WO2007106687A3 - Role aware network security enforcement - Google Patents

Info

Publication number
WO2007106687A3
Authority
WO
WIPO (PCT)
Prior art keywords
binding
filter node
user
source address
roles
Prior art date
Application number
PCT/US2007/063458
Other languages
French (fr)
Other versions
WO2007106687A2 (en)
Inventor
Sean Convery
David R Oran
James Rivers
John Schnizlein
Ralph Droms
Mark Stapp
Original Assignee
Cisco Tech Inc
Sean Convery
David R Oran
James Rivers
John Schnizlein
Ralph Droms
Mark Stapp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2006-03-10
Filing date
2007-03-07
Publication date
2008-10-30
Application filed by
Cisco Tech Inc, Sean Convery, David R Oran, James Rivers, John Schnizlein, Ralph Droms, Mark Stapp
Priority to
EP07758046.2A (EP1994673B1)
Publication of
WO2007106687A2, WO2007106687A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/0263 Rule management
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/102 Entity profiles
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation
    • H04L 61/5076 Update or notification mechanisms, e.g. DynDNS
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/088 Access security using filters or firewalls

Abstract

Generating a binding between a source address and one or more roles of a user (102) accessing the network (108) and distributing the binding to a filter node (140). The source address is currently assigned to the device (104). The binding may be generated by one or more nodes on an ingress path used during authentication of the user (102). The binding may be distributed to the filter node (140) on demand or without any request from the filter node (140). Responsive to a determination that the user (102) is associated with a new source address, a new binding is generated to associate the new source address with the one or more roles for the user. The new binding is distributed to the filter node (140). Another aspect is a method of enforcing a role based security policy at a filter node (140), using bindings of source addresses to roles.
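A minimal model of the mechanism the abstract describes, added here as an illustration and not code from the patent or from Cisco: an ingress-path node generates the address-to-roles binding at authentication, pushes it to a filter node (or answers a filter node's on-demand lookup), and replaces it when the user's address changes; the filter node then decides per packet from the binding alone. The `IngressNode` and `FilterNode` classes, the policy, the service names and the addresses are all constructed for this example, and an address with no binding is treated as having no roles.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    user: str
    source_address: str   # address currently assigned to the user's device
    roles: frozenset      # roles learned when the user authenticated


class IngressNode:
    """Hypothetical ingress-path node: learns roles at authentication, pushes bindings."""

    def __init__(self, push_targets):
        self.push_targets = list(push_targets)
        self.current = {}  # user -> Binding currently in force

    def authenticate(self, user, roles, address):
        return self._bind(user, frozenset(roles), address)

    def address_changed(self, user, new_address):
        # Roles are unchanged; only the address moved (lease renewal, roaming, ...).
        return self._bind(user, self.current[user].roles, new_address)

    def _bind(self, user, roles, address):
        old = self.current.get(user)
        new = Binding(user, address, roles)
        self.current[user] = new
        for node in self.push_targets:  # distribution without any request from the filter node
            if old is not None:
                node.revoke(old)  # a stale binding would hand the roles to whoever next gets that address
            node.install(new)
        return new

    def lookup(self, address):
        """Serves on-demand requests from filter nodes that were not pushed to."""
        return next((b for b in self.current.values() if b.source_address == address), None)


class FilterNode:
    """Enforces a role-based policy using source-address-to-roles bindings."""

    def __init__(self, policy, ingress=None):
        self.policy = policy    # role -> set of permitted services (constructed example policy)
        self.bindings = {}      # source address -> Binding
        self.ingress = ingress  # where to pull a missing binding from, if anywhere

    def install(self, binding): self.bindings[binding.source_address] = binding
    def revoke(self, binding): self.bindings.pop(binding.source_address, None)

    def decide(self, src, service):
        binding = self.bindings.get(src)
        if binding is None and self.ingress is not None:
            binding = self.ingress.lookup(src)  # on-demand distribution
            if binding is not None:
                self.install(binding)
        if binding is None:
            return "deny"  # fail closed: no role is known for this source address
        return "permit" if any(service in self.policy.get(r, ()) for r in binding.roles) else "deny"
```

The revoke-before-install order in `_bind` is the part worth checking in any real implementation: once the user moves, the old address must stop carrying the user's roles before another device can be assigned it.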

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP07758046.2A EP1994673B1 (en) 2006-03-10 2007-03-07 Role aware network security enforcement

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/373,727 US7814311B2 (en) 2006-03-10 2006-03-10 Role aware network security enforcement
US11/373,727 2006-03-10

Publications (2)

Publication Number Publication Date
WO2007106687A2 (en) 2007-09-20
WO2007106687A3 (en) 2008-10-30

Family

ID=38480298

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/063458 WO2007106687A2 (en) 2006-03-10 2007-03-07 Role aware network security enforcement

Country Status (3)

Country Link
US (2) US7814311B2 (en)
EP (1) EP1994673B1 (en)
WO (1) WO2007106687A2 (en)

Families Citing this family (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8769604B2 (en) * 2006-05-15 2014-07-01 Oracle International Corporation System and method for enforcing role membership removal requirements
US8418241B2 (en) * 2006-11-14 2013-04-09 Broadcom Corporation Method and system for traffic engineering in secured networks
US8561166B2 (en) * 2007-01-07 2013-10-15 Alcatel Lucent Efficient implementation of security applications in a networked environment
US7792942B1 (en) * 2007-01-31 2010-09-07 Alcatel Lucent DHCP server synchronization with DHCP proxy
US8281371B1 (en) * 2007-04-30 2012-10-02 Juniper Networks, Inc. Authentication and authorization in network layer two and network layer three
US20080295145A1 (en) * 2007-05-23 2008-11-27 Motorola, Inc. Identifying non-orthogonal roles in a role based access control system
US8606887B2 (en) * 2007-06-13 2013-12-10 Qualcomm Incorporated Method and apparatus for verification of dynamic host configuration protocol (DHCP) release message
CN101378358B (en) * 2008-09-19 2010-12-15 成都市华为赛门铁克科技有限公司 Method, system and server for safety access control
CN101741817B (en) * 2008-11-21 2013-02-13 中国移动通信集团安徽有限公司 System, device and method for multi-network integration
US8042150B2 (en) * 2008-12-08 2011-10-18 Motorola Mobility, Inc. Automatic generation of policies and roles for role based access control
US8086713B2 (en) * 2009-01-28 2011-12-27 Juniper Networks, Inc. Determining a subscriber device has failed gracelessly without issuing a DHCP release message and automatically releasing resources reserved for the subscriber device within a broadband network upon determining that another subscriber device requesting the reservation of a network address has the same context information as the failed subscriber device
US8285875B2 (en) * 2009-01-28 2012-10-09 Juniper Networks, Inc. Synchronizing resource bindings within computer network
US9032478B2 (en) 2009-01-29 2015-05-12 Hewlett-Packard Development Company, L.P. Managing security in a network
US8826366B2 (en) * 2010-07-15 2014-09-02 Tt Government Solutions, Inc. Verifying access-control policies with arithmetic quantifier-free form constraints
US8260902B1 (en) 2010-01-26 2012-09-04 Juniper Networks, Inc. Tunneling DHCP options in authentication messages
US8560658B2 (en) * 2010-03-23 2013-10-15 Juniper Networks, Inc. Managing distributed address pools within network devices
US8631100B2 (en) 2010-07-20 2014-01-14 Juniper Networks, Inc. Automatic assignment of hardware addresses within computer networks
US9363290B2 (en) * 2010-09-27 2016-06-07 Nec Corporation Access control information generating system
US8782211B1 (en) 2010-12-21 2014-07-15 Juniper Networks, Inc. Dynamically scheduling tasks to manage system load
RU2013143020A (en) * 2011-02-21 2015-03-27 Нек Корпорейшн COMMUNICATION SYSTEM, DATABASE, CONTROL DEVICE, COMMUNICATION METHOD AND PROGRAM
US8881258B2 (en) * 2011-08-24 2014-11-04 Mcafee, Inc. System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy
CN107730240B (en) * 2011-09-09 2021-03-26 成都天钥科技有限公司 Multi-factor multi-channel ID authentication and transaction control and multi-option payment system and method
US8887243B2 (en) 2012-01-30 2014-11-11 Cisco Technology, Inc. Integrated security platform
US8886230B2 (en) * 2012-08-08 2014-11-11 Intel Corporation Systems and methods for service set identifier-based location detection
US9197498B2 (en) 2012-08-31 2015-11-24 Cisco Technology, Inc. Method for automatically applying access control policies based on device types of networked computing devices
US9154507B2 (en) * 2012-10-15 2015-10-06 International Business Machines Corporation Automated role and entitlements mining using network observations
US20160080316A1 (en) * 2013-04-15 2016-03-17 Nokia Solutions And Networks Oy Subscriber Identification and Provisioning in IP Translation Environments
US9712489B2 (en) 2014-07-29 2017-07-18 Aruba Networks, Inc. Client device address assignment following authentication
US20180139231A1 (en) * 2015-06-10 2018-05-17 Telefonaktiebolaget L M Ericsson (Publ) Protecting iaps from ddos attacks
US10992637B2 (en) 2018-07-31 2021-04-27 Juniper Networks, Inc. Detecting hardware address conflicts in computer networks
US11165744B2 (en) 2018-12-27 2021-11-02 Juniper Networks, Inc. Faster duplicate address detection for ranges of link local addresses
US10931628B2 (en) 2018-12-27 2021-02-23 Juniper Networks, Inc. Duplicate address detection for global IP address or range of link local IP addresses
CN111756630B (en) * 2019-03-29 2022-06-17 中央电视台 Method and device for realizing co-cutting of matrixes
US10965637B1 (en) 2019-04-03 2021-03-30 Juniper Networks, Inc. Duplicate address detection for ranges of global IP addresses
US11552927B1 (en) 2021-10-08 2023-01-10 Hewlett Packard Enterprise Development Lp Dynamic host configuration protocol lease allotment
US20240039956A1 (en) * 2022-07-28 2024-02-01 Cisco Technology, Inc. Identity-based policy enforcement in wide area networks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030126468A1 (en) * 2001-05-25 2003-07-03 Markham Thomas R. Distributed firewall system and method
US20040199792A1 (en) * 2002-11-04 2004-10-07 Godfrey Tan Role grouping
US20050283608A1 (en) * 2004-06-17 2005-12-22 International Business Machines Corporation User controlled anonymity when evaluating into a role

Family Cites Families (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6092110A (en) * 1997-10-23 2000-07-18 At&T Wireless Svcs. Inc. Apparatus for filtering packets using a dedicated processor
US6073242A (en) * 1998-03-19 2000-06-06 Agorics, Inc. Electronic authority server
US6985953B1 (en) * 1998-11-30 2006-01-10 George Mason University System and apparatus for storage and transfer of secure data on web
US7020697B1 (en) * 1999-10-01 2006-03-28 Accenture Llp Architectures for netcentric computing systems
US20020026592A1 (en) * 2000-06-16 2002-02-28 Vdg, Inc. Method for automatic permission management in role-based access control systems
KR100422327B1 (en) * 2001-03-09 2004-03-10 문지환 Realtime Control System and Method of User Browser
US6914894B2 (en) * 2001-05-23 2005-07-05 Pemstar, Inc. Role-based IP multicast addressing in a wireless LAN
US7130839B2 (en) * 2001-05-29 2006-10-31 Sun Microsystems, Inc. Method and system for grouping entries in a directory server by group memberships defined by roles
US7020796B1 (en) * 2001-07-27 2006-03-28 Ciena Corporation High availability communication system
GB2381423B (en) * 2001-10-26 2004-09-15 Ericsson Telefon Ab L M Addressing mechanisms in mobile IP
US7054944B2 (en) * 2001-12-19 2006-05-30 Intel Corporation Access control management system utilizing network and application layer access control lists
US6990592B2 (en) * 2002-02-08 2006-01-24 Enterasys Networks, Inc. Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users
US7855972B2 (en) * 2002-02-08 2010-12-21 Enterasys Networks, Inc. Creating, modifying and storing service abstractions and role abstractions representing one or more packet rules
US6892309B2 (en) * 2002-02-08 2005-05-10 Enterasys Networks, Inc. Controlling usage of network resources by a user at the user's entry point to a communications network based on an identity of the user
JP2004015143A (en) * 2002-06-04 2004-01-15 Fujitsu Ltd Hand-over method in mobile communication system and router used for the mobile communication system
US7308706B2 (en) * 2002-10-28 2007-12-11 Secure Computing Corporation Associative policy model
US7461404B2 (en) * 2002-11-04 2008-12-02 Mazu Networks, Inc. Detection of unauthorized access in a network
US8479057B2 (en) * 2002-11-04 2013-07-02 Riverbed Technology, Inc. Aggregator for connection based anomaly detection
US7664963B2 (en) * 2002-11-04 2010-02-16 Riverbed Technology, Inc. Data collectors in connection-based intrusion detection
US7292585B1 (en) * 2002-12-20 2007-11-06 Symantec Operating Corporation System and method for storing and utilizing routing information in a computer network
US7467194B1 (en) * 2002-12-20 2008-12-16 Symantec Operating Corporation Re-mapping a location-independent address in a computer network
US7406535B2 (en) * 2002-12-20 2008-07-29 Symantec Operating Corporation Role-based message addressing for a computer network
US7899934B2 (en) * 2003-03-31 2011-03-01 Symantec Corporation Handling un-partitioning of a computer network
US7530112B2 (en) * 2003-09-10 2009-05-05 Cisco Technology, Inc. Method and apparatus for providing network security using role-based access control
JP2005122831A (en) 2003-10-17 2005-05-12 Alps Electric Co Ltd Magnetic head
US7555527B1 (en) * 2003-11-07 2009-06-30 Symantec Operating Corporation Efficiently linking storage object replicas in a computer network
US8146148B2 (en) * 2003-11-19 2012-03-27 Cisco Technology, Inc. Tunneled security groups
US20050190758A1 (en) * 2004-03-01 2005-09-01 Cisco Technology, Inc. Security groups for VLANs
US7669244B2 (en) * 2004-10-21 2010-02-23 Cisco Technology, Inc. Method and system for generating user group permission lists
US7680955B2 (en) * 2004-12-01 2010-03-16 George Mason Intellectual Properties, Inc. SCIT-DNS: critical infrastructure protection through secure DNS server dynamic updates
EP1849267B1 (en) * 2005-02-14 2009-01-14 Telefonaktiebolaget LM Ericsson (publ) Method and nodes for performing bridging of data traffic over an access domain
US7813511B2 (en) * 2005-07-01 2010-10-12 Cisco Technology, Inc. Facilitating mobility for a mobile station

Also Published As

Publication number Publication date
EP1994673B1 (en) 2014-11-12
EP1994673A2 (en) 2008-11-26
US8156325B2 (en) 2012-04-10
EP1994673A4 (en) 2011-12-28
US7814311B2 (en) 2010-10-12
WO2007106687A2 (en) 2007-09-20
US20100322241A1 (en) 2010-12-23
US20070214352A1 (en) 2007-09-13

Similar Documents

Publication Publication Date Title
WO2007106687A3 (en) Role aware network security enforcement
WO2006068969A3 (en) Method and device for publishing cross-network user behavioral data
WO2008076520A3 (en) Digital rights management copy sharing system and method
WO2007044613A3 (en) Apparatus system and method for real-time migration of data related to authentication
WO2007126835A3 (en) Managing communications between computing nodes
GB2447390A (en) Hierarchical trust based posture reporting and policy enforcement
WO2009091492A3 (en) Preventing secure data from leaving a network perimeter
WO2010056936A3 (en) Network nodes and methods for data authorization in distributed storage networks
WO2005062989A3 (en) Authentication system for networked computer applications
WO2006117555A3 (en) Digital rights management
WO2007040696A3 (en) Content access rights management
WO2004003686A3 (en) Single system user identity
WO2007131003A3 (en) Location-specific content communication system
WO2005059717A3 (en) Certificate based digital rights management
WO2006118829A3 (en) Preventing fraudulent internet account access
WO2006124411A3 (en) A digital publication system and apparatus
WO2007143312A8 (en) Proactive credential distribution
WO2008017008A3 (en) Systems and methods for policy based triggering of client-authentication of directory level granularity
WO2007021345A3 (en) System and method for authenticating internetwork resource requests
WO2003058411A1 (en) Content delivery method and content delivery system
TW200620930A (en) System and method for managing access to protected content by untrusted applications
WO2008110955A3 (en) Applying policies for managing a service flow
WO2007103449A3 (en) System and method for generating a unified accounting record for a communication session
WO2007070273A3 (en) Method and apparatus for selecting a codec in a packet-switched communication network
WO2006065633A3 (en) Method and device for digital rights management

Legal Events

Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 07758046; Country of ref document: EP; Kind code of ref document: A2)
NENP Non-entry into the national phase (Ref country code: DE)
WWE WIPO information: entry into national phase (Ref document number: 2007758046; Country of ref document: EP)