Method and apparatus for providing network security using role-based access control
Abstract
A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
22 Claims
1. A network apparatus for performing packet processing in a network, in order to secure the network, comprising:
a first network device, wherein the first network device is configured to retrieve source user group information from a forwarding table by looking up the source user group information in the forwarding table using packet contents of a packet, using a hardware processor of the first network device, wherein the forwarding table is stored in a computer-readable storage medium coupled to the hardware processor, and the source user group information is configured to be compared with destination user group information, insert the source user group information to the packet, using the hardware processor, and forward the packet to a second network device of the network via a network interface, wherein the network interface is coupled to the hardware processor, and the source user group information is configured to identify a source user group, the destination user group information is configured to identify a destination user group, the packet comprises a source address and a destination address, the source address is a network address of a source of the packet, the destination address is a network address of a destination of the packet, the source of the packet is a member of the source user group, the destination is a member of the destination user group, and the source user group is assigned to the source of the packet based, at least in part, on a role of a user of the network. (Claims 2 through 12 depend on claim 1 and are not shown.)
13. A network device for performing packet processing in a network, in order to secure the network, comprising:
a hardware processor; a network interface, coupled to the hardware processor; a computer-readable storage medium, coupled to the hardware processor; and a plurality of instructions, encoded in the computer-readable storage medium and configured to cause the hardware processor to retrieve source user group information from a forwarding table by looking up the source user group information in the forwarding table using packet contents of a packet, wherein the source user group information is configured to be compared with destination user group information, insert the source user group information to the packet, and forward the packet to a second network device of the network via the network interface, wherein the source user group information is configured to identify a source user group, the destination user group information is configured to identify a destination user group, the packet comprises a source address and a destination address, the source address is a network address of a source of the packet, the destination address is a network address of a destination of the packet, the source of the packet is a member of the source user group, the destination is a member of the destination user group, and the source user group is assigned to the source of the packet based, at least in part, on a role of a user of the network. (Claims 14 through 21 depend on claim 13 and are not shown.)
22. A network device for performing packet processing in a network, in order to secure the network, comprising:
a hardware processor; a network interface, coupled to the hardware processor; a computer-readable storage medium, coupled to the hardware processor and configured to store a forwarding table; retrieving means for retrieving source user group information from the forwarding table, wherein the retrieving means is coupled to the computer-readable storage medium, the retrieving means comprises look up means for looking up the source user group information in the forwarding table using packet contents of a packet, and the source user group information is configured to be compared with destination user group information; inserting means, coupled to the retrieving means, for inserting the source user group information to the packet; and forwarding means for forwarding the packet to a second network device of the network via the network interface, wherein the forwarding means is coupled to the inserting means and the network interface, the source user group information is configured to identify a source user group, the destination user group information is configured to identify a destination user group, the packet comprises a source address and a destination address, the source address is a network address of a source of the packet, the destination address is a network address of a destination of the packet, the source of the packet is a member of the source user group, the destination is a member of the destination user group, and the source user group is assigned to the source of the packet based, at least in part, on a role of a user of the network.
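As an added illustration (not part of the patent text and not the patent holder's implementation), the following Python models the mechanism the abstract and claims 1, 13 and 22 describe: the first device resolves the packet's source address through a forwarding table whose entries carry a user group field, inserts that group into the packet, and the second device compares the carried source group with the destination's group against a role-based permission list. The table contents, group names and ACL entries are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed forwarding table (not from the patent): address -> (egress
# interface, user group field), matching the abstract's "forwarding table
# entry ... includes a user group field".
FORWARDING_TABLE = {
    "10.0.1.10": ("eth1", "engineering"),
    "10.0.1.20": ("eth1", "contractor"),
    "10.0.2.50": ("eth2", "build-servers"),
    "10.0.3.5": ("eth3", "hr-database"),
}

# Constructed role-based ACL keyed on (source group, destination group).
# Pairs not listed fall through to a default deny.
GROUP_ACL = {
    ("engineering", "build-servers"): "permit",
    ("engineering", "hr-database"): "deny",
    ("contractor", "build-servers"): "permit",
}

@dataclass
class Packet:
    src: str
    dst: str
    src_group: Optional[str] = None  # inserted by the first device

def ingress_tag(pkt: Packet) -> Packet:
    """First network device: look up the source user group using the packet's
    source address and insert it into the packet before forwarding."""
    entry = FORWARDING_TABLE.get(pkt.src)
    pkt.src_group = entry[1] if entry else "unknown"
    return pkt

def egress_decision(pkt: Packet) -> str:
    """Second network device: resolve the destination's group from its own
    table and compare it with the carried source group via the group ACL."""
    entry = FORWARDING_TABLE.get(pkt.dst)
    if entry is None or pkt.src_group is None:
        return "deny"  # unknown destination or untagged packet: fail closed
    return GROUP_ACL.get((pkt.src_group, entry[1]), "deny")

def forward(src: str, dst: str) -> str:
    """Run one packet through both hops and return the final decision."""
    return egress_decision(ingress_tag(Packet(src, dst)))
```

Because the group is resolved once at ingress and carried in the packet, the downstream device needs only the destination's group and the role matrix, not the full list of source addresses.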