WO2008021159B1 - Enforcing security groups in network of data processors - Google Patents
Enforcing security groups in network of data processors
- Publication number
- WO2008021159B1 (application PCT/US2007/017686)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- original
- definition
- traffic
- kap
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
A technique for securing message traffic in a data network using various methods for distributing security policies and keys, where policy definition is determined in a Management and Policy (MAP) functional layer that is responsible for policy distribution; a separate Key Authority Point (KAP) that is responsible for key generation, key distribution, and policy distribution; and a separate Policy Enforcement Point (PEP) which is responsible for enforcing the policies and applying the keys.
Claims
1. (currently amended) A method for securing message traffic in a data network using a security protocol, comprising the steps of: at a Management and Policy Server (MAP) within a network, determining a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic; at a Key Authority Point (KAP) within the network, receiving at least one security policy definition from the MAP; generating one or more keys to be used in securing the traffic according to the policy definition; and distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and at a PEP within the network, receiving the security policy definition and the keys from the KAP; receiving a network traffic packet; determining if the network traffic packet falls within the definition of traffic to be secured; and applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition, wherein the MAP, KAP and PEP communication provides for secure encrypted network communication based on the security policy.
2. (original) The method of claim 1, wherein the security policy definition includes a definition of groups/communities of interest.
3. (original) The method of claim 1, wherein the security policy definition includes a definition of membership and permissions of groups.
4. (original) The method of claim 1, further comprising the step of: at the MAP, authenticating each KAP and PEP.
5. (original) The method of claim 1, further comprising the step of: at the MAP, providing a visualization of security groups.
6. (original) The method of claim 1, wherein distributing the security policy definition and the keys to two or more peer PEPs includes distributing the security policy definition and the keys using IPsec.
7. (original) The method of claim 1, wherein distributing the security policy definition and the keys to two or more peer PEPs includes communicating with the peer PEPs via an application programming interface (API).
8. (original) The method of claim 1, wherein the KAP monitors operation of the peer PEPs.
9. (original) The method of claim 1, wherein the MAP and the KAP are centralized on a single physical machine.
10. (original) The method of claim 1, wherein applying security processing to the network traffic packet includes encrypting the packet if it is an outbound packet and decrypting the packet if it is an inbound packet.
11. (original) The method of claim 1, further comprising the step of: at the PEP, storing and processing security packet index (SPI) data associated with the packet.
12. (original) The method of claim 1, wherein the PEP is embedded in a network connected device.
13. (original) The method of claim 1, wherein the PEP is implemented as a process running on a network appliance.
14. (currently amended) A system for securing message traffic in a data network using a security protocol, comprising: a Management and Policy Server (MAP) within a network, the MAP comprising: a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic; a Key Authority Point (KAP) within the network, the KAP comprising: means for receiving at least one security policy definition from the MAP; means for generating one or more keys to be used in securing the traffic according to the policy definition; and means for distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and a PEP within the network, the PEP comprising: means for receiving the security policy definition and the keys from the KAP; means for receiving a network traffic packet; means for determining if the network traffic packet falls within the definition of traffic to be secured; and means for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition, wherein the MAP, KAP and PEP communication provides for secure encrypted network communication based on the security policy.
15. (original) The system of claim 14, wherein the security policy definition includes a definition of groups/communities of interest.
16. (original) The system of claim 14, wherein the security policy definition includes a definition of membership and permissions of groups.
17. (original) The system of claim 14, wherein the MAP further comprises: means for authenticating each KAP and PEP.
18. (original) The system of claim 14, wherein the MAP further comprises: means for providing a visualization of security groups.
19. (original) The system of claim 14, wherein the means for distributing the security policy definition and the keys to two or more peer PEPs includes distributing the security policy definition and the keys using IPsec.
20. (original) The system of claim 14, further comprising an application programming interface (API) used for communicating between the KAP and the peer PEPs.
21. (original) The system of claim 14, wherein the KAP further comprises: means for monitoring operation of the peer PEPs.
22. (original) The system of claim 14, wherein the MAP and the KAP are centralized on a single physical machine.
23. (original) The system of claim 14, wherein the means for applying security processing to the network traffic packet includes encrypting the packet if it is an outbound packet and decrypting the packet if it is an inbound packet.
24. (original) The system of claim 14, wherein the PEP further comprises: means for storing and processing security packet index (SPI) data associated with the packet.
25. (original) The system of claim 14, wherein the PEP is embedded in a network connected device.
26. (original) The system of claim 14, wherein the PEP is implemented as a process running on a network appliance.
27. (currently amended) A computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network using a security protocol, the computer readable medium program codes performing functions comprising: a routine for determining, at a Management and Policy Server (MAP) within a network, a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic; a routine for receiving, at a Key Authority Point (KAP) within the network, at least one security policy definition from the MAP; a routine for generating, at the KAP, one or more keys to be used in securing the traffic according to the policy definition; a routine for distributing the security policy definition and the keys from the KAP to two or more peer Policy Enforcement Points (PEPs); a routine for receiving, at a PEP within the network, the security policy definition and the keys from the KAP; a routine for receiving, at the PEP, a network traffic packet; a routine for determining if the network traffic packet falls within the definition of traffic to be secured; and a routine for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition, wherein the MAP, KAP and PEP communication provides for secure encrypted network communication based on the security policy.
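The claims above describe a three-role procedure: the MAP defines policy (a traffic selector plus parameters), the KAP generates a key per policy and pushes policy and keys to peer PEPs, and each PEP classifies packets and encrypts outbound or decrypts inbound traffic that falls within the definition (claims 1 and 10). The following Python model is an added illustration, not code from the patent; the class names follow the claim vocabulary, the network selectors and payloads are constructed, and the keyed transform is a stand-in HMAC keystream because the patent leaves the security protocol itself open (IPsec is one claimed option, not modelled here).

```python
import hashlib, hmac, ipaddress, os
def _xor_stream(key, nonce, data):
    # Stand-in keyed transform for the example (HMAC-SHA256 keystream, fresh nonce per packet);
    # the patent leaves the actual security protocol open, IPsec being one claimed option.
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))

class MAP:  # Management and Policy server: policy = traffic selector + parameters
    def __init__(self):
        self.policies = []
    def define(self, name, src_net, dst_net, proto="any", key_bytes=32):
        self.policies.append(dict(name=name, src=ipaddress.ip_network(src_net),
                                  dst=ipaddress.ip_network(dst_net), proto=proto, key_bytes=key_bytes))

class KAP:  # Key Authority Point: one fresh key per policy received from the MAP
    def __init__(self, map_):
        self.policies = list(map_.policies)
        self.keys = {p["name"]: os.urandom(p["key_bytes"]) for p in self.policies}
    def distribute(self, *peps):  # push policy definitions and keys to each peer PEP
        for pep in peps:
            pep.policies, pep.keys = self.policies, dict(self.keys)

class PEP:  # Policy Enforcement Point: classify each packet, then apply the key
    policies, keys = [], {}
    def match(self, src, dst, proto):
        for p in self.policies:
            if (ipaddress.ip_address(src) in p["src"] and ipaddress.ip_address(dst) in p["dst"]
                    and p["proto"] in ("any", proto)):
                return p["name"]
        return None  # outside the definition of traffic to be secured
    def process(self, src, dst, proto, payload, outbound):
        name = self.match(src, dst, proto)
        if name is None:
            return payload  # not covered by any policy: passed through unchanged
        if outbound:  # encrypt outbound packets: nonce || ciphertext
            nonce = os.urandom(12)
            return nonce + _xor_stream(self.keys[name], nonce, payload)
        return _xor_stream(self.keys[name], payload[:12], payload[12:])  # decrypt inbound

def demo():
    # Constructed scenario: one MAP policy, one KAP, two peer PEPs fronting two sites.
    m = MAP(); m.define("finance", "10.1.0.0/16", "10.2.0.0/16", "tcp")
    a, b = PEP(), PEP(); KAP(m).distribute(a, b)
    wire = a.process("10.1.0.5", "10.2.0.9", "tcp", b"payroll run", outbound=True)
    clear = b.process("10.1.0.5", "10.2.0.9", "tcp", wire, outbound=False)
    passthrough = a.process("10.1.0.5", "10.3.0.1", "tcp", b"plain", outbound=True)
    return wire, clear, passthrough
```

Because both PEPs received the same key from the KAP, the peer can recover the payload, while a packet whose destination lies outside the selector is forwarded untouched.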
Applications Claiming Priority (6)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US60/837,410 (US83741006P) | 2006-08-11 | 2006-08-11 |
US11/649,336 (US20070186281A1) | 2006-01-06 | 2007-01-03 | Securing network traffic using distributed key generation and dissemination over secure tunnels
US11/880,890 (US8082574B2) | 2006-08-11 | 2007-07-23 | Enforcing security groups in network of data processors
Publications (3)
Publication Number | Publication Date |
---|---|
WO2008021159A2 (en) | 2008-02-21 |
WO2008021159A3 (en) | 2008-10-16 |
WO2008021159B1 (en) | 2008-11-20 |
Family
ID=39082588
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2007/017686 WO2008021159A2 (en) | 2006-08-11 | 2007-08-09 | Enforcing security groups in network of data processors |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2008021159A2 (en) |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020069356A1 (en) * | 2000-06-12 | 2002-06-06 | Kwang Tae Kim | Integrated security gateway apparatus |
US7120156B2 (en) * | 2001-07-16 | 2006-10-10 | Telefonaktiebolaget Lm Ericsson (Publ) | Policy information transfer in 3GPP networks |
US7191331B2 (en) * | 2002-06-13 | 2007-03-13 | Nvidia Corporation | Detection of support for security protocol and address translation integration |
US7779247B2 (en) * | 2003-01-09 | 2010-08-17 | Jericho Systems Corporation | Method and system for dynamically implementing an enterprise resource policy |
US20050102514A1 (en) * | 2003-11-10 | 2005-05-12 | Telefonaktiebolaget Lm Ericsson (Publ) | Method, apparatus and system for pre-establishing secure communication channels |
2007
- 2007-08-09 WO PCT/US2007/017686 patent/WO2008021159A2/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2008021159A2 (en) | 2008-02-21 |
WO2008021159A3 (en) | 2008-10-16 |
Similar Documents
Publication | Title |
---|---|
CN110069918B (en) | Efficient double-factor cross-domain authentication method based on block chain technology |
CN103427998B (en) | The authentication of a kind of Internet data distribution and data ciphering method |
CN101094394A (en) | Method for guaranteeing safe transmission of video data, and video monitoring system |
DE102018216915A1 (en) | System and method for secure communications between controllers in a vehicle network |
EP2544117A1 (en) | Method and system for sharing or storing personal data without loss of privacy |
WO2016061819A1 (en) | Resource access method and apparatus |
CN104063334A (en) | Encryption method and system based on data attributions |
CN103634265B (en) | Method, equipment and the system of safety certification |
IL158309A (en) | Centralized network control |
CN108259407B (en) | Symmetric encryption method and system based on timestamp |
CN103684798B (en) | Authentication method used in distributed user service |
CN105072125A (en) | HTTP communication system and method |
CA2403488A1 (en) | Automatic identity protection system with remote third party monitoring |
CN108174151A (en) | Video monitoring system and control method, the call method of video information |
CN113872760A (en) | SM9 key infrastructure and security system |
CN1917424A (en) | Method for upgrading function of creditable calculation modules |
CN104125239A (en) | Network authentication method and system based on data link encryption transmission |
CN116545706B (en) | Data security transmission control system, method and device and electronic equipment |
CN106992978A (en) | Network safety managing method and server |
CN113922974A (en) | Information processing method and system, front end, server and storage medium |
CN113055160B (en) | Intelligent education safety protection method and system based on Kerberos identity authentication protocol |
US9419800B2 (en) | Secure network systems and methods |
CN112069487B (en) | Intelligent equipment network communication safety implementation method based on Internet of things |
KR20140004703A (en) | Controlled security domains |
CN111132136B (en) | Mobile application information security system application system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07836644; Country of ref document: EP; Kind code of ref document: A2 |
| NENP | Non-entry into the national phase in: | Ref country code: DE |
| NENP | Non-entry into the national phase in: | Ref country code: RU |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 07836644; Country of ref document: EP; Kind code of ref document: A2 |