WO2008021159B1 - Enforcing security groups in network of data processors - Google Patents

Enforcing security groups in network of data processors

Info

Publication number
WO2008021159B1
Authority
WO
WIPO (PCT)
Prior art keywords
network
original
definition
traffic
kap
Prior art date
Application number
PCT/US2007/017686
Other languages
French (fr)
Other versions
WO2008021159A2 (en)
WO2008021159A3 (en)
Inventor
Charles R Starrett
Ronald B Willis
Donald K Mcalister
Brandon L Hoff
Original Assignee
Cipheroptics Inc
Charles R Starrett
Ronald B Willis
Donald K Mcalister
Brandon L Hoff
Priority date: 2006-08-11
Filing date: 2007-08-09
Publication date: 2008-11-20
Priority claimed from US11/649,336 (US20070186281A1)
Priority claimed from US11/880,890 (US8082574B2)
Application filed by Cipheroptics Inc, Charles R Starrett, Ronald B Willis, Donald K Mcalister, Brandon L Hoff
Publication of WO2008021159A2
Publication of WO2008021159A3
Publication of WO2008021159B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

A technique for securing message traffic in a data network using various methods for distributing security policies and keys, where policy definition is determined in a Management and Policy (MAP) functional layer that is responsible for policy distribution; a separate Key Authority Point (KAP) that is responsible for key generation, key distribution, and policy distribution; and a separate Policy Enforcement Point (PEP) which is responsible for enforcing the policies and applying the keys.

Claims

AMENDED CLAIMS received by the International Bureau on 4 August 2008 (04.08.2008)
1. (currently amended) A method for securing message traffic in a data network using a security protocol, comprising the steps of:
    at a Management and Policy Server (MAP) within a network, determining a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
    at a Key Authority Point (KAP) within the network, receiving at least one security policy definition from the MAP; generating one or more keys to be used in securing the traffic according to the policy definition; and distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and
    at a PEP within the network, receiving the security policy definition and the keys from the KAP; receiving a network traffic packet; determining if the network traffic packet falls within the definition of traffic to be secured; and applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition,
    wherein the MAP, KAP and PEP communication provides for secure encrypted network communication based on the security policy.
2. (original) The method of claim 1, wherein the security policy definition includes a definition of groups/communities of interest.
3. (original) The method of claim 1, wherein the security policy definition includes a definition of membership and permissions of groups.
4. (original) The method of claim 1, further comprising the step of: at the MAP, authenticating each KAP and PEP.
5. (original) The method of claim 1, further comprising the step of: at the MAP, providing a visualization of security groups.
6. (original) The method of claim 1, wherein distributing the security policy definition and the keys to two or more peer PEPs includes distributing the security policy definition and the keys using IPsec.
7. (original) The method of claim 1, wherein distributing the security policy definition and the keys to two or more peer PEPs includes communicating with the peer PEPs via an application programming interface (API).
8. (original) The method of claim 1, wherein the KAP monitors operation of the peer PEPs.
9. (original) The method of claim 1, wherein the MAP and the KAP are centralized on a single physical machine.
10. (original) The method of claim 1, wherein applying security processing to the network traffic packet includes encrypting the packet if it is an outbound packet and decrypting the packet if it is an inbound packet.
11. (original) The method of claim 1, further comprising the step of: at the PEP, storing and processing security packet index (SPI) data associated with the packet.
12. (original) The method of claim 1, wherein the PEP is embedded in a network connected device.
13. (original) The method of claim 1, wherein the PEP is implemented as a process running on a network appliance.
14. (currently amended) A system for securing message traffic in a data network using a security protocol, comprising:
    a Management and Policy Server (MAP) within a network, the MAP comprising: a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
    a Key Authority Point (KAP) within the network, the KAP comprising: means for receiving at least one security policy definition from the MAP; means for generating one or more keys to be used in securing the traffic according to the policy definition; and means for distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and
    a PEP within the network, the PEP comprising: means for receiving the security policy definition and the keys from the KAP; means for receiving a network traffic packet; means for determining if the network traffic packet falls within the definition of traffic to be secured; and means for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition,
    wherein the MAP, KAP and PEP communication provides for secure encrypted network communication based on the security policy.
15. (original) The system of claim 14, wherein the security policy definition includes a definition of groups/communities of interest.
16. (original) The system of claim 14, wherein the security policy definition includes a definition of membership and permissions of groups.
17. (original) The system of claim 14, wherein the MAP further comprises: means for authenticating each KAP and PEP.
18. (original) The system of claim 14, wherein the MAP further comprises: means for providing a visualization of security groups.
19. (original) The system of claim 14, wherein the means for distributing the security policy definition and the keys to two or more peer PEPs includes distributing the security policy definition and the keys using IPsec.
20. (original) The system of claim 14, further comprising an application programming interface (API) used for communicating between the KAP and the peer PEPs.
21. (original) The system of claim 14, wherein the KAP further comprises: means for monitoring operation of the peer PEPs.
22. (original) The system of claim 14, wherein the MAP and the KAP are centralized on a single physical machine.
23. (original) The system of claim 14, wherein the means for applying security processing to the network traffic packet includes encrypting the packet if it is an outbound packet and decrypting the packet if it is an inbound packet.
24. (original) The system of claim 14, wherein the PEP further comprises: means for storing and processing security packet index (SPI) data associated with the packet.
25. (original) The system of claim 14, wherein the PEP is embedded in a network connected device.
26. (original) The system of claim 14, wherein the PEP is implemented as a process running on a network appliance.
27. (currently amended) A computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network using a security protocol, the computer readable medium program codes performing functions comprising:
    a routine for determining, at a Management and Policy Server (MAP) within a network, a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
    a routine for receiving, at a Key Authority Point (KAP) within the network, at least one security policy definition from the MAP;
    a routine for generating, at the KAP, one or more keys to be used in securing the traffic according to the policy definition;
    a routine for distributing the security policy definition and the keys from the KAP to two or more peer Policy Enforcement Points (PEPs);
    a routine for receiving, at a PEP within the network, the security policy definition and the keys from the KAP;
    a routine for receiving, at the PEP, a network traffic packet;
    a routine for determining if the network traffic packet falls within the definition of traffic to be secured; and
    a routine for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition,
    wherein the MAP, KAP and PEP communication provides for secure encrypted network communication based on the security policy.
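The MAP / KAP / PEP flow of the abstract and of claims 1, 3, 10 and 11, as an added example that is not part of the patent and not CipherOptics' code. It models the three roles end to end: the MAP determines a policy (traffic selectors plus group membership), the KAP generates per-policy keys and distributes policy and keys only to PEPs in the group, and each PEP classifies packets against the selectors, encrypts outbound and decrypts inbound, indexing its keys by SPI (in IPsec, the Security Parameter Index of RFC 4301/4303; the claims call it "security packet index"). Assumptions, none of which come from the patent: an HMAC-SHA256 counter-mode keystream plus a truncated HMAC tag stands in for a real ESP transform, a 4-byte SPI plus 4-byte sequence number stands in for the ESP header, only the payload is protected (transport-mode style), and all names, addresses and sample packets are constructed for the demo.

```python
"""Added example: toy model of the MAP / KAP / PEP split in the claims (not the patent's own code).
Assumptions: an HMAC-SHA256 counter-mode keystream plus an HMAC tag stand in for a real ESP transform,
a 4-byte SPI + 4-byte sequence number stand in for the ESP header, and only the payload is protected."""
import hashlib, hmac, ipaddress, secrets, struct
from collections import namedtuple

Policy = namedtuple("Policy", "name members selectors key_len")  # MAP output; members = PEP names in the group
SA = namedtuple("SA", "spi k_enc k_auth")                        # KAP output, named by Security Parameter Index
HDR, TAG_LEN = struct.Struct(">II"), 16                          # wire header (SPI, seq) and truncated-tag length

def covers(policy, pkt):
    """Does pkt = (src, dst, proto, payload) fall within the policy's definition of traffic to secure?"""
    src, dst, proto, _ = pkt
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(s)
               and ipaddress.ip_address(dst) in ipaddress.ip_network(d)
               and p in (0, proto) for s, d, p in policy.selectors)   # selector proto 0 = any

class MAP:
    """Management and Policy server: determines policy definitions and hands them to the KAP."""
    def __init__(self, *policies):
        self.policies = {p.name: p for p in policies}

    def push(self, kap):
        for policy in self.policies.values():
            kap.receive_policy(policy)

class KAP:
    """Key Authority Point: generates keys per policy and distributes policy + keys to the member PEPs."""
    def __init__(self, peps):
        self.peps, self.sas = {p.name: p for p in peps}, {}

    def receive_policy(self, policy):
        spi = secrets.randbits(32)
        while spi < 256 or spi in self.sas:          # SPIs 0-255 are reserved (RFC 4303)
            spi = secrets.randbits(32)
        sa = self.sas[spi] = SA(spi, secrets.token_bytes(policy.key_len), secrets.token_bytes(policy.key_len))
        for name, pep in self.peps.items():
            if name in policy.members:               # group membership enforced at distribution time
                pep.receive(policy, sa)
        return sa

def ctr_xor(key, nonce, data):
    """XOR data with a counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR/GCM); nonce = SPI||seq."""
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, ks))

class PEP:
    """Policy Enforcement Point: classifies packets, encrypts outbound, decrypts inbound, keyed by SPI."""
    def __init__(self, name):
        self.name, self.policies = name, []          # [(Policy, SA), ...]
        self.by_spi, self.next_seq = {}, {}          # SPI -> [SA, last seq accepted]; SPI -> next seq (claim 11)

    def receive(self, policy, sa):
        self.policies.append((policy, sa))
        self.by_spi[sa.spi], self.next_seq[sa.spi] = [sa, 0], 1

    def outbound(self, pkt):
        """('esp', wire) for traffic within policy; ('clear', pkt) for everything else."""
        sa = next((sa for policy, sa in self.policies if covers(policy, pkt)), None)
        if sa is None:
            return ("clear", pkt)
        seq = self.next_seq[sa.spi]
        if seq >= 2**32:                             # the nonce would repeat: force a rekey instead
            raise RuntimeError("sequence space exhausted; SA must be rekeyed by the KAP")
        self.next_seq[sa.spi] = seq + 1
        hdr = HDR.pack(sa.spi, seq)
        body = ctr_xor(sa.k_enc, hdr, pkt[3])
        tag = hmac.new(sa.k_auth, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        return ("esp", hdr + body + tag)

    def inbound(self, wire):
        """Decrypted payload bytes, or None when the datagram must be dropped."""
        if len(wire) < HDR.size + TAG_LEN:
            return None
        spi, seq = HDR.unpack_from(wire)
        entry = self.by_spi.get(spi)
        if entry is None:                            # no SA for this SPI on this PEP
            return None
        sa, last_seq = entry
        hdr, body, tag = wire[:HDR.size], wire[HDR.size:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(sa.k_auth, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected) or seq <= last_seq:   # bad tag or replay: drop
            return None
        entry[1] = seq
        return ctr_xor(sa.k_enc, hdr, body)

def demo():
    """One policy pushed MAP -> KAP -> PEPs, then constructed packets from a branch PEP to a data-centre PEP."""
    branch, dc, guest = PEP("pep-branch"), PEP("pep-dc"), PEP("pep-guest")   # guest is not in the group
    mgmt = MAP(Policy("finance-to-dc", frozenset({"pep-branch", "pep-dc"}), (("10.1.0.0/16", "10.2.0.0/16", 0),), 32))
    mgmt.push(KAP([branch, dc, guest]))
    kind, wire = branch.outbound(("10.1.0.5", "10.2.0.9", 6, b"GET /ledger"))
    clear_kind, _ = branch.outbound(("10.1.0.5", "192.0.2.1", 17, b"dns query"))
    return {"kind": kind, "clear": clear_kind,
            "roundtrip": dc.inbound(wire) == b"GET /ledger",
            "replayed": dc.inbound(wire),                               # same seq again: dropped
            "tampered": dc.inbound(wire[:-1] + bytes([wire[-1] ^ 1])),  # tag check fails: dropped
            "guest": guest.inbound(wire)}                               # no SA for the SPI: dropped
```

Two design points worth noting against the claims. The KAP, not the PEP, decides who receives a policy's keys, so a PEP outside the group (the "guest" above) cannot decrypt the traffic even if it sees every datagram, which is how group membership in claims 2 and 3 actually becomes an enforceable boundary. And because the keystream nonce is SPI plus sequence number, the sequence counter doubles as the rekey trigger: exhausting it must raise, not wrap, since a repeated nonce under the same key leaks the XOR of two payloads.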

Applications Claiming Priority (6)

Application Number  Priority Date  Filing Date  Title
US83741006P  2006-08-11  2006-08-11
US60/837,410  2006-08-11
US11/649,336 (US20070186281A1)  2006-01-06  2007-01-03  Securing network traffic using distributed key generation and dissemination over secure tunnels
US11/649,336  2007-01-03
US11/880,890 (US8082574B2)  2006-08-11  2007-07-23  Enforcing security groups in network of data processors
US11/880,890  2007-07-23

Publications (3)

Publication Number Publication Date
WO2008021159A2 WO2008021159A2 (en) 2008-02-21
WO2008021159A3 WO2008021159A3 (en) 2008-10-16
WO2008021159B1 WO2008021159B1 (en) 2008-11-20

Family

ID=39082588

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/017686 WO2008021159A2 (en) 2006-08-11 2007-08-09 Enforcing security groups in network of data processors

Country Status (1)

Country Link
WO (1) WO2008021159A2 (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020069356A1 (en) * 2000-06-12 2002-06-06 Kwang Tae Kim Integrated security gateway apparatus
US7120156B2 (en) * 2001-07-16 2006-10-10 Telefonaktiebolaget Lm Ericsson (Publ) Policy information transfer in 3GPP networks
US7191331B2 (en) * 2002-06-13 2007-03-13 Nvidia Corporation Detection of support for security protocol and address translation integration
US7779247B2 (en) * 2003-01-09 2010-08-17 Jericho Systems Corporation Method and system for dynamically implementing an enterprise resource policy
US20050102514A1 (en) * 2003-11-10 2005-05-12 Telefonaktiebolaget Lm Ericsson (Publ) Method, apparatus and system for pre-establishing secure communication channels

Also Published As

Publication number Publication date
WO2008021159A2 (en) 2008-02-21
WO2008021159A3 (en) 2008-10-16

Similar Documents

Publication Publication Date Title
CN110069918B (en) Efficient double-factor cross-domain authentication method based on block chain technology
CN103427998B (en) The authentication of a kind of Internet data distribution and data ciphering method
CN101094394A (en) Method for guaranteeing safe transmission of video data, and video monitoring system
DE102018216915A1 (en) System and method for secure communications between controllers in a vehicle network
EP2544117A1 (en) Method and system for sharing or storing personal data without loss of privacy
WO2016061819A1 (en) Resource access method and apparatus
CN104063334A (en) Encryption method and system based on data attributions
CN103634265B (en) Method, equipment and the system of safety certification
IL158309A (en) Centralized network control
CN108259407B (en) Symmetric encryption method and system based on timestamp
CN103684798B (en) Authentication method used in distributed user service
CN105072125A (en) HTTP communication system and method
CA2403488A1 (en) Automatic identity protection system with remote third party monitoring
CN108174151A (en) Video monitoring system and control method, the call method of video information
CN113872760A (en) SM9 key infrastructure and security system
CN1917424A (en) Method for upgrading function of creditable calculation modules
CN104125239A (en) Network authentication method and system based on data link encryption transmission
CN116545706B (en) Data security transmission control system, method and device and electronic equipment
CN106992978A (en) Network safety managing method and server
CN113922974A (en) Information processing method and system, front end, server and storage medium
CN113055160B (en) Intelligent education safety protection method and system based on Kerberos identity authentication protocol
US9419800B2 (en) Secure network systems and methods
CN112069487B (en) Intelligent equipment network communication safety implementation method based on Internet of things
KR20140004703A (en) Controlled security domains
CN111132136B (en) Mobile application information security system application system

Legal Events

Date  Code  Title  Description
121  EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 07836644; country of ref document: EP; kind code of ref document: A2
NENP  Non-entry into the national phase in: DE
NENP  Non-entry into the national phase in: RU
122  EP: PCT application non-entry in European phase. Ref document number: 07836644; country of ref document: EP; kind code of ref document: A2