Enforcing security groups in network of data processors

US 20080040775A1
Filed: 07/23/2007
Published: 02/14/2008
Est. Priority Date: 08/11/2006
Status: Active Grant

First Claim

Patent Images

1. A method for securing message traffic in a data network using a security protocol, comprising the steps of:

at a Management and Policy Server (MAP) within a network, determining a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;

at a Key Authority Point (KAP) within the network, receiving at least one security policy definition from the MAP;

generating one or more keys to be used in securing the traffic according to the policy definition; and

distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and

at a PEP within the network, receiving the security policy definition and the keys from the KAP;

receiving a network traffic packet;

determining if the network traffic packet falls within the definition of traffic to be secured; and

applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for securing message traffic in a data network using various methods for distributing security policies and keys, where policy definition is determined in a Management and Policy (MAP) functional layer that is responsible for policy distribution; a separate Key Authority Point (KAP) that is responsible for key generation, key distribution, and policy distribution; and a separate Policy Enforcement Point (PEP) which is responsible for enforcing the policies and applying the keys.

124 Citations

View as Search Results

27 Claims

1. A method for securing message traffic in a data network using a security protocol, comprising the steps of:
- at a Management and Policy Server (MAP) within a network, determining a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
  
  at a Key Authority Point (KAP) within the network, receiving at least one security policy definition from the MAP;
  
  generating one or more keys to be used in securing the traffic according to the policy definition; and
  
  distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and
  
  at a PEP within the network, receiving the security policy definition and the keys from the KAP;
  
  receiving a network traffic packet;
  
  determining if the network traffic packet falls within the definition of traffic to be secured; and
  
  applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the security policy definition includes a definition of groups/communities of interest.
  - 3. The method of claim 1, wherein the security policy definition includes a definition of membership and permissions of groups.
  - 4. The method of claim 1, further comprising the step of:
    - at the MAP, authenticating each KAP and PEP.
  - 5. The method of claim 1, further comprising the step of:
    - at the MAP, providing a visualization of security groups.
  - 6. The method of claim 1, wherein distributing the security policy definition and the keys to two or more peer PEPs includes distributing the security policy definition and the keys using IPsec.
  - 7. The method of claim 1, wherein distributing the security policy definition and the keys to two or more peer PEPs includes communicating with the peer PEPs via an application programming interface (API).
  - 8. The method of claim 1, wherein the KAP monitors operation of the peer PEPs.
  - 9. The method of claim 1, wherein the MAP and the KAP are centralized on a single physical machine.
  - 10. The method of claim 1, wherein applying security processing to the network traffic packet includes encrypting the packet if it is an outbound packet and decrypting the packet if it is an inbound packet.
  - 11. The method of claim 1, further comprising the step of:
    - at the PEP, storing and processing security packet index (SPI) data associated with the packet.
  - 12. The method of claim 1, wherein the PEP is embedded in a network connected device.
  - 13. The method of claim 1, wherein the PEP is implemented as a process running on a network appliance.

14. A system for securing message traffic in a data network using a security protocol, comprising:
- a Management and Policy Server (MAP) within a network, the MAP comprising;
  
  a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
  
  a Key Authority Point (KAP) within the network, the KAP comprising;
  
  means for receiving at least one security policy definition from the MAP;
  
  means for generating one or more keys to be used in securing the traffic according to the policy definition; and
  
  means for distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and
  
  a PEP within the network, the PEP comprising;
  
  means for receiving the security policy definition and the keys from the KAP;
  
  means for receiving a network traffic packet;
  
  means for determining if the network traffic packet falls within the definition of traffic to be secured; and
  
  means for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the security policy definition includes a definition of groups/communities of interest.
  - 16. The system of claim 14, wherein the security policy definition includes a definition of membership and permissions of groups.
  - 17. The system of claim 14, wherein the MAP further comprises:
    - means for authenticating each KAP and PEP.
  - 18. The system of claim 14, wherein the MAP further comprises:
    - means for providing a visualization of security groups.
  - 19. The system of claim 14, wherein the means for distributing the security policy definition and the keys to two or more peer PEPs includes distributing the security policy definition and the keys using IPsec.
  - 20. The system of claim 14, further comprising an application programming interface (API) used for communicating between the KAP and the peer PEPs.
  - 21. The system of claim 14, wherein the KAP further comprises:
    - means for monitoring operation of the peer PEPs.
  - 22. The system of claim 14, wherein the MAP and the KAP are centralized on a single physical machine.
  - 23. The system of claim 14, wherein the means for applying security processing to the network traffic packet includes encrypting the packet if it is an outbound packet and decrypting the packet if it is an inbound packet.
  - 24. The system of claim 14, wherein the PEP further comprises:
    - means for storing and processing security packet index (SPI) data associated with the packet.
  - 25. The system of claim 14, wherein the PEP is embedded in a network connected device.
  - 26. The system of claim 14, wherein the PEP is implemented as a process running on a network appliance.

27. A computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network using a security protocol, the computer readable medium program codes performing functions comprising:
- a routine for determining, at a Management and Policy Server (MAP) within a network, a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
  
  a routine for receiving, at a Key Authority Point (KAP) within the network, at least one security policy definition from the MAP;
  
  a routine for generating, at the KAP, one or more keys to be used in securing the traffic according to the policy definition;
  
  a routine for distributing the security policy definition and the keys from the KAP to two or more peer Policy Enforcement Points (PEPs);
  
  a routine for receiving, at a PEP within the network, the security policy definition and the keys from the KAP;
  
  a routine for receiving, at the PEP, a network traffic packet;
  
  a routine for determining if the network traffic packet falls within the definition of traffic to be secured; and
  
  a routine for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Willis, Ronald, Starrett, Charles, Hoff, Brandon, McAlister, Donald

Granted Patent

US 8,082,574 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/062   for key distribution, e.g. ...

H04L 63/104   Grouping of entities

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Enforcing security groups in network of data processors

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

124 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing security groups in network of data processors

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

124 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links