CA2335082A1 - Method and arrangement for implementing ipsec policy management using filter code - Google Patents
Method and arrangement for implementing ipsec policy management using filter code Download PDFInfo
- Publication number
- CA2335082A1 CA2335082A1 CA002335082A CA2335082A CA2335082A1 CA 2335082 A1 CA2335082 A1 CA 2335082A1 CA 002335082 A CA002335082 A CA 002335082A CA 2335082 A CA2335082 A CA 2335082A CA 2335082 A1 CA2335082 A1 CA 2335082A1
- Authority
- CA
- Canada
- Prior art keywords
- packet
- filter code
- processing
- processing system
- data processing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0464—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
A data processing system implements a security protocol based on processing data in packets. The data processing system comprises packet processing mean s (301) for storing filter code (304) and processing data packets according to stored filter code, and policy managing means (305) for generating filter co de and communicating generated filter code to the packet processing means (301) . The packet processing means (301) is arranged to examine, whether the stored filter code is applicable for processing a certain packet. If the stored filter code is not applicable for the processing of a packet, the packet is communicated to the policy managing means (305), which generates filter code applicable for the processing of the packet and communicates the generated filter code to the packet processing means (301).
Claims (20)
1. A data processing system for implementing a security protocol based on processing data in packets, characterized in that said data processing system comprises:
- packet processing means (308) for storing filter code (304) and processing data packets (301) according to stored filter code, and - policy managing means (305) for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine (503, 504, 505), whether the stored filter code is applicable for processing a certain packet, and to communicate (507) such packets for the processing of which the stored filter code is not applicable to said policy managing means, and said policy managing means is arranged to, as a response to receiving a packet from said packet processing means, either (508, 509) - generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means, or - process the packet by said policy managing means, or - process the packet by said policy managing means and generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means.
- packet processing means (308) for storing filter code (304) and processing data packets (301) according to stored filter code, and - policy managing means (305) for generating filter code and communicating generated filter code to said packet processing means, wherein said packet processing means is arranged to examine (503, 504, 505), whether the stored filter code is applicable for processing a certain packet, and to communicate (507) such packets for the processing of which the stored filter code is not applicable to said policy managing means, and said policy managing means is arranged to, as a response to receiving a packet from said packet processing means, either (508, 509) - generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means, or - process the packet by said policy managing means, or - process the packet by said policy managing means and generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means.
2. A data processing system according to claim 1, characterized in that it further comprises a policy database (306) for storing a plurality of policy rules, wherein said policy database is implemented as a part of said policy managing means (305).
3. A data processing system according to claim 2, characterized in that it further comprises key management means (307) for implementing the key management functions according to said security protocol, wherein said key management means is arranged to communicate with said policy managing means (305).
4. A data processing system according to claim 3, characterized in that said key management means (307) and said policy managing means (305) are arranged to generate and maintain a plurality of security associations as specific applications of said policy rules and key management functions to certain communications.
5. A data processing system according to claim 4, characterized in that said policy managing means (305) is arranged to generate filter code on the basis of the information contained within said policy rules and said security associations.
6. A data processing system according to claim 5, characterized in that said policy managing means (305) is arranged to communicate information about said security associations to said packet processing means (301) in addition to the generated filter code, and said packet processing means (301) is arranged to perform cryptographic transformations on packets, said cryptographic transformations being based on said filter code and said information about said security associations.
7. A data processing system according to claim 6, characterized in that said policy managing means (305) is arranged to communicate information about only a fraction of the security associations known to said policy managing means (305) to said packet processing means (301).
8. A data processing system according to claim 6, characterized in that said packet processing means (301) is arranged to store the filter code (304) separately from said information about said security associations.
9. A data processing system according to claim 1, characterized in that it further comprises packet intercepting means (303) for separating data packets for the processing of which said security protocol is applicable from a general stream of packets, wherein said packet intercepting means (303) is arranged to communicate with said packet processing means (301).
10. A data processing system according to claim 1, characterized in that it further comprises a kernel space (604) and a user-mode process space (605), wherein said packet processing means (301) resides in said kernel space (604) and said policy managing means (305) resides in said user-mode process space (605).
11. A data processing system according to claim 1, characterized in that it further comprises a kernel space (604) and a user-mode process space (605), wherein said packet processing means (301) and said policy managing means (305) reside in said user-mode process space (605).
12. A data processing system according to claim 1, characterized in that it further comprises at least two network interfaces (651, 652), wherein said packet processing means (301) is arranged to store separate filter cade for each network interface.
13. A data processing system according to claim 1, characterized in that said packet processing means (301) is arranged to process incoming and outgoing packets and store separate filter code for the processing of incoming and outgoing packets.
14. A data processing system according to claim 1, characterized in that said filter code does not contain any backward jumps.
15. A data processing system according to claim 1, characterized in that said filter code includes the operations of dropping a packet (504), passing a packet through (505), and referring the packet to the policy managing means (507).
16. A data processing system according to claim 15, characterized in that said filter code additionally includes the operation of applying a transformation to a packet (506).
17. A data processing system according to claim 1, characterized in that said packet processing means (301) is arranged to process packets in fragments, applying said filter code to the processing of the first fragment of a packet before receiving the other fragments and processing any remaining fragments of the packet separately using the actions determined for the first fragment.
18. A data processing system according to claim 17, characterized in that said filter code contains an instruction to require, as a response to receiving a fragment, a full packet before processing can continue.
19. A data processing system according to claim 1, characterized in that said filter code consists of actual compiled processor instructions.
20. A method for implementing a security protocol based on processing data in packets, characterized in that it comprises the steps of:
a) examining (502, 504, 505), whether a piece of stored filter code is applicable for processing a certain packet in a packet processing means, whereby a positive result means that a a piece of stored filter code is applicable for processing a certain packet and a negative result means that a piece of stored filter code is not applicable for processing a certain packet, b) following a positive result in step a), processing (503, 506) the packet in said packet processing means according to the stored filter code, 16~
c) following a negative result in step a), communicating (507) the packet into a policy managing means and examining (508), whether filter code should be generated and communicated to said packet processing means for the processing of the packet in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means, d) following a positive result in step c), generating (509) filter code applicable for the processing of the packet and communicating the generated filter code to said packet processing means, e) following a negative result in step c), examining, whether filter code should be generated and communicated to said packet processing means for the processing of further similar packets in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means, f) following a positive result in step e), processing the packet in the policy managing means and generating filter code applicable for the processing of further similar packet and communicating the generated filter code to said packet processing means, and g) following a negative result in step e), processing the packet in the policy managing means.
a) examining (502, 504, 505), whether a piece of stored filter code is applicable for processing a certain packet in a packet processing means, whereby a positive result means that a a piece of stored filter code is applicable for processing a certain packet and a negative result means that a piece of stored filter code is not applicable for processing a certain packet, b) following a positive result in step a), processing (503, 506) the packet in said packet processing means according to the stored filter code, 16~
c) following a negative result in step a), communicating (507) the packet into a policy managing means and examining (508), whether filter code should be generated and communicated to said packet processing means for the processing of the packet in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means, d) following a positive result in step c), generating (509) filter code applicable for the processing of the packet and communicating the generated filter code to said packet processing means, e) following a negative result in step c), examining, whether filter code should be generated and communicated to said packet processing means for the processing of further similar packets in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means, f) following a positive result in step e), processing the packet in the policy managing means and generating filter code applicable for the processing of further similar packet and communicating the generated filter code to said packet processing means, and g) following a negative result in step e), processing the packet in the policy managing means.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/100,272 | 1998-06-19 | ||
US09/100,272 US6253321B1 (en) | 1998-06-19 | 1998-06-19 | Method and arrangement for implementing IPSEC policy management using filter code |
PCT/FI1999/000536 WO1999067930A2 (en) | 1998-06-19 | 1999-06-18 | Method and arrangement for implementing ipsec policy management using filter code |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2335082A1 true CA2335082A1 (en) | 1999-12-29 |
CA2335082C CA2335082C (en) | 2009-11-17 |
Family
ID=22278931
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002335082A Expired - Lifetime CA2335082C (en) | 1998-06-19 | 1999-06-18 | Method and arrangement for implementing ipsec policy management using filter code |
Country Status (10)
Country | Link |
---|---|
US (1) | US6253321B1 (en) |
EP (1) | EP1145520B1 (en) |
JP (1) | JP4771390B2 (en) |
KR (1) | KR100641279B1 (en) |
AT (1) | ATE254371T1 (en) |
AU (1) | AU4786299A (en) |
CA (1) | CA2335082C (en) |
DE (1) | DE69912846T2 (en) |
IL (1) | IL140263A (en) |
WO (1) | WO1999067930A2 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101547203B (en) * | 2000-06-26 | 2015-08-05 | 英特尔公司 | Internet protocol security policies is used to set up network security |
Families Citing this family (178)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6158010A (en) | 1998-10-28 | 2000-12-05 | Crosslogix, Inc. | System and method for maintaining security in a distributed computer network |
US7673323B1 (en) | 1998-10-28 | 2010-03-02 | Bea Systems, Inc. | System and method for maintaining security in a distributed computer network |
US6418130B1 (en) * | 1999-01-08 | 2002-07-09 | Telefonaktiebolaget L M Ericsson (Publ) | Reuse of security associations for improving hand-over performance |
DE69937464T2 (en) * | 1999-01-14 | 2008-08-21 | Nokia Corp. | METHOD AND DEVICE FOR HEARING |
US6738377B1 (en) * | 1999-01-29 | 2004-05-18 | International Business Machines Corporation | System and method for dynamic micro placement of IP connection filters |
US7370348B1 (en) * | 1999-07-30 | 2008-05-06 | Intel Corporation | Technique and apparatus for processing cryptographic services of data in a network system |
US6754832B1 (en) * | 1999-08-12 | 2004-06-22 | International Business Machines Corporation | Security rule database searching in a network security environment |
US7023863B1 (en) * | 1999-10-29 | 2006-04-04 | 3Com Corporation | Apparatus and method for processing encrypted packets in a computer network device |
US6915431B1 (en) * | 1999-12-22 | 2005-07-05 | Intel Corporation | System and method for providing security mechanisms for securing network communication |
US6941377B1 (en) * | 1999-12-31 | 2005-09-06 | Intel Corporation | Method and apparatus for secondary use of devices with encryption |
JP2001298449A (en) * | 2000-04-12 | 2001-10-26 | Matsushita Electric Ind Co Ltd | Security communication method, communication system and its unit |
US7215637B1 (en) * | 2000-04-17 | 2007-05-08 | Juniper Networks, Inc. | Systems and methods for processing packets |
US7688727B1 (en) | 2000-04-17 | 2010-03-30 | Juniper Networks, Inc. | Filtering and route lookup in a switching device |
US6798777B1 (en) | 2000-04-17 | 2004-09-28 | Juniper Networks, Inc. | Filtering and route lookup in a switching device |
US6772348B1 (en) * | 2000-04-27 | 2004-08-03 | Microsoft Corporation | Method and system for retrieving security information for secured transmission of network communication streams |
GB2365717B (en) * | 2000-05-24 | 2004-01-21 | Ericsson Telefon Ab L M | IPsec processing |
AU2001265035A1 (en) * | 2000-05-25 | 2001-12-03 | Thomas R Markham | Distributed firewall system and method |
JP3736293B2 (en) * | 2000-05-31 | 2006-01-18 | 日本電信電話株式会社 | Service quality control method and device service quality control program in encrypted communication |
US7028332B1 (en) * | 2000-06-13 | 2006-04-11 | Intel Corporation | Method and apparatus for preventing packet retransmissions during IPsec security association establishment |
US7917647B2 (en) | 2000-06-16 | 2011-03-29 | Mcafee, Inc. | Method and apparatus for rate limiting |
US20020093527A1 (en) * | 2000-06-16 | 2002-07-18 | Sherlock Kieran G. | User interface for a security policy system and method |
AU2001269870A1 (en) * | 2000-06-16 | 2002-01-02 | Securify, Inc. | System and method for security policy |
US7131137B1 (en) * | 2000-06-29 | 2006-10-31 | Intel Corporation | Communication system including a security system |
US7991917B1 (en) | 2000-07-05 | 2011-08-02 | Mcafee, Inc. | High performance packet processing using a general purpose processor |
ES2312483T3 (en) * | 2000-07-14 | 2009-03-01 | Irdeto Access B.V. | ARCHITECTURE OF SECURE DATA DISSEMINATION BY PACKAGES. |
US7836498B2 (en) * | 2000-09-07 | 2010-11-16 | Riverbed Technology, Inc. | Device to protect victim sites during denial of service attacks |
US7051069B2 (en) * | 2000-09-28 | 2006-05-23 | Bea Systems, Inc. | System for managing logical process flow in an online environment |
FI20002377A (en) * | 2000-10-27 | 2002-04-28 | Ssh Comm Security Corp | A method for managing a reverse filter code |
US6915437B2 (en) * | 2000-12-20 | 2005-07-05 | Microsoft Corporation | System and method for improved network security |
KR100404321B1 (en) * | 2000-12-27 | 2003-11-01 | 한국전자통신연구원 | System and method for security evaluation of internet host system |
US7080120B2 (en) * | 2001-01-19 | 2006-07-18 | Digital Orchid, Inc. | System and method for collaborative processing of distributed applications |
US6996842B2 (en) * | 2001-01-30 | 2006-02-07 | Intel Corporation | Processing internet protocol security traffic |
FI20010293A (en) * | 2001-02-15 | 2002-08-16 | Ssh Comm Security Corp | Procedure for setting up insured connections |
FI20010511A0 (en) * | 2001-03-14 | 2001-03-14 | Stonesoft Oy | Processing of data packets |
US7739497B1 (en) * | 2001-03-21 | 2010-06-15 | Verizon Corporate Services Group Inc. | Method and apparatus for anonymous IP datagram exchange using dynamic network address translation |
US20030041050A1 (en) * | 2001-04-16 | 2003-02-27 | Greg Smith | System and method for web-based marketing and campaign management |
US7499948B2 (en) | 2001-04-16 | 2009-03-03 | Bea Systems, Inc. | System and method for web-based personalization and ecommerce management |
US7296155B1 (en) * | 2001-06-08 | 2007-11-13 | Cisco Technology, Inc. | Process and system providing internet protocol security without secure domain resolution |
US7392546B2 (en) | 2001-06-11 | 2008-06-24 | Bea Systems, Inc. | System and method for server security and entitlement processing |
US7194766B2 (en) * | 2001-06-12 | 2007-03-20 | Corrent Corporation | Method and system for high-speed processing IPSec security protocol packets |
US20020188871A1 (en) * | 2001-06-12 | 2002-12-12 | Corrent Corporation | System and method for managing security packet processing |
US7017042B1 (en) * | 2001-06-14 | 2006-03-21 | Syrus Ziai | Method and circuit to accelerate IPSec processing |
US6851113B2 (en) | 2001-06-29 | 2005-02-01 | International Business Machines Corporation | Secure shell protocol access control |
US7231665B1 (en) * | 2001-07-05 | 2007-06-12 | Mcafee, Inc. | Prevention of operating system identification through fingerprinting techniques |
US7904454B2 (en) | 2001-07-16 | 2011-03-08 | International Business Machines Corporation | Database access security |
US7209962B2 (en) * | 2001-07-30 | 2007-04-24 | International Business Machines Corporation | System and method for IP packet filtering based on non-IP packet traffic attributes |
WO2003036609A1 (en) * | 2001-10-24 | 2003-05-01 | Bea Systems, Inc. | Portal administration tool |
KR100487221B1 (en) | 2001-11-23 | 2005-05-03 | 삼성전자주식회사 | Method and apparatus for controlling the transmission power of control information in a mobile communication system |
US20030105830A1 (en) * | 2001-12-03 | 2003-06-05 | Duc Pham | Scalable network media access controller and methods |
US7350226B2 (en) * | 2001-12-13 | 2008-03-25 | Bea Systems, Inc. | System and method for analyzing security policies in a distributed computer network |
KR100447681B1 (en) * | 2001-12-27 | 2004-09-08 | 한국전자통신연구원 | method and recorded media for union key management using IPsec |
KR100470915B1 (en) * | 2001-12-28 | 2005-03-08 | 한국전자통신연구원 | Method for controlling internet information security system in ip packet level |
US7743415B2 (en) * | 2002-01-31 | 2010-06-22 | Riverbed Technology, Inc. | Denial of service attacks characterization |
US7650634B2 (en) | 2002-02-08 | 2010-01-19 | Juniper Networks, Inc. | Intelligent integrated network security device |
US7734752B2 (en) * | 2002-02-08 | 2010-06-08 | Juniper Networks, Inc. | Intelligent integrated network security device for high-availability applications |
US8370936B2 (en) | 2002-02-08 | 2013-02-05 | Juniper Networks, Inc. | Multi-method gateway-based network security systems and methods |
US6839338B1 (en) | 2002-03-20 | 2005-01-04 | Utstarcom Incorporated | Method to provide dynamic internet protocol security policy service |
US7203957B2 (en) * | 2002-04-04 | 2007-04-10 | At&T Corp. | Multipoint server for providing secure, scaleable connections between a plurality of network devices |
US7188365B2 (en) * | 2002-04-04 | 2007-03-06 | At&T Corp. | Method and system for securely scanning network traffic |
US8161539B2 (en) * | 2002-04-19 | 2012-04-17 | International Business Machines Corporation | IPSec network adapter verifier |
US7082477B1 (en) * | 2002-04-30 | 2006-07-25 | Cisco Technology, Inc. | Virtual application of features to electronic messages |
US7590855B2 (en) * | 2002-04-30 | 2009-09-15 | Tippingpoint Technologies, Inc. | Steganographically authenticated packet traffic |
US20040010598A1 (en) * | 2002-05-01 | 2004-01-15 | Bea Systems, Inc. | Portal setup wizard |
US7496687B2 (en) | 2002-05-01 | 2009-02-24 | Bea Systems, Inc. | Enterprise application platform |
US7725560B2 (en) | 2002-05-01 | 2010-05-25 | Bea Systems Inc. | Web service-enabled portlet wizard |
US9088494B2 (en) * | 2002-06-26 | 2015-07-21 | Avaya Communication Israel Ltd. | Packet fragmentation prevention |
US7334124B2 (en) * | 2002-07-22 | 2008-02-19 | Vormetric, Inc. | Logical access block processing protocol for transparent secure file storage |
US6678828B1 (en) * | 2002-07-22 | 2004-01-13 | Vormetric, Inc. | Secure network file access control system |
US6931530B2 (en) | 2002-07-22 | 2005-08-16 | Vormetric, Inc. | Secure network file access controller implementing access control and auditing |
NL1021300C2 (en) * | 2002-08-19 | 2004-03-01 | Tno | Computer network security. |
JP4159328B2 (en) | 2002-09-11 | 2008-10-01 | Necインフロンティア株式会社 | Network, IPsec setting server device, IPsec processing device, and IPsec setting method used therefor |
US7143288B2 (en) | 2002-10-16 | 2006-11-28 | Vormetric, Inc. | Secure file system server architecture and methods |
US7062566B2 (en) * | 2002-10-24 | 2006-06-13 | 3Com Corporation | System and method for using virtual local area network tags with a virtual private network |
US20040088425A1 (en) * | 2002-10-31 | 2004-05-06 | Comverse, Ltd. | Application level gateway based on universal parser |
US7574738B2 (en) | 2002-11-06 | 2009-08-11 | At&T Intellectual Property Ii, L.P. | Virtual private network crossovers based on certificates |
TW589832B (en) * | 2002-11-12 | 2004-06-01 | Inst Information Industry | QoS router for effectively processing fragmented packets and method thereof |
US20040123139A1 (en) * | 2002-12-18 | 2004-06-24 | At&T Corp. | System having filtering/monitoring of secure connections |
US7653930B2 (en) * | 2003-02-14 | 2010-01-26 | Bea Systems, Inc. | Method for role and resource policy management optimization |
US7591000B2 (en) | 2003-02-14 | 2009-09-15 | Oracle International Corporation | System and method for hierarchical role-based entitlements |
US6917975B2 (en) * | 2003-02-14 | 2005-07-12 | Bea Systems, Inc. | Method for role and resource policy management |
US7840614B2 (en) | 2003-02-20 | 2010-11-23 | Bea Systems, Inc. | Virtual content repository application program interface |
US7415478B2 (en) | 2003-02-20 | 2008-08-19 | Bea Systems, Inc. | Virtual repository complex content model |
US7562298B2 (en) | 2003-02-20 | 2009-07-14 | Bea Systems, Inc. | Virtual content repository browser |
US20040167880A1 (en) * | 2003-02-20 | 2004-08-26 | Bea Systems, Inc. | System and method for searching a virtual repository content |
US7483904B2 (en) * | 2003-02-20 | 2009-01-27 | Bea Systems, Inc. | Virtual repository content model |
US20040167871A1 (en) * | 2003-02-20 | 2004-08-26 | Bea Systems, Inc. | Content mining for virtual content repositories |
US7293286B2 (en) | 2003-02-20 | 2007-11-06 | Bea Systems, Inc. | Federated management of content repositories |
US20040230917A1 (en) * | 2003-02-28 | 2004-11-18 | Bales Christopher E. | Systems and methods for navigating a graphical hierarchy |
US7810036B2 (en) | 2003-02-28 | 2010-10-05 | Bea Systems, Inc. | Systems and methods for personalizing a portal |
US20040230557A1 (en) * | 2003-02-28 | 2004-11-18 | Bales Christopher E. | Systems and methods for context-sensitive editing |
CN100349398C (en) * | 2003-03-18 | 2007-11-14 | 华为技术有限公司 | User identification method based on safety command interpretive protocol |
US7814310B2 (en) * | 2003-04-12 | 2010-10-12 | Cavium Networks | IPsec performance optimization |
US7398386B2 (en) * | 2003-04-12 | 2008-07-08 | Cavium Networks, Inc. | Transparent IPSec processing inline between a framer and a network component |
US7308711B2 (en) * | 2003-06-06 | 2007-12-11 | Microsoft Corporation | Method and framework for integrating a plurality of network policies |
US20050097353A1 (en) * | 2003-10-10 | 2005-05-05 | Bea Systems, Inc. | Policy analysis tool |
US20050097352A1 (en) * | 2003-10-10 | 2005-05-05 | Bea Systems, Inc. | Embeddable security service module |
US7594224B2 (en) | 2003-10-10 | 2009-09-22 | Bea Systems, Inc. | Distributed enterprise security system |
US20050262362A1 (en) * | 2003-10-10 | 2005-11-24 | Bea Systems, Inc. | Distributed security system policies |
US7644432B2 (en) | 2003-10-10 | 2010-01-05 | Bea Systems, Inc. | Policy inheritance through nested groups |
CN1301612C (en) * | 2003-10-20 | 2007-02-21 | 中兴通讯股份有限公司 | IPSEC nesting strategy match correcting method |
US20050125443A1 (en) * | 2003-12-05 | 2005-06-09 | Biplav Srivastava | Automated interpretation of codes |
US8074267B1 (en) * | 2003-12-18 | 2011-12-06 | Symantec Corporation | Computer communications monitor |
US8176545B1 (en) * | 2003-12-19 | 2012-05-08 | Nvidia Corporation | Integrated policy checking system and method |
US20050149720A1 (en) * | 2004-01-07 | 2005-07-07 | Shimon Gruper | Method for speeding up the pass time of an executable through a checkpoint |
US20050188295A1 (en) * | 2004-02-25 | 2005-08-25 | Loren Konkus | Systems and methods for an extensible administration tool |
US7774601B2 (en) | 2004-04-06 | 2010-08-10 | Bea Systems, Inc. | Method for delegated administration |
US7246138B2 (en) * | 2004-04-13 | 2007-07-17 | Bea Systems, Inc. | System and method for content lifecycles in a virtual content repository that integrates a plurality of content repositories |
US7240076B2 (en) * | 2004-04-13 | 2007-07-03 | Bea Systems, Inc. | System and method for providing a lifecycle for information in a virtual content repository |
US7580953B2 (en) * | 2004-04-13 | 2009-08-25 | Bea Systems, Inc. | System and method for schema lifecycles in a virtual content repository that integrates a plurality of content repositories |
US20050228784A1 (en) * | 2004-04-13 | 2005-10-13 | Bea Systems, Inc. | System and method for batch operations in a virtual content repository |
US7475091B2 (en) * | 2004-04-13 | 2009-01-06 | Bea Systems, Inc. | System and method for viewing a virtual content repository |
US7236989B2 (en) | 2004-04-13 | 2007-06-26 | Bea Systems, Inc. | System and method for providing lifecycles for custom content in a virtual content repository |
US20050240714A1 (en) * | 2004-04-13 | 2005-10-27 | Bea Systems, Inc. | System and method for virtual content repository deployment |
US7236990B2 (en) * | 2004-04-13 | 2007-06-26 | Bea Systems, Inc. | System and method for information lifecycle workflow integration |
US7236975B2 (en) * | 2004-04-13 | 2007-06-26 | Bea Systems, Inc. | System and method for controlling access to anode in a virtual content repository that integrates a plurality of content repositories |
US20050261970A1 (en) * | 2004-05-21 | 2005-11-24 | Wayport, Inc. | Method for providing wireless services |
US20050283604A1 (en) * | 2004-06-21 | 2005-12-22 | Ipolicy Networks, Inc., A Delaware Corporation | Security association configuration in virtual private networks |
US20060041935A1 (en) * | 2004-08-17 | 2006-02-23 | Conley James W | Methodology for configuring network firewall |
US9454440B2 (en) | 2004-12-31 | 2016-09-27 | Emc Corporation | Versatile information management |
US8260753B2 (en) * | 2004-12-31 | 2012-09-04 | Emc Corporation | Backup information management |
US20060272005A1 (en) * | 2005-05-24 | 2006-11-30 | International Business Machines Corporation | Security optimization techniques for web applications |
US7970788B2 (en) * | 2005-08-02 | 2011-06-28 | International Business Machines Corporation | Selective local database access restriction |
US7746862B1 (en) | 2005-08-02 | 2010-06-29 | Juniper Networks, Inc. | Packet processing in a multiple processor system |
US9026512B2 (en) * | 2005-08-18 | 2015-05-05 | Emc Corporation | Data object search and retrieval |
US20070043705A1 (en) * | 2005-08-18 | 2007-02-22 | Emc Corporation | Searchable backups |
US7953734B2 (en) * | 2005-09-26 | 2011-05-31 | Oracle International Corporation | System and method for providing SPI extensions for content management system |
US7917537B2 (en) | 2005-09-26 | 2011-03-29 | Oracle International Corporation | System and method for providing link property types for content management |
US7483893B2 (en) | 2005-09-26 | 2009-01-27 | Bae Systems, Inc. | System and method for lightweight loading for managing content |
US7818344B2 (en) | 2005-09-26 | 2010-10-19 | Bea Systems, Inc. | System and method for providing nested types for content management |
US7752205B2 (en) * | 2005-09-26 | 2010-07-06 | Bea Systems, Inc. | Method and system for interacting with a virtual content repository |
US7933923B2 (en) | 2005-11-04 | 2011-04-26 | International Business Machines Corporation | Tracking and reconciling database commands |
US8122492B2 (en) * | 2006-04-21 | 2012-02-21 | Microsoft Corporation | Integration of social network information and network firewalls |
US8079073B2 (en) * | 2006-05-05 | 2011-12-13 | Microsoft Corporation | Distributed firewall implementation and control |
US8176157B2 (en) * | 2006-05-18 | 2012-05-08 | Microsoft Corporation | Exceptions grouping |
US7966655B2 (en) * | 2006-06-30 | 2011-06-21 | At&T Intellectual Property Ii, L.P. | Method and apparatus for optimizing a firewall |
US8463852B2 (en) | 2006-10-06 | 2013-06-11 | Oracle International Corporation | Groupware portlets for integrating a portal with groupware systems |
US8141100B2 (en) | 2006-12-20 | 2012-03-20 | International Business Machines Corporation | Identifying attribute propagation for multi-tier processing |
CN100555991C (en) * | 2006-12-29 | 2009-10-28 | 华为技术有限公司 | The method of message access control, forwarding engine device and communication equipment |
US8495367B2 (en) | 2007-02-22 | 2013-07-23 | International Business Machines Corporation | Nondestructive interception of secure data in transit |
US8131994B2 (en) * | 2007-06-01 | 2012-03-06 | Cisco Technology, Inc. | Dual cryptographic keying |
US8261327B2 (en) | 2007-07-12 | 2012-09-04 | Wayport, Inc. | Device-specific authorization at distributed locations |
US20090216875A1 (en) * | 2008-02-26 | 2009-08-27 | Barracuda Inc. | Filtering secure network messages without cryptographic processes method |
US8261326B2 (en) | 2008-04-25 | 2012-09-04 | International Business Machines Corporation | Network intrusion blocking security overlay |
US8429715B2 (en) * | 2008-08-08 | 2013-04-23 | Microsoft Corporation | Secure resource name resolution using a cache |
JP5294761B2 (en) * | 2008-08-29 | 2013-09-18 | パナソニック株式会社 | Secure communication device, secure communication method, and program |
US8826366B2 (en) * | 2010-07-15 | 2014-09-02 | Tt Government Solutions, Inc. | Verifying access-control policies with arithmetic quantifier-free form constraints |
US9191327B2 (en) | 2011-02-10 | 2015-11-17 | Varmour Networks, Inc. | Distributed service processing of network gateways using virtual machines |
US8838999B1 (en) | 2011-05-17 | 2014-09-16 | Applied Micro Circuits Corporation | Cut-through packet stream encryption/decryption |
US9258275B2 (en) * | 2012-04-11 | 2016-02-09 | Varmour Networks, Inc. | System and method for dynamic security insertion in network virtualization |
KR101478228B1 (en) * | 2013-12-31 | 2015-01-06 | 주식회사 시큐아이 | Computer device and for method for searching policy thereof |
US9973472B2 (en) | 2015-04-02 | 2018-05-15 | Varmour Networks, Inc. | Methods and systems for orchestrating physical and virtual switches to enforce security boundaries |
US10091238B2 (en) | 2014-02-11 | 2018-10-02 | Varmour Networks, Inc. | Deception using distributed threat detection |
US10264025B2 (en) | 2016-06-24 | 2019-04-16 | Varmour Networks, Inc. | Security policy generation for virtualization, bare-metal server, and cloud computing environments |
US9294442B1 (en) | 2015-03-30 | 2016-03-22 | Varmour Networks, Inc. | System and method for threat-driven security policy controls |
US10193929B2 (en) | 2015-03-13 | 2019-01-29 | Varmour Networks, Inc. | Methods and systems for improving analytics in distributed networks |
US9380027B1 (en) | 2015-03-30 | 2016-06-28 | Varmour Networks, Inc. | Conditional declarative policies |
US10009381B2 (en) | 2015-03-30 | 2018-06-26 | Varmour Networks, Inc. | System and method for threat-driven security policy controls |
US9525697B2 (en) | 2015-04-02 | 2016-12-20 | Varmour Networks, Inc. | Delivering security functions to distributed networks |
US10191758B2 (en) | 2015-12-09 | 2019-01-29 | Varmour Networks, Inc. | Directing data traffic between intra-server virtual machines |
KR101720702B1 (en) * | 2015-12-15 | 2017-04-10 | 주식회사 시큐아이 | Security device and driving method thereof |
US9680852B1 (en) | 2016-01-29 | 2017-06-13 | Varmour Networks, Inc. | Recursive multi-layer examination for computer network security remediation |
US9762599B2 (en) | 2016-01-29 | 2017-09-12 | Varmour Networks, Inc. | Multi-node affinity-based examination for computer network security remediation |
US9521115B1 (en) | 2016-03-24 | 2016-12-13 | Varmour Networks, Inc. | Security policy generation using container metadata |
US10755334B2 (en) | 2016-06-30 | 2020-08-25 | Varmour Networks, Inc. | Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors |
US10812135B2 (en) * | 2017-02-28 | 2020-10-20 | Texas Instruments Incorporated | Independent sequence processing to facilitate security between nodes in wireless networks |
US10609008B2 (en) | 2017-06-08 | 2020-03-31 | Nxp Usa, Inc. | Securing an electronically transmitted communication |
US11863580B2 (en) | 2019-05-31 | 2024-01-02 | Varmour Networks, Inc. | Modeling application dependencies to identify operational risk |
US11711374B2 (en) | 2019-05-31 | 2023-07-25 | Varmour Networks, Inc. | Systems and methods for understanding identity and organizational access to applications within an enterprise environment |
US11290493B2 (en) | 2019-05-31 | 2022-03-29 | Varmour Networks, Inc. | Template-driven intent-based security |
US11310284B2 (en) | 2019-05-31 | 2022-04-19 | Varmour Networks, Inc. | Validation of cloud security policies |
US11575563B2 (en) | 2019-05-31 | 2023-02-07 | Varmour Networks, Inc. | Cloud security management |
US11290494B2 (en) | 2019-05-31 | 2022-03-29 | Varmour Networks, Inc. | Reliability prediction for cloud security policies |
US11588798B1 (en) * | 2020-03-12 | 2023-02-21 | Government Of The United States, As Represented By The National Security Agency | Protocol free encrypting device |
US11329956B2 (en) | 2020-07-28 | 2022-05-10 | Bank Of America Corporation | Scalable encryption framework using virtualization and adaptive sampling |
US11818152B2 (en) | 2020-12-23 | 2023-11-14 | Varmour Networks, Inc. | Modeling topic-based message-oriented middleware within a security system |
US11876817B2 (en) | 2020-12-23 | 2024-01-16 | Varmour Networks, Inc. | Modeling queue-based message-oriented middleware relationships in a security system |
US11777978B2 (en) | 2021-01-29 | 2023-10-03 | Varmour Networks, Inc. | Methods and systems for accurately assessing application access risk |
US11734316B2 (en) | 2021-07-08 | 2023-08-22 | Varmour Networks, Inc. | Relationship-based search in a computing environment |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4715030A (en) * | 1986-08-04 | 1987-12-22 | General Electric Company | Local area network bridge |
US5172111A (en) * | 1987-08-31 | 1992-12-15 | Olivo Jr John W | Stored media screening device |
DE69316009T2 (en) * | 1992-06-12 | 1998-04-23 | Dow Chemical Co | SAFE FRONT END CONNECTION SYSTEM AND METHOD FOR PROCESS CONTROLLER |
US5448698A (en) * | 1993-04-05 | 1995-09-05 | Hewlett-Packard Company | Inter-processor communication system in which messages are stored at locations specified by the sender |
WO1997000471A2 (en) | 1993-12-15 | 1997-01-03 | Check Point Software Technologies Ltd. | A system for securing the flow of and selectively modifying packets in a computer network |
US5615340A (en) * | 1994-07-21 | 1997-03-25 | Allied Telesyn Int'l Corp. | Network interfacing apparatus and method using repeater and cascade interface with scrambling |
US5761424A (en) | 1995-12-29 | 1998-06-02 | Symbios, Inc. | Method and apparatus for programmable filtration and generation of information in packetized communication systems |
US5848233A (en) | 1996-12-09 | 1998-12-08 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
US6092110A (en) * | 1997-10-23 | 2000-07-18 | At&T Wireless Svcs. Inc. | Apparatus for filtering packets using a dedicated processor |
-
1998
- 1998-06-19 US US09/100,272 patent/US6253321B1/en not_active Expired - Lifetime
-
1999
- 1999-06-18 DE DE69912846T patent/DE69912846T2/en not_active Expired - Lifetime
- 1999-06-18 AU AU47862/99A patent/AU4786299A/en not_active Abandoned
- 1999-06-18 WO PCT/FI1999/000536 patent/WO1999067930A2/en active IP Right Grant
- 1999-06-18 JP JP2000556485A patent/JP4771390B2/en not_active Expired - Lifetime
- 1999-06-18 CA CA002335082A patent/CA2335082C/en not_active Expired - Lifetime
- 1999-06-18 IL IL14026399A patent/IL140263A/en not_active IP Right Cessation
- 1999-06-18 AT AT99931309T patent/ATE254371T1/en not_active IP Right Cessation
- 1999-06-18 EP EP99931309A patent/EP1145520B1/en not_active Expired - Lifetime
- 1999-06-18 KR KR1020007014445A patent/KR100641279B1/en not_active IP Right Cessation
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101547203B (en) * | 2000-06-26 | 2015-08-05 | 英特尔公司 | Internet protocol security policies is used to set up network security |
Also Published As
Publication number | Publication date |
---|---|
KR20010071528A (en) | 2001-07-28 |
DE69912846T2 (en) | 2004-09-02 |
WO1999067930A2 (en) | 1999-12-29 |
AU4786299A (en) | 2000-01-10 |
EP1145520B1 (en) | 2003-11-12 |
JP2002524891A (en) | 2002-08-06 |
CA2335082C (en) | 2009-11-17 |
DE69912846D1 (en) | 2003-12-18 |
ATE254371T1 (en) | 2003-11-15 |
WO1999067930A3 (en) | 2001-10-04 |
KR100641279B1 (en) | 2006-10-31 |
JP4771390B2 (en) | 2011-09-14 |
EP1145520A2 (en) | 2001-10-17 |
IL140263A (en) | 2005-07-25 |
EP1145520A3 (en) | 2001-11-28 |
IL140263A0 (en) | 2002-02-10 |
US6253321B1 (en) | 2001-06-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2335082A1 (en) | Method and arrangement for implementing ipsec policy management using filter code | |
US8190734B2 (en) | System and method for network monitoring of internet protocol (IP) networks | |
US10212135B2 (en) | Locked down network interface | |
CA2401577C (en) | System, device and method for rapid packet filtering and processing | |
DE60036284T2 (en) | APPARATUS FOR CLASSIFICATION IN A CRYPTOGRAPHIC ACCELERATION SCHIP | |
US6772348B1 (en) | Method and system for retrieving security information for secured transmission of network communication streams | |
US20040039940A1 (en) | Hardware-based packet filtering accelerator | |
EP3160083A1 (en) | Policy conflict resolution method and device | |
US9356844B2 (en) | Efficient application recognition in network traffic | |
US20060173989A1 (en) | Method for synchronization of policy cache with various policy-based applications | |
KR960012819A (en) | System for unsigned transmission and reception of data packets between computer networks | |
Abadi et al. | Authentication primitives and their compilation | |
CN101409677B (en) | Access control method and apparatus | |
US7409542B2 (en) | Security association management through the use of lookup tables | |
CN101605136B (en) | A method and an apparatus for Internet protocol security IPSec processing to packets | |
CN101529434B (en) | Method and transmitting device for securely creating and sending an electronic message and method and receiving device for securely receiving and processing an electronic message | |
CN105939284A (en) | Message control strategy matching method and device | |
US11818099B2 (en) | Efficient matching of feature-rich security policy with dynamic content using user group matching | |
CN101741818B (en) | Independent network safety encryption isolator arranged on network cable and isolation method thereof | |
US20060013397A1 (en) | Channel adapter managed trusted queue pairs | |
CN107168812A (en) | Obtain the method and device of process data | |
US20200145379A1 (en) | Efficient matching of feature-rich security policy with dynamic content using incremental precondition changes | |
US10965647B2 (en) | Efficient matching of feature-rich security policy with dynamic content | |
US11328057B2 (en) | Detection of malicious data in a containerized environment | |
CN117424749A (en) | Network transparent encryption and decryption method, device, system, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKEX | Expiry |
Effective date: 20190618 |