Method and apparatus for providing network security using role-based access control

US 9,237,158 B2
Filed: 02/24/2014
Issued: 01/12/2016
Est. Priority Date: 09/10/2003
Status: Active Grant

First Claim

Patent Images

1. An network apparatus for performing packet processing in a network, in order to secure the network, comprising:

a first network device, whereinthe first network device is configured toretrieve source user group information from a forwarding table by looking up the source user group information in the forwarding table using packet contents of a packet, using a hardware processor of the first network device, whereinthe forwarding table is stored in a computer-readable storage medium coupled to the hardware processor, andthe source user group information is configured to be compared with destination user group information,insert the source user group information to the packet, using the hardware processor, andforward the packet to a second network device of the network via a network interface, whereinthe network interface is coupled to the hardware processor, andthe source user group information is configured to identify a source user group,the destination user group information is configured to identify a destination user group,the packet comprises a source address and a destination address,the source address is a network address of a source of the packet,the destination address is a network address of a destination of the packet,the source of the packet is a member of the source user group,the destination is a member of the destination user group, andthe source user group is assigned to the source of the packet based, at least in part, on a role of a user of the network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.

Citations

22 Claims

1. An network apparatus for performing packet processing in a network, in order to secure the network, comprising:
- a first network device, whereinthe first network device is configured toretrieve source user group information from a forwarding table by looking up the source user group information in the forwarding table using packet contents of a packet, using a hardware processor of the first network device, whereinthe forwarding table is stored in a computer-readable storage medium coupled to the hardware processor, andthe source user group information is configured to be compared with destination user group information,insert the source user group information to the packet, using the hardware processor, andforward the packet to a second network device of the network via a network interface, whereinthe network interface is coupled to the hardware processor, andthe source user group information is configured to identify a source user group,the destination user group information is configured to identify a destination user group,the packet comprises a source address and a destination address,the source address is a network address of a source of the packet,the destination address is a network address of a destination of the packet,the source of the packet is a member of the source user group,the destination is a member of the destination user group, andthe source user group is assigned to the source of the packet based, at least in part, on a role of a user of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The network apparatus of claim 1, whereinthe first network device is further configured togenerate the packet, andthe first network device is the source of the packet.
  - 3. The network apparatus of claim 1, whereinthe first network device is further configured toreceive the packet from another network device via the network interface, andthe another network device is the source of the packet.
  - 4. The network apparatus of claim 3, whereinthe forwarding table comprisesa plurality of forwarding table entries, andat least one forwarding table entry of the forwarding table entries comprises a user group field.
  - 5. The network apparatus of claim 4, wherein the at least one forwarding table entry further comprises:
    - a port identifier field, whereina port identifier stored in the port identifier field identifies a port,the packet is received on the port, anda user group, identified by a user group identifier stored in the user group field, is associated with the port.
  - 6. The network apparatus of claim 3, whereinthe source user group information comprisesa source user group identifier.
  - 7. The network apparatus of claim 6, whereinthe first network device is further configured toreceive the source user group identifier from an authentication server.
  - 8. The network apparatus of claim 6, whereinthe destination user group is assigned to the destination based on a role of the destination.
  - 9. The network apparatus of claim 1, further comprising:
    - the second network device, whereinthe second network device is configured to receive the packet,the second network device comprisesan access control list,the access control list comprisesan access control list entry,the access control list entry comprisesa source user group field, andthe second network device is further configured toidentify the access control list entry, based, at least in part, on a comparison between a source group identifier stored in the source user group field and the source user group information.
  - 10. The network apparatus of claim 9, whereinthe access control list entry further comprisesa destination user group field, andthe second network device is further configured todetermine a destination user group identifier for a destination of the packet,whereinthe destination user group identifier is configured to identify a user group of the destination of the packet, andperform access control processing on the packet by virtue of being configured to perform a comparison between the destination user group identifier and a destination group identifier stored in the destination user group field.
  - 11. The network apparatus of claim 10, whereinthe second network device is further configured toretrieve the destination user group identifier from a forwarding information base, andstore the destination user group identifier in the access control list entry.
  - 12. The network apparatus of claim 1, wherein the second network device is configured to:
    - compare the source user group information and the destination user group information using a role-based access control list.

13. A network device for performing packet processing in a network, in order to secure the network, comprising:
- a hardware processor;
  
  a network interface, coupled to the hardware processor;
  
  a computer-readable storage medium, coupled to the hardware processor; and
  
  a plurality of instructions, encoded in the computer-readable storage medium and configured to cause the hardware processor toretrieve source user group information from a forwarding table by looking up the source user group information in the forwarding table using packet contents of a packet, whereinthe source user group information is configured to be compared with destination user group information,insert the source user group information to the packet, andforward the packet to a second network device of the network via the network interface, whereinthe source user group information is configured to identify a source user group,the destination user group information is configured to identify a destination user group,the packet comprises a source address and a destination address,the source address is a network address of a source of the packet,the destination address is a network address of a destination of the packet,the source of the packet is a member of the source user group,the destination is a member of the destination user group, andthe source user group is assigned to the source of the packet based, at least in part, on a role of a user of the network.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The network device of claim 13, whereinthe instructions are further configured to cause the hardware processor togenerate the packet, andthe network device is the source of the packet.
  - 15. The network device of claim 13, whereinthe instructions are further configured to cause the hardware processor toreceive the packet from another network device via the network interface, andthe another network device is the source of the packet.
  - 16. The network device of claim 15, whereinthe forwarding table comprisesa plurality of forwarding table entries, andat least one forwarding table entry of the forwarding table entries comprisesa user group field.
  - 17. The network device of claim 16, wherein the at least one forwarding table entry further comprises:
    - a port identifier field, whereina port identifier stored in the port identifier field identifies a port,the packet is received on the port, anda user group, identified by a user group identifier stored in the user group field, is associated with the port.
  - 18. The network device of claim 15, whereinthe source user group information comprisesa source user group identifier, andthe instructions are further configured to cause the hardware processor toreceive the source user group identifier from an authentication server.
  - 19. The network device of claim 15, whereinthe destination user group is assigned to the destination based on a role of the destination.
  - 20. The network device of claim 13, whereinthe network device is configured to be coupled to the second network device via the network interface,the second network device is configured to receive the packet,the second network device comprises an access control list,the access control list comprisesan access control list entry,the access control list entry comprisesa source user group field, andthe second network device is further configured toidentify the access control list entry, based, at least in part, on a comparison between a source group identifier stored in the source user group field and the source user group information.
  - 21. The network device of claim 20, whereinthe access control list entry further comprisesa destination user group field, andthe second network device is configured todetermine a destination user group identifier for a destination of the packet,whereinthe destination user group identifier is configured to identify a user group of the destination of the packet, andperform access control processing on the packet by virtue of being configured to perform a comparison between the destination user group identifier and a destination group identifier stored in the destination user group field.

22. A network device for performing packet processing in a network, in order to secure the network, comprising:
- a hardware processor;
  
  a network interface, coupled to the hardware processor;
  
  a computer-readable storage medium, coupled to the hardware processor and configured to store a forwarding table;
  
  retrieving means for retrieving source user group information from the forwarding table,whereinthe retrieving means is coupled to the computer-readable storage medium,the retrieving means compriseslook up means for looking up the source user group information in the forwarding table using packet contents of a packet, andthe source user group information is configured to be compared with destination user group information;
  
  inserting means, coupled to the retrieving means, for inserting the source user group information to the packet; and
  
  forwarding means for forwarding the packet to a second network device of the network via the network interface, whereinthe forwarding means is coupled to the inserting means and the network interface,the source user group information is configured to identify a source user group,the destination user group information is configured to identify a destination user group,the packet comprises a source address and a destination address,the source address is a network address of a source of the packet,the destination address is a network address of a destination of the packet,the source of the packet is a member of the source user group,the destination is a member of the destination user group, andthe source user group is assigned to the source of the packet based, at least in part, on a role of a user of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
Chai, Longbit

Application Number

US14/188,227
Publication Number

US 20140173703A1
Time in Patent Office

687 Days
Field of Search

726/4
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 12/4645   Details on frame tagging ro...

H04L 12/4675   Dynamic sharing of VLAN inf...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/54   Organization of routing tables

H04L 45/7453   using hashing

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Method and apparatus for providing network security using role-based access control

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing network security using role-based access control

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links