Dynamically mapping network trust relationships

US 9,104,836 B2
Filed: 11/21/2011
Issued: 08/11/2015
Est. Priority Date: 11/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving one or more authentication protocol messages, from an authenticator device, to authenticate a supplicant device;

transmitting the one or more authentication protocol messages to an authentication server;

after sending one or more corresponding response messages comprising one or more positive responses to the one or more authentication protocol messages, updating a trust topology map as a diagram to include information reflecting security policy data that indicates a secure link between the authenticator device and the supplicant device, and changes in one or more security trust relationships between the authenticator device and the supplicant device based on the authentication protocol messages and the response messages, and in which links and paths are coded according to encryption capabilities, security properties and other characteristics identified in the response and the security policy data;

wherein the response pertains to one or more of;

access requests, responses to access requests, authentication/authorization requests, responses to authentication/authorization requests, responses to policy requests, security protocol interactions, communications related to trust relationships or security;

wherein the trust topology map comprises information about trusted and untrusted links, encrypted and unencrypted links, authenticated and unauthenticated users, policies applied on the links, and roles associated with endpoints of the links;

wherein the authentication protocol messages comprise any of an access request and a peer policy request;

wherein the method is performed by one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, the method is comprising, receiving an access request, from an authenticator device, to grant a supplicant device access to a data network; transmitting the access request to an authentication server; after sending a response that the access request was granted, updating a trust topology map by including in the trust topology map information that has been obtained from the response and that indicates a secure link between the authenticator device and the supplicant device, and causing displaying the updated trust topology map as a logical map depicting one or more network devices and roles assigned to the one or more network devices; wherein the method is performed by one or more computing device.

Citations

12 Claims

1. A method comprising:
- receiving one or more authentication protocol messages, from an authenticator device, to authenticate a supplicant device;
  
  transmitting the one or more authentication protocol messages to an authentication server;
  
  after sending one or more corresponding response messages comprising one or more positive responses to the one or more authentication protocol messages, updating a trust topology map as a diagram to include information reflecting security policy data that indicates a secure link between the authenticator device and the supplicant device, and changes in one or more security trust relationships between the authenticator device and the supplicant device based on the authentication protocol messages and the response messages, and in which links and paths are coded according to encryption capabilities, security properties and other characteristics identified in the response and the security policy data;
  
  wherein the response pertains to one or more of;
  
  access requests, responses to access requests, authentication/authorization requests, responses to authentication/authorization requests, responses to policy requests, security protocol interactions, communications related to trust relationships or security;
  
  wherein the trust topology map comprises information about trusted and untrusted links, encrypted and unencrypted links, authenticated and unauthenticated users, policies applied on the links, and roles associated with endpoints of the links;
  
  wherein the authentication protocol messages comprise any of an access request and a peer policy request;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the authentication protocol messages are TrustSec extensions to known authentication protocols.
  - 3. The method of claim 1, further comprising updating the trust topology map in response to recognizing a new device or a new link.
  - 4. The method of claim 1, further comprising:
    - after sending an indication that the access request was not granted, updating the trust topology map by including in the trust topology map information indicating that no link has been established between the authenticator device and the supplicant device.
  - 5. The method of claim 1, further comprising:
    - receiving a peer policy request, from the authenticator device or from the supplicant device, to obtain a peer policy for the supplicant device;
      
      after determining that the peer policy for the supplicant device is not received, updating the trust topology map by including in the trust topology map information indicating that the peer policy for the supplicant device is unavailable.
  - 6. The method of claim 1,wherein the supplicant device and the authenticator device are neighbors;
    - wherein the access request comprises identification information of the authenticator and supplicant devices.
  - 7. The method of claim 1,wherein the access request comprises information about a manner in which the authenticator device and the supplicant device communicate with each other.

8. An internetworking device, comprising:
- one or more processors;
  
  an access unit coupled to the one or more processors and configured as a management device and configured to perform;
  
  receiving an access request, from an authenticator device, to grant a supplicant device access to a data network;
  
  transmitting the access request to an authentication server;
  
  after sending a confirmation that the access request was successfully granted and establishing a secure link between the authenticator device and the supplicant device, updating a trust topology map by including, in the trust topology map, information comprising security policy data and about the secure link;
  
  a policy unit coupled to the one or more processors and configured to perform;
  
  receiving a peer policy request, from the authenticator device, to obtain a peer policy for the supplicant device;
  
  after sending a response comprising the peer policy for the supplicant device, updating the trust topology map by including the peer policy in the trust topology map;
  
  wherein the response pertains to one or more of;
  
  access requests, responses to access requests, authentication/authorization requests, responses to authentication/authorization requests, responses to policy requests, security protocol interactions, communications related to trust relationships or security;
  
  a topology unit coupled to the one or more processors and configured to perform;
  
  displaying the updated trust topology map as a diagram depicting one or more network devices present in the data network and depicting roles that the one or more network devices play in the data network;
  
  wherein the links and paths in the diagram are coded according to encryption capabilities, security properties and other characteristics identified in the response and the security policy data;
  
  wherein the trust topology map is updated each time a new device joins the data network and a new link is added to the data network;
  
  wherein updating the trust topology map does not require generating or transmitting any additional traffic other than a TrustSec traffic.

9. An internetworking device comprising:
- one or more processors;
  
  an access unit coupled to the one or more processors and configured as a management device and configured to perform;
  
  receiving an access request, from an authenticator device, to grant a supplicant device access to a data network;
  
  transmitting the access request to an authentication server;
  
  after sending a confirmation that the access request was successfully granted and establishing a secure link between the authenticator device and the supplicant device, updating a trust topology map by including, in the trust topology map, information comprising security policy data and about the secure link;
  
  a policy unit coupled to the one or more processors and configured to perform;
  
  receiving a peer policy request, from the authenticator device, to obtain a peer policy for the supplicant device;
  
  after sending a response comprising the peer policy for the supplicant device, updating the trust topology map by including the peer policy in the trust topology map;
  
  wherein the response pertains to one or more of;
  
  access requests, responses to access requests, authentication/authorization requests, responses to authentication/authorization requests, responses to policy requests, security protocol interactions, communications related to trust relationships or security;
  
  a topology unit coupled to the one or more processors and configured to perform;
  
  displaying the updated trust topology map as a diagram depicting one or more network devices present in the data network and depicting roles that the one or more network devices play in the data network;
  
  wherein the links and paths in the diagram are coded according to encryption capabilities, security properties and other characteristics identified in the response and the security policy datawherein the trust topology map is updated each time a new device joins the data network and a new link is added to the data network;
  
  wherein updating the trust topology map does not require generating or transmitting any additional traffic other than a TrustSec traffic;
  
  wherein the supplicant device and the authenticator device are neighbors;
  
  wherein the access request comprises identification information of the authenticator and supplicant devices;
  
  wherein the access request is communicated wirelessly;
  
  wherein the access request comprises information about a manner in which the authenticator device and the supplicant device communicate with each other;
  
  wherein the authentication server is configured to perform one or more flexible authentication methods, including a IEEE 602.1X Web Authentication (WebAuth) method and a MAC Authentication Bypass (MAB) method.
- View Dependent Claims (10)
- - 10. The internetworking device of claim 9,wherein the access unit is further configured to perform:
    - after sending an indication that the access request was not granted, updating the trust topology map by including in the trust topology map information indicating that no link has been established between the authenticator device and the supplicant device;
      
      wherein the policy unit is further configured to perform;
      
      after determining that the peer policy for the supplicant device was not received, updating the trust topology map by including in the trust topology map information indicating that the peer policy for the supplicant device is unavailable.

11. A non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors of a management device to perform:
- receiving an access request, from an authenticator device, to grant a supplicant device access to a data network;
  
  transmitting the access request to an authentication server;
  
  after sending a confirmation that the access request was successfully granted and establishing a secure link between the authenticator device and the supplicant device, updating a trust topology map by including, in the trust topology map, information that was obtained from a response and comprising security policy data that indicates that the secure link has been established;
  
  receiving a peer policy request, from the authenticator device, to obtain a peer policy for the supplicant device;
  
  after sending the peer policy for the supplicant device, updating the trust topology map by including the peer policy in the trust topology map;
  
  wherein the response pertains to one or more of;
  
  access requests, responses to access requests, authentication/authorization requests, responses to authentication/authorization requests, responses to policy requests, security protocol interactions, communications related to trust relationships or security;
  
  displaying the updated trust topology map as a diagram depicting one or more network devices present in the data network and depicting roles that the one or more network devices play in the data network and in which links and paths are coded according to encryption capabilities, security properties and other characteristics identified in the response and the security policy data;
  
  wherein the trust topology map is updated each time a new device joins the data network and a new link is added to the data network;
  
  wherein updating the trust topology map does not require generating or transmitting any additional traffic other than a TrustSec traffic.

12. A non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors of a management device to perform:
- receiving an access request, from an authenticator device, to grant a supplicant device access to a data network;
  
  transmitting the access request to an authentication server;
  
  after sending a confirmation that the access request was successfully granted and establishing a secure link between the authenticator device and the supplicant device, updating a trust topology map by including, in the trust topology map, information that was obtained from a response and comprising security policy data that indicates that the secure link has been established;
  
  receiving a peer policy request, from the authenticator device, to obtain a peer policy for the supplicant device;
  
  after sending the peer policy for the supplicant device, updating the trust topology map by including the peer policy in the trust topology map;
  
  wherein the response pertains to one or more of;
  
  access requests, responses to access requests, authentication/authorization requests, responses to authentication/authorization requests, responses to policy requests, security protocol interactions, communications related to trust relationships or security;
  
  displaying the updated trust topology map as a diagram depicting one or more network devices present in the data network and depicting roles that the one or more network devices play in the data network and in which links and paths are coded according to encryption capabilities, security properties and other characteristics identified in the response and the security policy data;
  
  after sending an indication that the access request was not granted, updating the trust topology map by including in the trust topology map information indicating that no link has been established between the authenticator and supplicant devices;
  
  after determining that the peer policy for the supplicant device is not received, updating the trust topology map by including in the trust topology map information indicating that the peer policy for the supplicant device is unavailable;
  
  wherein the supplicant device and the authenticator device are neighbors;
  
  wherein the access request comprises identification information of the authenticator and the supplicant devices;
  
  wherein the access request is communicated wirelessly;
  
  wherein the access request comprises information about a manner in which the authenticator device and the supplicant device communicate with each other.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Hershberg, Yehoshua, Koren, Dror, Burstein, Ori
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US13/301,684
Publication Number

US 20130133023A1
Time in Patent Office

1,359 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/34   involving the use of extern...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/20   for managing network securi...

Dynamically mapping network trust relationships

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically mapping network trust relationships

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links