Centralized secure offload of cryptographic security services for distributed security enforcement points

US 9,137,203 B2
Filed: 01/24/2007
Issued: 09/15/2015
Est. Priority Date: 01/24/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method within and by a security enforcement point located between a first zone of protection and a second zone of protection, comprising:

controlling communication flows between a device in the first zone and a device in the second zone;

performing a cryptographic security service on the communication flows; and

offloading a portion of the cryptographic security service to a security server in a third zone of protection, whereinthe third zone of protection isdisposed separately from the first and second zones of protection anda higher zone of protection than the first and second zones of protection,wherein the security server is connected to a plurality of security enforcement points and the security enforcement points define the boundaries of the zones.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention address deficiencies of the art in respect to network security and provide a method, system and computer program product for centralized secure offload of key exchange services for distributed security enforcement points. In one embodiment, a data processing system for centralized secure offload of key exchange services for distributed security enforcement points can be provided. The system can include a security enforcement point controlling communication flows between devices in different less trusted zones of protection, and a security server communicatively coupled to the security enforcement point and hosting key exchange services disposed in a more trusted zone of protection. The security enforcement point can include an interface to the key exchange services and program code enabled to offload at least one portion of a key exchange through the interface to the key exchange services disposed in the more trusted zone of protection.

25 Citations

15 Claims

1. A computer-implemented method within and by a security enforcement point located between a first zone of protection and a second zone of protection, comprising:
- controlling communication flows between a device in the first zone and a device in the second zone;
  
  performing a cryptographic security service on the communication flows; and
  
  offloading a portion of the cryptographic security service to a security server in a third zone of protection, whereinthe third zone of protection isdisposed separately from the first and second zones of protection anda higher zone of protection than the first and second zones of protection,wherein the security server is connected to a plurality of security enforcement points and the security enforcement points define the boundaries of the zones.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - establishing a secure session with the security server prior to the offloading.
  - 3. The method of claim 1, whereinthe first zone is a public internet zone,the second zone is a demilitarized zone, andthe third zone is an enterprise information system zone.
  - 4. The method of claim 1, whereinthe first zone is a demilitarized zone,the second zone is an application zone including an application server, andthe third zone is an enterprise information system zone.
  - 5. The method of claim 1, whereinthe cryptographic security service includes key public/private key services.

6. A security enforcement point located between a first zone of protection and a second zone of protection, comprising:
- at least one processor, wherein the at least one processor is configured to perform;
  
  controlling communication flows between a device in the first zone and a device in the second zone;
  
  performing a cryptographic security service on the communication flows; and
  
  offloading a portion of the cryptographic security service to a security server in a third zone of protection, whereinthe third zone of protection isdisposed separately from the first and second zones of protection and;
  
  a higher zone of protection than the first and second zones of protection,wherein the security server is connected to a plurality of security enforcement points and the security enforcement points define the boundaries of the zones.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the at least one processor is further configured to initiate and/or perform:
    - establishing a secure session with the security server prior to the offloading.
  - 8. The system of claim 6, whereinthe first zone is a public internet zone,the second zone is a demilitarized zone, andthe third zone is an enterprise information system zone.
  - 9. The system of claim 6, whereinthe first zone is a demilitarized zone,the second zone is an application zone including an application server, andthe third zone is an enterprise information system zone.
  - 10. The system of claim 6, whereinthe cryptographic security service includes key public/private key services.

11. A computer program product, comprising:
- a computer usable storage device having stored therein computer-readable program code, which when executed by a computer hardware system including a security enforcement point located between a first zone of protection and a second zone of protection, causes the security enforcement point to perform;
  
  controlling communication flows between a device in the first zone and a device in the second zone;
  
  performing a cryptographic security service on the communication flows; and
  
  offloading a portion of the cryptographic security service to a security server in a third zone of protection, whereinthe third zone of protection isdisposed separately from the first and second zones of protection anda higher zone of protection than the first and second zones of protection,wherein the computer usable storage device is not a transitory, propagating signal per se andwherein the security server is connected to a plurality of security enforcement points and the security enforcement points define the boundaries of the zones.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program product of claim 11, wherein the computer-readable program code further causes the security enforcement point to perform:
    - establishing a secure session with the security server prior to the offloading.
  - 13. The computer program product of claim 11, whereinthe first zone is a public internet zone,the second zone is a demilitarized zone, andthe third zone is an enterprise information system zone.
  - 14. The computer program product of claim 11, whereinthe first zone is a demilitarized zone,the second zone is an application zone including an application server, andthe third zone is an enterprise information system zone.
  - 15. The computer program product of claim 11, whereinthe cryptographic security service includes key public/private key services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Gearhart, Curtis M., Meyer, Christopher, Overby, Linwood H. Jr., Wierbowski, David J.
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US11/626,513
Publication Number

US 20080175382A1
Time in Patent Office

3,156 Days
Field of Search

713/153, 726/11, 726/12
US Class Current

1/1
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0209   Architectural arrangements,...

H04L 63/04   for providing a confidentia...

H04L 63/0485   Networking architectures fo...

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

Centralized secure offload of cryptographic security services for distributed security enforcement points

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized secure offload of cryptographic security services for distributed security enforcement points

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links