Wireless network having multiple security interfaces

US 8,799,991 B2
Filed: 08/31/2012
Issued: 08/05/2014
Est. Priority Date: 02/07/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by a network device and upon receipt of network traffic at the network device, a source zone and a destination zone,the network device being associated with the source zone, the destination zone, and another source zone,the network traffic being received from the source zone and being intended for a network resource associated with the destination zone,the network resource being identified using a destination address included in the network traffic,the source zone being associated with a first wireless network and the destination zone being associated with a second wireless network, andthe first wireless network and the second wireless network being established between the network device and a plurality of devices prior to the network traffic being received;

identifying, by the network device, a first security policy and a second security policy to be applied to the network traffic,the first security policy being associated with the identified source zone,the second security policy being associated with the identified destination zone,the first security policy being different than the second security policy,a third security policy being associated with the other source zone;

applying, by the network device, the identified first security policy and the identified second security policy to the network traffic to determine whether to permit access to the network resource,the third security policy being applied to additional network traffic, associated with the other source zone and the destination zone, to determine whether the additional network traffic is to be forwarded to the network resource when the additional network traffic is received; and

selectively forwarding the network traffic to the network resource based on applying the identified first security policy and the identified second security policy to the network traffic.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session.

Citations

20 Claims

1. A method comprising:
- identifying, by a network device and upon receipt of network traffic at the network device, a source zone and a destination zone,the network device being associated with the source zone, the destination zone, and another source zone,the network traffic being received from the source zone and being intended for a network resource associated with the destination zone,the network resource being identified using a destination address included in the network traffic,the source zone being associated with a first wireless network and the destination zone being associated with a second wireless network, andthe first wireless network and the second wireless network being established between the network device and a plurality of devices prior to the network traffic being received;
  
  identifying, by the network device, a first security policy and a second security policy to be applied to the network traffic,the first security policy being associated with the identified source zone,the second security policy being associated with the identified destination zone,the first security policy being different than the second security policy,a third security policy being associated with the other source zone;
  
  applying, by the network device, the identified first security policy and the identified second security policy to the network traffic to determine whether to permit access to the network resource,the third security policy being applied to additional network traffic, associated with the other source zone and the destination zone, to determine whether the additional network traffic is to be forwarded to the network resource when the additional network traffic is received; and
  
  selectively forwarding the network traffic to the network resource based on applying the identified first security policy and the identified second security policy to the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving, from a particular device of the plurality of devices and via the first wireless network, the network traffic during a network session established between the network device and the particular device.
  - 3. The method of claim 1, further comprising:
    - identifying, by the network device and upon receipt of particular network traffic at the network device, the other source zone and another destination zone,the other destination zone being associated with another network resource,the other network resource being identified using another destination address included in the particular network traffic;
      
      identifying, by the network device, at least one security policy to be applied to the particular network traffic,the at least one security policy being identified based on the identified other source zone and the identified other destination zone; and
      
      applying, by the network device, the at least one security policy to the particular network traffic to determine whether the particular network traffic is to be forwarded to the other network resource.
  - 4. The method of claim 1, further comprising:
    - identifying, by the network device and upon receipt of the additional network traffic at the network device, the other source zone and the destination zone,the other source zone being identified based on a source address included in the additional network traffic;
      
      identifying, by the network device, the third security policy to be applied to the additional network traffic,the third security policy being identified based on the identified other source zone; and
      
      applying, by the network device, the third security policy to the additional network traffic to determine whether the additional network traffic is to be forwarded to the network resource.
  - 5. The method of claim 4, where the network traffic and the additional network traffic are received by the network device during concurrent network sessions.
  - 6. The method of claim 4, where applying the third security policy comprises:
    - applying, by the network device, the third security policy to the additional network traffic to determine whether the applied third security policy permits access to the network resource, andwhere the method further comprises;
      
      permitting, by the network device and when the applied third security policy permits access to the additional network resource, the additional network traffic to be forwarded to the network resource; and
      
      preventing, by the network device and when the applied third security policy does not permit access to the network resource, the additional network traffic from being forwarded to the network resource.
  - 7. The method of claim 1, further comprising:
    - determining, by the network device, whether the applied first security policy and the applied second security policy permit access to the network resource;
      
      denying access to the network resource when the network device determines that the applied first security policy or the applied second security policy permit do not permit access to the network resource; and
      
      allowing access to the network resource when the network device determines that the applied first security policy and the applied second security policy permit access to the network resource.
  - 8. The method of claim 1, where applying the identified first security policy and the identified second security policy comprises:
    - applying, by the network device, the identified first security policy and the identified second security policy to the network traffic to determine whether the applied first security policy and the applied second security policy permit access to the network resource, andwhere selectively forwarding the network traffic includes;
      
      permitting, by the network device and when the applied first security policy and the applied second security policy permit access to the network resource, the network traffic to be forwarded to the network resource, andpreventing, by the network device and when the applied first security policy or the applied second security policy do not permit access to the network resource, the network traffic from being forwarded to the network resource.

9. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by a device, cause the device to receive data;
  
  one or more instructions which, when executed by the device, cause the device to identify, after receiving the data, a source zone and a destination zone,the data being received from the source zone and being intended for a network resource associated with the destination zone,the device being associated with the source zone, the destination zone, and another source zone, andthe network resource being identified using a destination address included in the data;
  
  one or more instructions which, when executed by the device, cause the device to identify a first security policy and a second security policy to be applied to the data,the first security policy being associated with the identified source zone,the second security policy being associated with the identified destination zone,the first security policy being different than the second security policy, anda third security policy being associated with the other source zone;
  
  one or more instructions which, when executed by the device, cause the device to apply the identified first security policy and the identified second security policy to the data to determine whether to permit access to the network resource,the third security policy being applied to additional data, associated with the other source zone and the destination zone, to determine whether the additional data is to be forwarded to the network resource when the additional data is received; and
  
  one or more instructions which, when executed by the device, cause the device to selectively forward the data to the network resource based on applying the identified first security policy and the identified second security policy to the data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable medium of claim 9, the instructions further comprising:
    - one or more instructions to determine whether the applied first security policy and the applied second security policy permit access to the network resource;
      
      one or more instructions to deny access to the network resource when the applied first security policy or the applied second security policy do not permit access to the network resource; and
      
      one or more instructions to allow access to the network resource when the applied first security policy and the applied second security policy permit access to the network resource.
  - 11. The non-transitory computer-readable medium of claim 9, where the one or more instructions to apply the identified first security policy and the identified second security policy include:
    - one or more instructions to apply the identified first security policy and the identified second security policy to the data to determine whether the applied first security policy and the applied second security policy permit access to the network resource, andwhere the one or more instructions to selectively forward the data include;
      
      one or more instructions to permit, when the applied first security policy and the applied second security policy permit access to the network resource, the data to be forwarded to the network resource, andone or more instructions to prevent, when the applied first security policy or the applied second security policy do not permit access to the network resource, the data from being forwarded to the network resource.
  - 12. The non-transitory computer-readable medium of claim 9, the instructions further comprising:
    - one or more instructions to receive the data during a network session between the device and another device.
  - 13. The non-transitory computer-readable medium of claim 9, the instructions further comprising:
    - one or more instructions to receive particular data;
      
      one or more instructions to identify, after receiving the particular data, the other source zone and another destination zone,the other destination zone being associated with another network resource, andthe other network resource being identified using another destination address included in the particular data;
      
      one or more instructions to identify the third security policy and a fourth security policy to be applied to the particular data,the third security policy being identified based on the identified other source zone, andthe fourth security policy being identified based on the identified other destination zone; and
      
      one or more instructions to apply the third security policy and the fourth security policy to the particular data to determine whether the additional data is to be forwarded to the other network resource.
  - 14. The non-transitory computer-readable medium of claim 9, the instructions further comprising:
    - one or more instructions to receive the additional data;
      
      one or more instructions to identify, after receiving the additional data, the other source zone and the destination zone,the other source zone being identified based on a source address included in the additional data;
      
      one or more instructions to identify the third security policy to be applied to the additional data,the third security policy being identified based on the identified other source zone; and
      
      one or more instructions to apply the third security policy to the additional data to determine whether the additional data is to be forwarded to the network resource.
  - 15. The non-transitory computer-readable medium of claim 14, where the data and the additional data are received by the device during concurrent network sessions.
  - 16. The non-transitory computer-readable medium of claim 14, where the one or more instructions to apply the third security policy include:
    - one or more instructions to apply the third security policy to the additional data to determine whether the applied third security policy permits access to the network resource, andwhere the instructions further comprise;
      
      one or more instructions to permit, when the applied third security policy permits access to the network resource, the additional data to be forwarded to the network resource, andone or more instructions to prevent, when the applied third security policy does not permit access to the network resource, the additional data from being forwarded to the network resource.

17. A device comprising:
- a memory to store instructions; and
  
  a processor to execute the instructions to;
  
  receive data;
  
  identify, after receiving the data, a source zone and a destination zone,the data being received from the source zone and being intended for a network resource associated with the destination zone,the source zone being associated with a first security policy,the destination zone being associated with a second security policy that is different than the first security policy,a third security policy being associated with another source zone, andthe network resource being identified using a destination address included in the data;
  
  identify the first security policy and the second security policy,the first security policy being identified based on the identified source zone,the second security policy being identified based on the identified destination zone;
  
  apply at least one of the identified first security policy or the identified second security policy to the data to determine whether to permit access to the network resource,the third security policy being applied to additional data, associated with the other source zone and the destination zone, to determine whether the additional data is to be forwarded to the network resource when the additional data is received; and
  
  selectively forward the data to the network resource based on applying the at least one of the identified first security policy or the identified second security policy to the data.
- View Dependent Claims (18, 19, 20)
- - 18. The device of claim 17, where the processor is further to execute the instructions to:
    - receive particular data;
      
      identify, after receiving the particular data, the other source zone and another destination zone,the other destination zone being associated with another network resource, andthe other network resource being identified using another destination address included in the particular data;
      
      identify the third security policy and a fourth security to be applied to the particular data,the third security policy being identified based on the identified other source zone, andthe fourth security policy being identified based on the identified other destination zone; and
      
      apply at least one of the third security policy or the fourth security policy to the particular data to determine whether the additional data is to be forwarded to the other network resource.
  - 19. The device of claim 17, where, when applying the at least one of the identified first security policy or the identified second security policy, the processor is to:
    - apply the at least one of the identified first security policy or the identified second security policy to the data to determine whether the at least one of the identified first security policy or the identified second security policy permits access to the network resource, andwhere, when selectively forwarding the data, the processor is to;
      
      permit, when the at least one of the identified first security policy or the identified second security policy permits access to the network resource, the data to be forwarded to the network resource, andprevent, when the at least one of the identified first security policy or the identified second security policy does not permit access to the network resource, the data from being forwarded to the network resource.
  - 20. The device of claim 17, where the processor is further to execute the instructions to:
    - receive the additional data;
      
      identify, after receiving the additional data, the other source zone and the destination zone,the other source zone being identified based on a source address included in the additional data;
      
      identify the third security policy to be applied to the additional data,the third security policy being identified based on the identified other source zone; and
      
      apply the third security policy to the additional data to determine whether the additional data is to be forwarded to the network resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Conway, Adam Michael, Klarich, Lee, Mo, Ning
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
SONG, HEE K

Application Number

US13/601,627
Publication Number

US 20120324533A1
Time in Patent Office

704 Days
Field of Search

726 1- 4, 455/410, 455/411, 709/227, 380/270, 370/235, 370/247
US Class Current

726/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/105   Multiple levels of security

H04L 67/14   Session management for real...

H04W 80/10   adapted for application ses...

Wireless network having multiple security interfaces

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Wireless network having multiple security interfaces

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links