Dynamically mapping network trust relationships

US 9,473,496 B2
Filed: 06/30/2015
Issued: 10/18/2016
Est. Priority Date: 11/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method for enhancing capabilities of a communications device to enable generating trust relationships based on dynamically created maps of network trust relationships established among network devices, the method comprising:

receiving, at a server computer, one or more authentication protocol messages from an authenticator computer device to authenticate a supplicant computer device;

transmitting, from the server computer, the one or more authentication protocol messages to an authentication computer server;

displaying on a digital computer display device a trust topology map as a graphical diagram and comprising information about trusted and untrusted links, encrypted and unencrypted links, authenticated and unauthenticated users, peer policies applied on the links, and roles associated with endpoints of the links;

after sending one or more corresponding response messages comprising one or more responses to the one or more authentication protocol messages, updating, based on the one or more responses, the trust topology map with information reflecting peer security policy data that indicates a secure link between the authenticator computer device and the supplicant computer device, and changes in one or more security trust relationships between the authenticator computer device and the supplicant computer device based on the authentication protocol messages and the response messages, and in which links and paths are coded according to encryption capabilities, security properties and other characteristics identified in the response and the peer security policy data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, the method is comprising, receiving an access request, from an authenticator device, to grant a supplicant device access to a data network; transmitting the access request to an authentication server; after sending a response that the access request was granted, updating a trust topology map by including in the trust topology map information that has been obtained from the response and that indicates a secure link between the authenticator device and the supplicant device, and causing displaying the updated trust topology map as a logical map depicting one or more network devices and roles assigned to the one or more network devices; wherein the method is performed by one or more computing device.

19 Citations

20 Claims

1. A method for enhancing capabilities of a communications device to enable generating trust relationships based on dynamically created maps of network trust relationships established among network devices, the method comprising:
- receiving, at a server computer, one or more authentication protocol messages from an authenticator computer device to authenticate a supplicant computer device;
  
  transmitting, from the server computer, the one or more authentication protocol messages to an authentication computer server;
  
  displaying on a digital computer display device a trust topology map as a graphical diagram and comprising information about trusted and untrusted links, encrypted and unencrypted links, authenticated and unauthenticated users, peer policies applied on the links, and roles associated with endpoints of the links;
  
  after sending one or more corresponding response messages comprising one or more responses to the one or more authentication protocol messages, updating, based on the one or more responses, the trust topology map with information reflecting peer security policy data that indicates a secure link between the authenticator computer device and the supplicant computer device, and changes in one or more security trust relationships between the authenticator computer device and the supplicant computer device based on the authentication protocol messages and the response messages, and in which links and paths are coded according to encryption capabilities, security properties and other characteristics identified in the response and the peer security policy data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the authentication protocol messages are TrustSec extensions to known authentication protocols.
  - 3. The method of claim 1, comprising updating the trust topology map in response to recognizing a new device or a new link.
  - 4. The method of claim 1, comprising:
    - after sending an indication that an access request was not granted, updating the trust topology map by including, in the trust topology map, information indicating that no link has been established between the authenticator computer device and the supplicant computer device.
  - 5. The method of claim 1, comprising:
    - receiving a peer policy request, from the authenticator computer device or from the supplicant computer device, to obtain a peer policy for the supplicant computer device;
      
      after determining that the peer policy for the supplicant computer device is not received, updating the trust topology map by including, in the trust topology map, information indicating that the peer policy for the supplicant computer device is unavailable.
  - 6. The method of claim 4,wherein the supplicant computer device and the authenticator computer device are neighbors;
    - wherein the access request comprises identification information of the authenticator and supplicant computer devices.
  - 7. The method of claim 4,wherein the access request comprises information about a manner in which the authenticator computer device and the supplicant computer device communicate with each other.

8. An internetworking computer device comprising:
- one or more processors;
  
  an access unit coupled to the one or more processors and configured as a management computer device and configured to perform;
  
  receiving, at a server computer, one or more authentication protocol messages from an authenticator computer device to authenticate a supplicant computer device;
  
  transmitting, from the server computer, the one or more authentication protocol messages to an authentication computer server;
  
  displaying on a digital computer display device a trust topology map as a graphical diagram and comprising information about trusted and untrusted links, encrypted and unencrypted links, authenticated and unauthenticated users, policies applied on the links, and roles associated with endpoints of the links;
  
  after sending one or more corresponding response messages comprising one or more responses to the one or more authentication protocol messages, updating, based on the one or more responses, the trust topology map with information reflecting peer security policy data that indicates a secure link between the authenticator computer device and the supplicant computer device, and changes in one or more security trust relationships between the authenticator computer device and the supplicant computer device based on the authentication protocol messages and the response messages, and in which links and paths are coded according to encryption capabilities, security properties and other characteristics identified in the response and the peer security policy data.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The internetworking computer device of claim 8, wherein the authentication protocol messages are TrustSec extensions to known authentication protocols.
  - 10. The internetworking computer device of claim 8, wherein the access unit is configured to perform updating the trust topology map in response to recognizing a new device or a new link.
  - 11. The internetworking computer device of claim 8, wherein the access unit is configured to perform:
    - after sending an indication that an access request was not granted, updating the trust topology map by including, in the trust topology map, information indicating that no link has been established between the authenticator computer device and the supplicant computer device.
  - 12. The internetworking computer device of claim 8, wherein the access unit is configured to perform:
    - receiving a peer policy request, from the authenticator computer device or from the supplicant computer device, to obtain a peer policy for the supplicant computer device;
      
      after determining that the peer policy for the supplicant computer device is not received, updating the trust topology map by including, in the trust topology map, information indicating that the peer policy for the supplicant computer device is unavailable.
  - 13. The internetworking computer device of claim 11,wherein the supplicant computer device and the authenticator computer device are neighbors;
    - wherein the access request comprises identification information of the authenticator and supplicant computer devices.
  - 14. The internetworking computer device of claim 11,wherein the access request comprises information about a manner in which the authenticator computer device and the supplicant computer device communicate with each other.

15. A non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors of a management computer device to perform:
- receiving, at a server computer, one or more authentication protocol messages from an authenticator computer device to authenticate a supplicant computer device;
  
  transmitting, from the server computer, the one or more authentication protocol messages to an authentication computer server;
  
  displaying on a digital computer display device a trust topology map as a graphical diagram and comprising information about trusted and untrusted links, encrypted and unencrypted links, authenticated and unauthenticated users, policies applied on the links, and roles associated with endpoints of the links;
  
  after sending one or more corresponding response messages comprising one or more responses to the one or more authentication protocol messages, updating, based on the one or more responses, the trust topology map with information reflecting peer security policy data that indicates a secure link between the authenticator computer device and the supplicant computer device, and changes in one or more security trust relationships between the authenticator computer device and the supplicant computer device based on the authentication protocol messages and the response messages, and in which links and paths are coded according to encryption capabilities, security properties and other characteristics identified in the response and the peer security policy data.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the authentication protocol messages are TrustSec extensions to known authentication protocols.
  - 17. The non-transitory computer-readable storage medium of claim 15, comprising additional instructions which, when executed, cause:
    - updating the trust topology map in response to recognizing a new device or a new link.
  - 18. The non-transitory computer-readable storage medium of claim 15, comprising additional instructions which, when executed, cause:
    - after sending an indication that an access request was not granted, updating the trust topology map by including, in the trust topology map, information indicating that no link has been established between the authenticator computer device and the supplicant computer device.
  - 19. The non-transitory computer-readable storage medium of claim 15, comprising additional instructions which, when executed, cause:
    - receiving a peer policy request, from the authenticator computer device or from the supplicant computer device, to obtain a peer policy for the supplicant computer device;
      
      after determining that the peer policy for the supplicant computer device is not received, updating the trust topology map by including, in the trust topology map, information indicating that the peer policy for the supplicant computer device is unavailable.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein the supplicant computer device and the authenticator computer device are neighbors;
    - wherein the access request comprises identification information of the authenticator and supplicant computer devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Burstein, Ori, Hershberg, Yehoshua, Koren, Dror
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US14/788,515
Publication Number

US 20150304327A1
Time in Patent Office

476 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/34   involving the use of extern...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/20   for managing network securi...

Dynamically mapping network trust relationships

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically mapping network trust relationships

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links