WO2007106687A3 - Role aware network security enforcement - Google Patents
- Publication number
- WO2007106687A3 (PCT application PCT/US2007/063458)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- binding
- filter node
- user
- source address
- roles
- Prior art date
Classifications (CPC)
- H04L63/0263 — Rule management (under H04L63/0227 Filtering policies; H04L63/02 Network security for separating internal from external traffic, e.g. firewalls; H04L63/00 Network architectures or network communication protocols for network security)
- H04L61/5076 — Update or notification mechanisms, e.g. DynDNS (under H04L61/50 Address allocation; H04L61/00 Network arrangements, protocols or services for addressing or naming)
- H04L63/101 — Access control lists [ACL] (under H04L63/10 Network security for controlling access to devices or network resources; H04L63/00)
- H04L63/102 — Entity profiles (under H04L63/10; H04L63/00)
- H04L63/20 — Managing network security; network security policies in general (under H04L63/00)
- H04W12/088 — Access security using filters or firewalls (under H04W12/08 Access security; H04W12/00 Security arrangements, authentication, protecting privacy or anonymity; H04W Wireless communication networks)
- H04L63/0236 — Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/0227 Filtering policies; H04L63/02; H04L63/00)

All H04L and H04W entries sit under H—Electricity › H04—Electric communication technique (H04L—Transmission of digital information, e.g. telegraphic communication).
Abstract
Generating a binding between a source address and one or more roles of a user (102) accessing the network (108), and distributing the binding to a filter node (140). The source address is the address currently assigned to the user's device (104). The binding may be generated by one or more nodes on the ingress path used during authentication of the user (102). The binding may be distributed to the filter node (140) on demand or without any request from the filter node (140). Responsive to a determination that the user (102) is associated with a new source address, a new binding is generated that associates the new source address with the one or more roles of the user, and the new binding is distributed to the filter node (140). Another aspect is a method of enforcing a role-based security policy at a filter node (140) using bindings of source addresses to roles.
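The abstract describes three moving parts: an ingress/authentication node that learns which roles a user holds and which source address the user's device currently has, a distribution step that pushes the (source address → roles) binding to one or more filter nodes, and a filter node that evaluates packets against a role-based policy by looking the packet's source address up in its binding table. The toy model below is an added illustration, not code from the patent or its assignee; the class and function names (`IngressNode`, `FilterNode`, `Binding`, `Packet`, `run_scenario`), the sample users, addresses and policy rules are all constructed for the example. It also shows the address-change case from the abstract: when a user's device gets a new address, the old binding is revoked and a new one is pushed, so the old address immediately loses the user's roles.

```python
"""Toy model of role-aware enforcement by source-address bindings.

Constructed example (not the patent's implementation): an ingress node binds
the source address currently assigned to a user's device to that user's
roles, pushes the binding to filter nodes, and each filter node enforces a
role-based policy on packets by looking up the packet's source address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Binding:
    source: str          # source address currently assigned to the device
    user: str
    roles: frozenset     # roles the user held at authentication time


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class FilterNode:
    """Enforcement point: policy is a list of (role, dst_network, dport, action)
    rules evaluated in order; a packet from an address with no binding has no
    roles and is denied by default."""

    def __init__(self, policy):
        self.policy = policy
        self.bindings = {}   # source address -> Binding

    def install(self, binding: Binding):
        self.bindings[binding.source] = binding

    def revoke(self, source: str):
        self.bindings.pop(source, None)

    def decide(self, pkt: Packet) -> str:
        binding = self.bindings.get(pkt.src)
        if binding is None:
            return "deny"    # unbound source: default deny
        dst = ip_address(pkt.dst)
        for role, dst_net, dport, action in self.policy:
            if role in binding.roles and dst in dst_net and (dport is None or dport == pkt.dport):
                return action
        return "deny"        # no matching rule for any of the user's roles


class IngressNode:
    """Authentication-path node: knows user -> roles (stand-in for an AAA/
    directory lookup) and pushes bindings to every filter node unsolicited."""

    def __init__(self, directory, filters):
        self.directory = directory
        self.filters = filters
        self.current = {}    # user -> source address currently bound

    def authenticate(self, user: str, source: str) -> Binding:
        binding = Binding(source, user, frozenset(self.directory[user]))
        self.current[user] = source
        for f in self.filters:
            f.install(binding)
        return binding

    def address_changed(self, user: str, new_source: str) -> Binding:
        # Revoke the stale binding first so the old address cannot keep (or
        # hand a later tenant of that address) this user's roles.
        old = self.current.get(user)
        if old is not None:
            for f in self.filters:
                f.revoke(old)
        return self.authenticate(user, new_source)


def run_scenario() -> dict:
    """Constructed scenario; returns the filter node's decisions keyed by step."""
    policy = [
        ("engineer", ip_network("10.0.2.0/24"), 22, "permit"),    # engineers may SSH to lab
        ("employee", ip_network("10.0.1.0/24"), 443, "permit"),   # everyone may reach intranet HTTPS
    ]
    fn = FilterNode(policy)
    ingress = IngressNode({"alice": {"employee", "engineer"}, "bob": {"employee"}}, [fn])
    out = {}
    ingress.authenticate("alice", "10.0.9.5")
    ingress.authenticate("bob", "10.0.9.6")
    out["alice_ssh_lab"] = fn.decide(Packet("10.0.9.5", "10.0.2.7", 22))
    out["bob_ssh_lab"] = fn.decide(Packet("10.0.9.6", "10.0.2.7", 22))
    out["bob_intranet"] = fn.decide(Packet("10.0.9.6", "10.0.1.3", 443))
    out["unbound_src"] = fn.decide(Packet("10.0.9.99", "10.0.1.3", 443))
    # alice's device is renumbered (e.g. DHCP renewal or roaming): rebind.
    ingress.address_changed("alice", "10.0.9.50")
    out["alice_old_addr"] = fn.decide(Packet("10.0.9.5", "10.0.2.7", 22))
    out["alice_new_addr"] = fn.decide(Packet("10.0.9.50", "10.0.2.7", 22))
    return out


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step:16s} {decision}")
```

Two points the model makes visible. First, the filter node never sees a username or credential; it trusts that whoever sends from a bound source address is the bound user, so the scheme is only as strong as the network's anti-spoofing controls (ingress filtering at the access layer, and keeping the address assignment itself authenticated). Second, revocation on address change is not optional: if the old binding were left in place, a different device later assigned 10.0.9.5 would inherit alice's roles until the entry aged out.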
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP07758046.2A EP1994673B1 (en) | 2006-03-10 | 2007-03-07 | Role aware network security enforcement |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/373,727 US7814311B2 (en) | 2006-03-10 | 2006-03-10 | Role aware network security enforcement |
US11/373,727 | 2006-03-10 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2007106687A2 (en) | 2007-09-20 |
WO2007106687A3 (en) | 2008-10-30 |
Family
ID=38480298
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2007/063458 WO2007106687A2 (en) | 2006-03-10 | 2007-03-07 | Role aware network security enforcement |
Country Status (3)
Country | Link |
---|---|
US (2) | US7814311B2 (en) |
EP (1) | EP1994673B1 (en) |
WO (1) | WO2007106687A2 (en) |
Families Citing this family (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8769604B2 (en) * | 2006-05-15 | 2014-07-01 | Oracle International Corporation | System and method for enforcing role membership removal requirements |
US8418241B2 (en) * | 2006-11-14 | 2013-04-09 | Broadcom Corporation | Method and system for traffic engineering in secured networks |
US8561166B2 (en) * | 2007-01-07 | 2013-10-15 | Alcatel Lucent | Efficient implementation of security applications in a networked environment |
US7792942B1 (en) * | 2007-01-31 | 2010-09-07 | Alcatel Lucent | DHCP server synchronization with DHCP proxy |
US8281371B1 (en) * | 2007-04-30 | 2012-10-02 | Juniper Networks, Inc. | Authentication and authorization in network layer two and network layer three |
US20080295145A1 (en) * | 2007-05-23 | 2008-11-27 | Motorola, Inc. | Identifying non-orthogonal roles in a role based access control system |
US8606887B2 (en) * | 2007-06-13 | 2013-12-10 | Qualcomm Incorporated | Method and apparatus for verification of dynamic host configuration protocol (DHCP) release message |
CN101378358B (en) * | 2008-09-19 | 2010-12-15 | 成都市华为赛门铁克科技有限公司 | Method, system and server for safety access control |
CN101741817B (en) * | 2008-11-21 | 2013-02-13 | 中国移动通信集团安徽有限公司 | System, device and method for multi-network integration |
US8042150B2 (en) * | 2008-12-08 | 2011-10-18 | Motorola Mobility, Inc. | Automatic generation of policies and roles for role based access control |
US8086713B2 (en) * | 2009-01-28 | 2011-12-27 | Juniper Networks, Inc. | Determining a subscriber device has failed gracelessly without issuing a DHCP release message and automatically releasing resources reserved for the subscriber device within a broadband network upon determining that another subscriber device requesting the reservation of a network address has the same context information as the failed subscriber device |
US8285875B2 (en) * | 2009-01-28 | 2012-10-09 | Juniper Networks, Inc. | Synchronizing resource bindings within computer network |
US9032478B2 (en) | 2009-01-29 | 2015-05-12 | Hewlett-Packard Development Company, L.P. | Managing security in a network |
US8826366B2 (en) * | 2010-07-15 | 2014-09-02 | Tt Government Solutions, Inc. | Verifying access-control policies with arithmetic quantifier-free form constraints |
US8260902B1 (en) | 2010-01-26 | 2012-09-04 | Juniper Networks, Inc. | Tunneling DHCP options in authentication messages |
US8560658B2 (en) * | 2010-03-23 | 2013-10-15 | Juniper Networks, Inc. | Managing distributed address pools within network devices |
US8631100B2 (en) | 2010-07-20 | 2014-01-14 | Juniper Networks, Inc. | Automatic assignment of hardware addresses within computer networks |
US9363290B2 (en) * | 2010-09-27 | 2016-06-07 | Nec Corporation | Access control information generating system |
US8782211B1 (en) | 2010-12-21 | 2014-07-15 | Juniper Networks, Inc. | Dynamically scheduling tasks to manage system load |
RU2013143020A (en) * | 2011-02-21 | 2015-03-27 | Нек Корпорейшн | COMMUNICATION SYSTEM, DATABASE, CONTROL DEVICE, COMMUNICATION METHOD AND PROGRAM |
US8881258B2 (en) * | 2011-08-24 | 2014-11-04 | Mcafee, Inc. | System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy |
CN107730240B (en) * | 2011-09-09 | 2021-03-26 | 成都天钥科技有限公司 | Multi-factor multi-channel ID authentication and transaction control and multi-option payment system and method |
US8887243B2 (en) | 2012-01-30 | 2014-11-11 | Cisco Technology, Inc. | Integrated security platform |
US8886230B2 (en) * | 2012-08-08 | 2014-11-11 | Intel Corporation | Systems and methods for service set identifier-based location detection |
US9197498B2 (en) | 2012-08-31 | 2015-11-24 | Cisco Technology, Inc. | Method for automatically applying access control policies based on device types of networked computing devices |
US9154507B2 (en) * | 2012-10-15 | 2015-10-06 | International Business Machines Corporation | Automated role and entitlements mining using network observations |
US20160080316A1 (en) * | 2013-04-15 | 2016-03-17 | Nokia Solutions And Networks Oy | Subscriber Identification and Provisioning in IP Translation Environments |
US9712489B2 (en) | 2014-07-29 | 2017-07-18 | Aruba Networks, Inc. | Client device address assignment following authentication |
US20180139231A1 (en) * | 2015-06-10 | 2018-05-17 | Telefonaktiebolaget L M Ericsson (Publ) | Protecting iaps from ddos attacks |
US10992637B2 (en) | 2018-07-31 | 2021-04-27 | Juniper Networks, Inc. | Detecting hardware address conflicts in computer networks |
US11165744B2 (en) | 2018-12-27 | 2021-11-02 | Juniper Networks, Inc. | Faster duplicate address detection for ranges of link local addresses |
US10931628B2 (en) | 2018-12-27 | 2021-02-23 | Juniper Networks, Inc. | Duplicate address detection for global IP address or range of link local IP addresses |
CN111756630B (en) * | 2019-03-29 | 2022-06-17 | 中央电视台 | Method and device for realizing co-cutting of matrixes |
US10965637B1 (en) | 2019-04-03 | 2021-03-30 | Juniper Networks, Inc. | Duplicate address detection for ranges of global IP addresses |
US11552927B1 (en) | 2021-10-08 | 2023-01-10 | Hewlett Packard Enterprise Development Lp | Dynamic host configuration protocol lease allotment |
US20240039956A1 (en) * | 2022-07-28 | 2024-02-01 | Cisco Technology, Inc. | Identity-based policy enforcement in wide area networks |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030126468A1 (en) * | 2001-05-25 | 2003-07-03 | Markham Thomas R. | Distributed firewall system and method |
US20040199792A1 (en) * | 2002-11-04 | 2004-10-07 | Godfrey Tan | Role grouping |
US20050283608A1 (en) * | 2004-06-17 | 2005-12-22 | International Business Machines Corporation | User controlled anonymity when evaluating into a role |
Family Cites Families (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6092110A (en) * | 1997-10-23 | 2000-07-18 | At&T Wireless Svcs. Inc. | Apparatus for filtering packets using a dedicated processor |
US6073242A (en) * | 1998-03-19 | 2000-06-06 | Agorics, Inc. | Electronic authority server |
US6985953B1 (en) * | 1998-11-30 | 2006-01-10 | George Mason University | System and apparatus for storage and transfer of secure data on web |
US7020697B1 (en) * | 1999-10-01 | 2006-03-28 | Accenture Llp | Architectures for netcentric computing systems |
US20020026592A1 (en) * | 2000-06-16 | 2002-02-28 | Vdg, Inc. | Method for automatic permission management in role-based access control systems |
KR100422327B1 (en) * | 2001-03-09 | 2004-03-10 | 문지환 | Realtime Control System and Method of User Browser |
US6914894B2 (en) * | 2001-05-23 | 2005-07-05 | Pemstar, Inc. | Role-based IP multicast addressing in a wireless LAN |
US7130839B2 (en) * | 2001-05-29 | 2006-10-31 | Sun Microsystems, Inc. | Method and system for grouping entries in a directory server by group memberships defined by roles |
US7020796B1 (en) * | 2001-07-27 | 2006-03-28 | Ciena Corporation | High availability communication system |
GB2381423B (en) * | 2001-10-26 | 2004-09-15 | Ericsson Telefon Ab L M | Addressing mechanisms in mobile IP |
US7054944B2 (en) * | 2001-12-19 | 2006-05-30 | Intel Corporation | Access control management system utilizing network and application layer access control lists |
US6990592B2 (en) * | 2002-02-08 | 2006-01-24 | Enterasys Networks, Inc. | Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users |
US7855972B2 (en) * | 2002-02-08 | 2010-12-21 | Enterasys Networks, Inc. | Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules |
US6892309B2 (en) * | 2002-02-08 | 2005-05-10 | Enterasys Networks, Inc. | Controlling usage of network resources by a user at the user's entry point to a communications network based on an identity of the user |
JP2004015143A (en) * | 2002-06-04 | 2004-01-15 | Fujitsu Ltd | Hand-over method in mobile communication system and router used for the mobile communication system |
US7308706B2 (en) * | 2002-10-28 | 2007-12-11 | Secure Computing Corporation | Associative policy model |
US7461404B2 (en) * | 2002-11-04 | 2008-12-02 | Mazu Networks, Inc. | Detection of unauthorized access in a network |
US8479057B2 (en) * | 2002-11-04 | 2013-07-02 | Riverbed Technology, Inc. | Aggregator for connection based anomaly detection |
US7664963B2 (en) * | 2002-11-04 | 2010-02-16 | Riverbed Technology, Inc. | Data collectors in connection-based intrusion detection |
US7292585B1 (en) * | 2002-12-20 | 2007-11-06 | Symantec Operating Corporation | System and method for storing and utilizing routing information in a computer network |
US7467194B1 (en) * | 2002-12-20 | 2008-12-16 | Symantec Operating Corporation | Re-mapping a location-independent address in a computer network |
US7406535B2 (en) * | 2002-12-20 | 2008-07-29 | Symantec Operating Corporation | Role-based message addressing for a computer network |
US7899934B2 (en) * | 2003-03-31 | 2011-03-01 | Symantec Corporation | Handling un-partitioning of a computer network |
US7530112B2 (en) * | 2003-09-10 | 2009-05-05 | Cisco Technology, Inc. | Method and apparatus for providing network security using role-based access control |
JP2005122831A (en) | 2003-10-17 | 2005-05-12 | Alps Electric Co Ltd | Magnetic head |
US7555527B1 (en) * | 2003-11-07 | 2009-06-30 | Symantec Operating Corporation | Efficiently linking storage object replicas in a computer network |
US8146148B2 (en) * | 2003-11-19 | 2012-03-27 | Cisco Technology, Inc. | Tunneled security groups |
US20050190758A1 (en) * | 2004-03-01 | 2005-09-01 | Cisco Technology, Inc. | Security groups for VLANs |
US7669244B2 (en) * | 2004-10-21 | 2010-02-23 | Cisco Technology, Inc. | Method and system for generating user group permission lists |
US7680955B2 (en) * | 2004-12-01 | 2010-03-16 | George Mason Intellectual Properties, Inc. | SCIT-DNS: critical infrastructure protection through secure DNS server dynamic updates |
EP1849267B1 (en) * | 2005-02-14 | 2009-01-14 | Telefonaktiebolaget LM Ericsson (publ) | Method and nodes for performing bridging of data traffic over an access domain |
US7813511B2 (en) * | 2005-07-01 | 2010-10-12 | Cisco Technology, Inc. | Facilitating mobility for a mobile station |
Events
- 2006-03-10: US application US11/373,727 filed (granted as US7814311B2); status: not active, expired (fee related)
- 2007-03-07: PCT application PCT/US2007/063458 filed (published as WO2007106687A2); status: active, application filing
- 2007-03-07: EP application EP07758046.2A filed (granted as EP1994673B1); status: active
- 2010-08-25: US application US12/868,696 filed (granted as US8156325B2); status: active
Also Published As
Publication number | Publication date |
---|---|
EP1994673B1 (en) | 2014-11-12 |
EP1994673A2 (en) | 2008-11-26 |
US8156325B2 (en) | 2012-04-10 |
EP1994673A4 (en) | 2011-12-28 |
US7814311B2 (en) | 2010-10-12 |
WO2007106687A2 (en) | 2007-09-20 |
US20100322241A1 (en) | 2010-12-23 |
US20070214352A1 (en) | 2007-09-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2007106687A3 (en) | Role aware network security enforcement | |
WO2006068969A3 (en) | Method and device for publishing cross-network user behavioral data | |
WO2008076520A3 (en) | Digital rights management copy sharing system and method | |
WO2007044613A3 (en) | Apparatus system and method for real-time migration of data related to authentication | |
WO2007126835A3 (en) | Managing communications between computing nodes | |
GB2447390A (en) | Hierarchical trust based posture reporting and policy enforcement | |
WO2009091492A3 (en) | Preventing secure data from leaving a network perimeter | |
WO2010056936A3 (en) | Network nodes and methods for data authorization in distributed storage networks | |
WO2005062989A3 (en) | Authentication system for networked computer applications | |
WO2006117555A3 (en) | Digital rights management | |
WO2007040696A3 (en) | Content access rights management | |
WO2004003686A3 (en) | Single system user identity | |
WO2007131003A3 (en) | Location-specific content communication system | |
WO2005059717A3 (en) | Certificate based digital rights management | |
WO2006118829A3 (en) | Preventing fraudulent internet account access | |
WO2006124411A3 (en) | A digital publication system and apparatus | |
WO2007143312A8 (en) | Proactive credential distribution | |
WO2008017008A3 (en) | Systems and methods for policy based triggering of client-authentication of directory level granularity | |
WO2007021345A3 (en) | System and method for authenticating internetwork resource requests | |
WO2003058411A1 (en) | Content delivery method and content delivery system | |
TW200620930A (en) | Stsyem and method for managing access to protected content by untrusted applications | |
WO2008110955A3 (en) | Applying policies for managing a service flow | |
WO2007103449A3 (en) | System and method for generating a unified accounting record for a communication session | |
WO2007070273A3 (en) | Method and apparatus for selecting a codec in a packet-switched communication network | |
WO2006065633A3 (en) | Method and device for digital rights management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 07758046; Country of ref document: EP; Kind code of ref document: A2 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | WIPO information: entry into national phase | Ref document number: 2007758046; Country of ref document: EP |