Deploying group VPNs and security groups over an end-to-end enterprise network
First Claim
1. A method for providing secure communication among members in a virtual private network comprising:
- defining a security group, the security group comprising identification of two or more members to be enabled to securely communicate with one another, the two or more members being protected by two or more respective policy enforcement points;
- upon request by a group member to communicate with other members of a security group, determining if the group member is authenticated using a virtual private network (VPN) authentication function; and
- if the group member is authenticated by the VPN authentication function, presenting the group member with a security association to enable the member to carry out secure communication within the group, the security association being provided by a network overlay including (i) a key authority point, with respect to the policy enforcement points, that is triggered upon the authentication of the member to distribute the security association to the policy enforcement point associated with the member, and (ii) a management and policy server, separate from the key authority point, that (a) maintains information related to the security group, (b) generates and distributes at least one security policy to the key authority point, and (c) triggers the key authority point, upon the authentication of the member, to provide to the policy enforcement point associated with the member at least one encryption key.
Abstract
Group Virtual Private Networks (Group VPNs) are provided for different types of machines in a data processing network. Security groups are defined by a security policy for each member. Security policies and encryption keys are deployed to members of a security group using an IPSec network infrastructure, with authentication via VPN mechanisms. The group VPNs provide a trusted IP network that can leverage and co-exist with security access control technologies, such as endpoint security that controls client network access or application security that controls user access to enterprise applications.
70 Citations
26 Claims
14. An apparatus for providing secure communication among members in a virtual private network (VPN) comprising:
- a security group storage device, for storing a definition of a security group, the security group comprising an identification of two or more members of the VPN to be enabled to securely communicate with one another, the two or more members being protected by two or more respective policy enforcement points;
- a receiver, for receiving a request by a group member to communicate with other members of a security group;
- a virtual private network (VPN) authentication server, for determining if the group member is authenticated; and
- a security association interface, for receiving a security association to enable an authenticated member to carry out secure communication with other group members, the interface receiving the security association through a network overlay including (i) a key authority point, with respect to the policy enforcement points, that is triggered upon the authentication of the group member to distribute the security association to the policy enforcement point associated with the group member, and (ii) a management and policy server, separate from the key authority point, configured to (a) maintain information related to the security group, (b) generate and distribute at least one security policy to the key authority point, and (c) trigger the key authority point, upon the authentication of the member, to provide to the policy enforcement point associated with the member at least one encryption key.
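As an added example that is not from the patent or from any product, the following Python model walks through the flow the claims describe: a management and policy server (MAP server, an assumed name) defines the group and pushes policy to the key authority point (KAP), the VPN authentication function gates each member's request, and only then does the KAP release the group security association to that member's policy enforcement point (PEP). The class names, the credential store and the sample group are constructed for illustration.

```python
import os
# Constructed credential store standing in for the claims' VPN authentication
# function (pre-shared secrets for this toy model only, not a real design).
VPN_CREDENTIALS = {"alice": "s3cret-a", "bob": "s3cret-b", "mallory": "s3cret-m"}

def vpn_authenticate(member, secret):
    return VPN_CREDENTIALS.get(member) == secret  # True only for a valid credential
class PolicyEnforcementPoint:
    """Gateway protecting one member; receives group SAs from the KAP."""
    def __init__(self, member):
        self.member, self.security_associations = member, {}

class KeyAuthorityPoint:
    """KAP: holds policies pushed by the MAP server and one key per group."""
    def __init__(self, peps):
        self.peps, self.policies, self.group_keys = peps, {}, {}
    def install_policy(self, group, policy):
        self.policies[group] = policy
        self.group_keys.setdefault(group, os.urandom(32))  # group key, not pairwise
    def distribute_sa(self, group, member):
        # Triggered by the MAP server: push the group SA to the member's PEP.
        sa = {"group": group, "key": self.group_keys[group], "policy": self.policies[group]}
        self.peps[member].security_associations[group] = sa
        return sa

class MapServer:
    """MAP server, separate from the KAP: owns groups and policies, never keys."""
    def __init__(self, kap):
        self.kap, self.groups = kap, {}
    def define_group(self, group, members, policy):
        self.groups[group] = set(members)
        self.kap.install_policy(group, policy)
    def request_access(self, member, secret, group):
        # Gate on VPN authentication and membership before triggering the KAP.
        if not vpn_authenticate(member, secret) or member not in self.groups.get(group, ()):
            return None
        return self.kap.distribute_sa(group, member)

def run_demo():
    peps = {m: PolicyEnforcementPoint(m) for m in VPN_CREDENTIALS}
    maps = MapServer(KeyAuthorityPoint(peps))
    maps.define_group("finance", ["alice", "bob"], {"transform": "esp-aes256-sha256"})
    sa_alice = maps.request_access("alice", "s3cret-a", "finance")
    sa_bob = maps.request_access("bob", "s3cret-b", "finance")
    return {
        "shared_group_key": sa_alice["key"] == sa_bob["key"],
        "bad_secret_rejected": maps.request_access("bob", "wrong", "finance") is None,
        "non_member_rejected": maps.request_access("mallory", "s3cret-m", "finance") is None,
        "mallory_pep_has_sa": "finance" in peps["mallory"].security_associations,
    }
```

The point the model makes visible is that both authenticated members end up with the same group key (a group SA rather than pairwise SAs), while a failed VPN authentication or a non-member request leaves the PEP without any SA.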
Specification