Method and apparatus for securing layer 2 networks

US 20090034738A1
Filed: 07/31/2007
Published: 02/05/2009
Est. Priority Date: 07/31/2007
Status: Abandoned Application

First Claim

Patent Images

1. A system for providing secure Layer 2 networks comprising:

a. a communication network having a network infrastructure;

the communication network spread over a geography such that nodes on the network that communicate using Layer 2 protocols such as Ethernet are grouped at Layer 2,b. at least one management and policy (MAP) server operable for communication within the network, wherein the MAP includes at least one policy for providing secure association (SA) within the network;

c. at least one key authority point (KAP);

d. a multiplicity of policy enforcement points (PEPs) having nodes distributed throughout the network;

wherein the KAP is operable to generate and manage key(s) communicated to the multiplicity of PEPs;

and wherein the multiplicity of PEPs enforce policies for secure communication between the nodes on the network and maintain transparency at Layer 2.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for using a shared key architecture to enable secure Layer 2 meshed network security.

60 Citations

View as Search Results

15 Claims

1. A system for providing secure Layer 2 networks comprising:
- a. a communication network having a network infrastructure;
  
  the communication network spread over a geography such that nodes on the network that communicate using Layer 2 protocols such as Ethernet are grouped at Layer 2,b. at least one management and policy (MAP) server operable for communication within the network, wherein the MAP includes at least one policy for providing secure association (SA) within the network;
  
  c. at least one key authority point (KAP);
  
  d. a multiplicity of policy enforcement points (PEPs) having nodes distributed throughout the network;
  
  wherein the KAP is operable to generate and manage key(s) communicated to the multiplicity of PEPs;
  
  and wherein the multiplicity of PEPs enforce policies for secure communication between the nodes on the network and maintain transparency at Layer 2.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein a group selected from the multiplicity of PEPs share a common security policy as defined by the MAP.
  - 3. The system of claim 2, wherein the group of PEPs share a common key.
  - 4. The system of claim 3, wherein the common keys are changed after a predetermined time interval.
  - 5. The system of claim 4, wherein the time interval is greater than 1 hour.
  - 6. The system of claim 1, wherein the PEPs encrypt network traffic originating from the nodes connected to them using the key generated by the KAP.
  - 7. The system of claim 1, wherein the PEPs decrypt network traffic destined to the nodes connected to them using the key generated by the KAP.
  - 8. The system of claim 1, wherein the communication over the network to be secured is broadcast content.
  - 9. The system of claim 1, wherein the communication over the network to be secure is multicast content.

10. A method for providing secure interactivity between points on a Layer 2 network comprising the steps of:
- providing a communication network having a network infrastructure and a secure network topography between a multiplicity of policy enforcement points (PEPs) having nodes with any form of encryption associated therewith;
  
  the nodes spread over a wide geographic area such that they form a metro ethernet network over Layer 2;
  
  a user providing at least one policy definition to a management and policy (MAP) server in communication with a key authority point (KAP);
  
  the KAP generating and distributing at least one key to the PEPs consistent with the MAP policy;
  
  the PEPs enforcing the policy at the nodes to provide secure communication across the network topography over the Layer 2 network.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the MAP policy defines two or more PEPs to exchange data such that the nodes associated with the two or more PEPs can communicate transparently with each other.
  - 12. The system of claim 11, wherein the two or more PEPs share a common cryptographic key.
  - 13. The system of claim 12, wherein the common key is used to encrypt network traffic originating from one or more nodes associated with the two or more PEPs;
    - the network traffic being transmitted to one or more other nodes associated with the two or more PEPs.
  - 14. The system of claim 13;
    - wherein the PEPs encrypt the network traffic to form encrypted frames which are transmitted between the two or more PEPs over the Layer 2 network.

15. A system for securing communication between at least two subnetworks that are spread over a geography, the system comprising:
- a. a multiplicity of nodes grouped to form at least two subnetworks such that the communication between subnetworks is carried out at Layer 2;
  
  b. a management and policy (MAP) server operable for communication with the at least two subnetworks, wherein the MAP includes at least one policy for providing secure association (SA) with the nodes on the subnetwork;
  
  c. at least one key authority point (KAP) operable for communication with the MAP;
  
  d. a multiplicity of policy enforcement points (PEPs);
  
  such that at least one PEP is associated with each of the at least one subnetworks;
  
  wherein the universal KAP is operable to generate and manage key(s) communicated to the multiplicity of PEPs; and
  
  wherein the multiplicity of PEPs encrypt the communication between the subnetworks such that the encrypted communication is transported over Layer 2 transparently.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Starrett, Charles Rodney

Application Number

US11/888,097
Publication Number

US 20090034738A1
Time in Patent Office

Days
Field of Search
US Class Current

380/278
CPC Class Codes

H04L 63/06 for supporting key manageme...

H04L 63/162 at the data link layer

Method and apparatus for securing layer 2 networks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing layer 2 networks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links