Deploying group VPNS and security groups over an end-to-end enterprise network

US 20080127327A1
Filed: 09/27/2006
Published: 05/29/2008
Est. Priority Date: 09/27/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing secure communication among members in a virtual private network comprising:

defining a security group, the security group comprising identification of two or more members to be enabled to securely communicate with one another;

upon request by a group member to communicate with other members of a security group,determining if the group member is authenticated using a virtual private network (VPN) authentication function;

if the group member is authenticated by the VPN authentication function;

then, presenting the group member with a security association to enable the member to carry out secure communication within the group.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Group Virtual Private Networks (Group VPNS) are provided for different types of machines in a data processing network. Security groups are defined by a security policy for each member. Security policies and encryption keys are deployed to members of a security group using an IPSec network infrastructure with authentication via VPN mechanisms. The group VPNs provide a trusted IP network that can leverage and co-exist with security access control technologies, such as endpoint security that controls client network access or application security that controls user access to enterprise applications.

101 Citations

View as Search Results

28 Claims

1. A method for providing secure communication among members in a virtual private network comprising:
- defining a security group, the security group comprising identification of two or more members to be enabled to securely communicate with one another;
  
  upon request by a group member to communicate with other members of a security group,determining if the group member is authenticated using a virtual private network (VPN) authentication function;
  
  if the group member is authenticated by the VPN authentication function;
  
  then, presenting the group member with a security association to enable the member to carry out secure communication within the group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the security association comprises at least one of a security policy and an encryption key.
  - 3. The method of claim 1 wherein the security association is provided by a network overlay that provides security policies and encryption keys to members of the security group.
  - 4. The method of claim 3 wherein the network overlay additionally comprises:
    - a security policy layer; and
      
      an encryption key layer.
  - 5. The method of claim 1 wherein security groups are defined across physically distributed network sites without restriction on group members'"'"' physical locations.
  - 6. The method of claim 1 wherein secure communication between group members uses an IPSec protocol.
  - 7. The method of claim 6 wherein communication between group members uses IPsec packets where an original IP packet header is sent in the clear and an IP packet payload is sent in encrypted form.
  - 8. The method of claim 1 wherein security group members are defined by a method selected from a group consisting ofuser clients to user clients, as defined by subnets/IP addresses to subnets/IP addresses;
    - clients to host applications/datacenters, as defined by subnets/IP addresses to IP addresses;
      
      orhost applications/datacenters to applications/datacenters, as defined by IP addresses to IP addresses.
  - 9. The method of claim 1 wherein security groups are defined as internal, external or remote.
  - 10. The method of claim 1 wherein a group member can belong to more than one security group.
  - 11. The method of claim 1 wherein the step of determining if the user is authenticated is additionally integrated with Group VPN access control.
  - 12. The method of claim 1 wherein security groups are integrated with enterprise security policies for users and applications, for organizational, or for functional groups.
  - 13. The method of claim 1 wherein the step of determining if the group member is authenticated further comprises:
    - forwarding an authentication request to a Network Access Control (NAC) server.
  - 14. The method of claim 13 further comprising:
    - at the NAC, accessing a RADIUS server, to authenticate the group member to the VPN.

15. An apparatus for providing secure communication among members in a virtual private network (VPN) comprising:
- a security group storage device, for storing a definition of a security group, the security group comprising an identification of two or more members of the VPN to be enabled to securely communicate with one another;
  
  a receiver, for receiving a request by a group member to communicate with other members of a security group,a virtual private network (VPN) authentication server, for determining if the group member is authenticated;
  
  a security association interface, for receiving a security association to enable an authenticated member to carry out secure communication with other group members.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The apparatus of claim 15 wherein the security association comprises at least one of a security policy and an encryption key.
  - 17. The apparatus of claim 15 wherein the security association interface is connected to a network overlay that provides security policies and encryption keys to members of the security group.
  - 18. The apparatus of claim 17 wherein the network overlay additionally comprises:
    - a Management Authority Point (MAP) that provides a security policy layer; and
      
      a Key Authority Point (KAP) that provides an encryption key layer.
  - 19. The apparatus of claim 15 wherein security groups are defined across physically distributed network sites without restriction on group members'"'"' physical locations.
  - 20. The apparatus of claim 15 wherein secure communication between group members uses an IPSec protocol.
  - 21. The apparatus of claim 20 wherein communication between group members uses IPsec packets where an original IP packet header is sent in the clear and an IP packet payload is sent in encrypted form.
  - 22. The apparatus of claim 15 wherein security group members are selected from a group consisting ofuser clients to user clients, as defined by subnets/IP addresses to subnets/IP addresses;
    - clients to host applications/datacenters, as defined by subnets/IP addresses to IP addresses;
      
      orhost applications/datacenters to applications/datacenters, as defined by IP addresses to IP addresses.
  - 23. The apparatus of claim 15 wherein security groups are defined as internal, external or remote.
  - 24. The apparatus of claim 15 wherein a group member can belong to more than one security group.
  - 25. The apparatus of claim 15 wherein the VPN authentication server is additionally integrated with a Group VPN access controller.
  - 26. The apparatus of claim 15 wherein security groups are integrated with enterprise security policies for users and applications, for organizational, or for functional groups.
  - 27. The apparatus of claim 15 wherein VPN authentication server further comprises:
    - a Network Access Control (NAC) server.
  - 28. The apparatus of claim 15 further comprising:
    - a RADIUS server, to authenticate the group member to the NAC.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Carrasco, Serge-Paul

Granted Patent

US 8,607,301 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/08   Key distribution or managem...

Deploying group VPNS and security groups over an end-to-end enterprise network

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Deploying group VPNS and security groups over an end-to-end enterprise network

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others