System and method for improved network security
First Claim
1. A system that establishes a secure link between one individual user of multiple users of a single machine and a remote machine, the system comprising:
- a security subsystem that filters traffic so that traffic for each user is separate and is adapted to establish the secure link by;
exchanging authentication information for the single machine between the single machine and the remote machine during a machine authentication process to authenticate the single machine to the remote machine;
exchanging authentication information for the individual user between the single machine and the remote machine during a user authentication process to authenticate the individual user to the remote machine, wherein the authentication information for the individual user is exchanged over a link secured using security information derived during the machine authentication process; and
using security information derived during the user authentication process to communicate securely between the single machine and the remote machine to generate at least one Security Association (SA) for the secure link between the single machine and the remote machine, generating the at least one SA with at least one filter that corresponds to the individual user, and employing the at least one SA to establish the secure link.
2 Assignments
0 Petitions
Abstract
A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).
24 Citations
31 Claims
16. A system that establishes a secure link between a first machine and an individual service of multiple services on a second machine, the system comprising:
- a security subsystem adapted to establish the secure link by;
exchanging authentication information for the first machine between the first machine and the second machine during a machine authentication process to authenticate the first machine to the second machine;
exchanging authentication information for the individual service between the first machine and the second machine during a service authentication process to authenticate the individual service to the first machine, wherein the authentication information for the individual service is exchanged over a link secured using security information derived during the machine authentication process; and
using security information derived during the service authentication process to communicate securely between the first machine and the second machine to generate at least one Security Association (SA) for the secure link between the first machine and the second machine, generating the at least one SA, and employing the at least one SA to establish the secure link.
26. A method for establishing secure links between each of multiple users of a single machine and a remote machine, the method comprising:
during a machine authentication process, transmitting first machine authentication information for the single machine to the remote machine to authenticate the single machine to the remote machine, and receiving second machine authentication information for the remote machine from the remote machine to authenticate the remote machine to the single machine;
for a first individual user of the multiple users;
during a first user authentication process, transmitting first user authentication information for the first individual user to the remote machine to authenticate the first individual user to the remote machine and receiving second user authentication information for a remote user of the remote machine to authenticate the remote user to the single machine;
using security information during the first user authentication process to communicate securely between the single machine and the remote machine to generate at least one first Security Association (SA) for a first secure link between the single machine and the remote machine;
generating the at least one first SA with at least one first filter corresponding to the first individual user; and
employing the at least one first SA to establish the first secure link for the first individual user; and
for a second individual user of the multiple users;
during a second user authentication process, transmitting first user authentication information for the second individual user to the remote machine to authenticate the second individual user to the remote machine and receiving second user authentication information for a remote user of the remote machine to authenticate the remote user to the single machine;
using security information during the second user authentication process to communicate securely between the single machine and the remote machine to generate at least one second Security Association (SA) for a second secure link between the single machine and the remote machine;
generating the at least one second SA with at least one second filter corresponding to the first individual user; and
employing the at least one second SA to establish the second secure link for the second individual user;
using the at least one first filter of each at least one first SA and the at least one second filter of each of the at least one second SA to filter traffic so that traffic for the first individual user is separate from traffic for the second individual user.
27. A method for establishing a first secure link and a second secure link between a first machine and multiple services on a second machine, the method comprising:
during a first machine authentication process, transmitting second machine authentication information for the second machine to the first machine to authenticate the second machine to the first machine, and receiving first machine authentication information for the first machine from the first machine to authenticate the first machine to the second machine;
for a first service of the multiple services;
during a first service authentication process, transmitting first service authentication information for the first service to the first machine to authenticate the first service to the first machine, wherein the first service authentication information for the first service is transmitted over a link secured using first security information derived during the first machine authentication process;
using second security information during the first service authentication process to communicate securely between the first machine and the second machine to generate at least one first Security Association (SA) for the first secure link between the first machine and the second machine;
generating the at least one first SA with at least one first filter corresponding to the first service; and
employing the at least one first SA to establish the secure link;
for a second service of the multiple services;
during a second service authentication process, transmitting second service authentication information for the second service to the first machine to authenticate the second service to the first machine, wherein the second service authentication information for the first service is transmitted over a link secured using third security information derived during the first machine authentication process;
using fourth security information derived during the second service authentication process to communicate securely between the first machine and the second machine to generate at least one second SA for the second secure link between the first machine and the second machine;
generating the at least one second SA with at least one second filter corresponding to the second service; and
employing the at least one second SA to establish the second secure link;
applying the at least one first filter and the at least one second filter to traffic received at the second machine such that traffic for the first service and traffic for the second service is separated; and
when the first machine authentication information or the second machine authentication information or the first machine authentication information and the second machine authentication information expires, repeating the first service authentication process and the second service authentication process.
28. A system that establishes a secure link between multiple users of a single machine and a remote machine, the system comprising:
- means for authenticating the single machine and each individual user of the multiple users by;
exchanging authentication information for the single machine between the single machine and the remote machine during a machine authentication process to authenticate the single machine to the remote machine, and
exchanging authentication information for the individual user between the single machine and the remote machine during a user authentication process to authenticate the individual user to the remote machine, wherein the authentication information for the individual user is exchanged over a link secured using security information derived during the machine authentication process;
- means for using security information derived during the machine authentication process and during a user authentication process for each individual user to communicate securely between the single machine and the remote machine to generate at least one Security Association (SA) for the secure link between the single machine and the remote machine and for generating, for each individual user, the at least one SA with at least one filter corresponding to the individual user;
- means for employing the at least one SA to establish the secure link; and
- means for applying the at least one filter of each at least one SA to filter traffic so that traffic for each individual user is separate.
29. A system that establishes a secure link between a first machine and an individual service of multiple services on a second machine, the system comprising:
- means for authenticating the first machine and the individual service by;
exchanging authentication information for the first machine between the first machine and the second machine during a machine authentication process to authenticate the first machine to the second machine;
exchanging authentication information for the individual service between the first machine and the second machine during a service authentication process to authenticate the individual service to the first machine, wherein the authentication information for the individual service is exchanged over a link secured using security information derived during the machine authentication process;
- means for using security information derived during the machine authentication process and during the service authentication process to communicate securely between the first machine and the second machine to generate at least one Security Association (SA) for the secure link between the first machine and the second machine, generating the SA; and
- means for employing the SA to establish the secure link.
30. A computer readable storage medium having stored thereon computer executable instructions that, when executed by a computer, cause the computer to carry out a method for establishing a secure link between an individual user of a first machine having multiple users and a second machine, the method comprising:
during a machine authentication process, transmitting first machine authentication information for the first machine to the second machine to authenticate the first machine to the second machine, and receiving second machine authentication information for the second machine from the second machine to authenticate the second machine to the first machine;
during a user authentication process, transmitting first user authentication information for the individual user to the second machine to authenticate the individual user to the second machine and receiving second user authentication information for a remote user of the second machine to authenticate the remote user to the first machine;
using security information derived during the user authentication process to communicate securely between the first machine and the second machine to generate at least one Security Association (SA) for the secure link between the first machine and the second machine;
employing the SA to establish a secure link between the first and second machines; and
when the first machine authentication information or the second machine authentication information or the first machine authentication information and the second machine authentication information expires, repeating the user authentication process,
wherein the computer readable storage medium does not consist of a propagating signal.
31. A computer readable medium having stored thereon computer executable instructions that, when executed by a computer, cause the computer to carry out a method between an individual service of a first machine having multiple services and a second machine, the method comprising:
during a machine authentication process, transmitting second machine authentication information for the second machine to the first machine to authenticate the second machine to the first machine, and receiving first machine authentication information for the first machine from the first machine to authenticate the first machine to the second machine;
during a service authentication process, transmitting second service authentication information for the individual service to the first machine to authenticate the individual service to the first machine and receiving first service authentication information for a first service of the first machine to authenticate the first service to the second machine;
using security information derived during the service authentication process to communicate securely between the single machine and the remote machine to generate at least one Security Association (SA) for the secure link between the first machine and the second machine;
employing the SA to establish a secure link between the first and second machines; and
when the first machine authentication information or the second machine authentication information or the first machine authentication information and the second machine authentication information expires, repeating the service authentication process,
wherein the computer readable medium does not consist of a propagating signal.
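The handshake the abstract and the claims describe, modelled end to end as an added example that is not part of the patent: machine authentication first, user authentication carried over the link secured by the machine phase, one Security Association per user whose filter keeps that user's traffic apart from the other user's, and the re-authentication that claim 30 requires once the machine authentication information expires. Everything concrete here is an assumption of the example rather than something the page states: the machines and users authenticate with pre-shared secrets and HMAC-SHA256 in place of the IKE exchanges and IPsec policy the abstract names, the packet layout (SPI, tag, payload) and the key-derivation labels are constructed, and the names Machine, SA, mac, machine_auth, user_auth, renew_after_expiry and demo are the example's own.

```python
"""Model of the claimed handshake: machine authentication, then user authentication over the
machine-secured link, then one Security Association (SA) per user whose filter keeps that user's
traffic separate. Added example, not the patent's code; all credentials and formats are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the joined parts; used for proofs, envelopes and derived keys."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

@dataclass
class SA:
    spi: int
    key: bytes
    user: str  # the filter: only this user's traffic may use the SA

    def protect(self, user: str, payload: bytes):
        """Apply the filter, then authenticate the payload; None means dropped by the filter."""
        if user != self.user:
            return None
        return self.spi.to_bytes(4, "big") + mac(self.key, b"esp", payload) + payload

@dataclass
class Machine:
    name: str
    secret: bytes  # assumed pre-shared machine credential
    trusted: dict  # peer name -> that peer's credential (assumed trust store)
    users: dict    # user name -> user credential this machine can verify
    machine_key: bytes = None
    sas: dict = field(default_factory=dict)  # spi -> SA

    def unprotect(self, packet: bytes):
        """Find the SA by SPI, verify the tag, attribute the payload to the SA's filter user."""
        sa = self.sas.get(int.from_bytes(packet[:4], "big"))
        if sa is None or not hmac.compare_digest(packet[4:36], mac(sa.key, b"esp", packet[36:])):
            return None
        return sa.user, packet[36:]

def machine_auth(a: Machine, b: Machine) -> None:
    """Machine phase: mutual proof of the machine credentials, then a shared link key."""
    na, nb = os.urandom(16), os.urandom(16)
    for prover, verifier in ((a, b), (b, a)):
        expect = mac(verifier.trusted[prover.name], b"machine-auth", na, nb)
        if not hmac.compare_digest(mac(prover.secret, b"machine-auth", na, nb), expect):
            raise PermissionError(f"{verifier.name} rejected machine {prover.name}")
    a.machine_key = mac(a.secret + a.trusted[b.name], b"machine-key", na, nb)  # identical
    b.machine_key = mac(b.trusted[a.name] + b.secret, b"machine-key", na, nb)  # on both sides

def user_auth(local: Machine, remote: Machine, user: str) -> SA:
    """User phase: the user proof travels in an envelope keyed with the machine key, so the
    remote accepts it only after machine authentication; the SA key comes from the user phase."""
    if local.machine_key is None or remote.machine_key is None:
        raise PermissionError("user authentication needs a machine-authenticated link")
    nu = os.urandom(16)
    proof = mac(local.users[user], b"user-auth", nu)
    envelope = mac(local.machine_key, b"envelope", user.encode(), nu, proof)
    # Remote side: check the envelope under its own machine key, then the user proof itself.
    if not hmac.compare_digest(envelope, mac(remote.machine_key, b"envelope", user.encode(), nu, proof)):
        raise PermissionError("user proof not bound to the machine-authenticated link")
    if not hmac.compare_digest(proof, mac(remote.users[user], b"user-auth", nu)):
        raise PermissionError(f"{remote.name} rejected user {user}")
    user_key = mac(remote.users[user], b"user-key", remote.machine_key, nu)  # user-phase secret
    spi = int.from_bytes(os.urandom(4), "big")
    sa = SA(spi, mac(user_key, b"sa-key", spi.to_bytes(4, "big")), user)
    local.sas[spi] = remote.sas[spi] = sa  # the SA and its filter are installed at both ends
    return sa

def renew_after_expiry(local: Machine, remote: Machine, users) -> dict:
    """Claim 30's last step: when the machine authentication information expires, drop the old
    SAs and repeat the user authentication process (re-running the machine phase first is this
    example's choice; the claim only says the user process is repeated)."""
    for m in (local, remote):
        m.sas.clear()
        m.machine_key = None
    machine_auth(local, remote)
    return {u: user_auth(local, remote, u) for u in users}

def demo() -> dict:
    creds = {"alice": b"alice-credential", "bob": b"bob-credential"}  # constructed sample data
    client = Machine("client", b"client-secret", {"server": b"server-secret"}, creds)
    server = Machine("server", b"server-secret", {"client": b"client-secret"}, creds)
    out = {}
    try:
        user_auth(client, server, "alice")
    except PermissionError:
        out["user_before_machine"] = "rejected"
    machine_auth(client, server)
    alice, bob = user_auth(client, server, "alice"), user_auth(client, server, "bob")
    out["distinct_sas"] = alice.spi != bob.spi and alice.key != bob.key
    pkt = alice.protect("alice", b"GET /payroll")
    out["alice_traffic"] = server.unprotect(pkt)                      # attributed to alice
    out["bob_via_alice_sa"] = alice.protect("bob", b"GET /payroll")  # dropped by the filter
    fresh = renew_after_expiry(client, server, creds)                 # machine information expired
    out["old_sa_after_expiry"] = server.unprotect(pkt)                # stale SPI no longer installed
    out["reauth_traffic"] = server.unprotect(fresh["alice"].protect("alice", b"GET /payroll"))
    return out
```

Calling demo() exercises the four properties the claims turn on: a user proof presented before the machine phase is refused, the two users on the same client end up with distinct SAs, a packet protected under one user's SA is attributed to that user by the filter at the receiver while the other user's traffic is refused by that SA, and after expiry the old SPI is no longer accepted and the repeated user authentication yields a working replacement.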
Specification