security group, (b) generate and distribute at least one security policy to the key authority point, and (c) trigger the key authority point, upon the authentication of the member, to provide to the policy enforcement point associated with the member at least one encryption key.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The apparatus of claim 14 wherein security groups are defined across physically distributed network sites without restriction on group members'"'"' physical locations.
  - 16. The apparatus of claim 14 wherein secure communication between group members uses an IPSec protocol.
  - 17. The apparatus of claim 16 wherein communication between group members uses IPsec packets where an original IP packet header is sent in the clear and an IP packet payload is sent in encrypted form.
  - 18. The apparatus of claim 14 wherein security group members are selected from a group consisting ofuser clients to user clients, as defined by subnets/IP addresses to subnets/IP addresses;
    - clients to host applications/datacenters, as defined by subnets/IP addresses to IP addresses;
      
      orhost applications/datacenters to applications/datacenters, as defined by IP addresses to IP addresses.
  - 19. The apparatus of claim 14 wherein security groups are defined as internal, external or remote.
  - 20. The apparatus of claim 14 wherein a group member belongs to more than one security group.
  - 21. The apparatus of claim 14 wherein the VPN authentication server is additionally integrated with a Group VPN access controller.
  - 22. The apparatus of claim 14 wherein security groups are integrated with enterprise security policies for users and applications, for organizational, or for functional groups.
  - 23. The apparatus of claim 14 wherein VPN authentication server further comprises:
    - a Network Access Control (NAC) server.
  - 24. The apparatus of claim 23 further comprising:
    - a RADIUS server, to authenticate the group member to the NAC.
  - 25. The apparatus of claim 14, wherein the security association is generated by the key authority point based at least in part on the at least one security policy distributed by the management and policy server.
  - 26. The apparatus of claim 14, wherein the management and policy server is configured to further trigger the key authority point to exchange encryption keys for the security group with at least one other key authority point serving at least one group member of the security group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Carrasco, Serge-Paul
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US11/529,560
Publication Number

US 20080127327A1
Time in Patent Office

2,631 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/08   Key distribution or managem...

Deploying group VPNS and security groups over an end-to-end enterprise network

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Deploying group VPNS and security groups over an end-to-end enterprise network

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links