CA2335082A1 - Method and arrangement for implementing ipsec policy management using filter code - Google Patents

Info

Publication number
CA2335082A1
Authority
CA
Canada
Prior art keywords
packet
filter code
processing
processing system
data processing
Prior art date
Legal status
Granted
Application number
CA002335082A
Other languages
French (fr)
Other versions
CA2335082C (en)
Inventor
Pekka Nikander
Tatu Ylonen
Current Assignee
SSH Communications Security Oy
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Publication of CA2335082A1
Application granted
Publication of CA2335082C
Anticipated expiration
Expired - Lifetime (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0272 Virtual private networks
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0464 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

A data processing system implements a security protocol based on processing data in packets. The data processing system comprises packet processing means (301) for storing filter code (304) and processing data packets according to stored filter code, and policy managing means (305) for generating filter code and communicating generated filter code to the packet processing means (301). The packet processing means (301) is arranged to examine whether the stored filter code is applicable for processing a certain packet. If the stored filter code is not applicable for the processing of a packet, the packet is communicated to the policy managing means (305), which generates filter code applicable for the processing of the packet and communicates the generated filter code to the packet processing means (301).

Claims (20)

1. A data processing system for implementing a security protocol based on processing data in packets, characterized in that said data processing system comprises:
- packet processing means (308) for storing filter code (304) and processing data packets (301) according to stored filter code, and
- policy managing means (305) for generating filter code and communicating generated filter code to said packet processing means,
wherein said packet processing means is arranged to examine (503, 504, 505) whether the stored filter code is applicable for processing a certain packet, and to communicate (507) such packets for the processing of which the stored filter code is not applicable to said policy managing means, and said policy managing means is arranged to, as a response to receiving a packet from said packet processing means, either (508, 509)
- generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means, or
- process the packet by said policy managing means, or
- process the packet by said policy managing means and generate filter code applicable for the processing of the packet and communicate the generated filter code to said packet processing means.
2. A data processing system according to claim 1, characterized in that it further comprises a policy database (306) for storing a plurality of policy rules, wherein said policy database is implemented as a part of said policy managing means (305).
3. A data processing system according to claim 2, characterized in that it further comprises key management means (307) for implementing the key management functions according to said security protocol, wherein said key management means is arranged to communicate with said policy managing means (305).
4. A data processing system according to claim 3, characterized in that said key management means (307) and said policy managing means (305) are arranged to generate and maintain a plurality of security associations as specific applications of said policy rules and key management functions to certain communications.
5. A data processing system according to claim 4, characterized in that said policy managing means (305) is arranged to generate filter code on the basis of the information contained within said policy rules and said security associations.
6. A data processing system according to claim 5, characterized in that said policy managing means (305) is arranged to communicate information about said security associations to said packet processing means (301) in addition to the generated filter code, and said packet processing means (301) is arranged to perform cryptographic transformations on packets, said cryptographic transformations being based on said filter code and said information about said security associations.
7. A data processing system according to claim 6, characterized in that said policy managing means (305) is arranged to communicate information about only a fraction of the security associations known to said policy managing means (305) to said packet processing means (301).
8. A data processing system according to claim 6, characterized in that said packet processing means (301) is arranged to store the filter code (304) separately from said information about said security associations.
9. A data processing system according to claim 1, characterized in that it further comprises packet intercepting means (303) for separating data packets for the processing of which said security protocol is applicable from a general stream of packets, wherein said packet intercepting means (303) is arranged to communicate with said packet processing means (301).
10. A data processing system according to claim 1, characterized in that it further comprises a kernel space (604) and a user-mode process space (605), wherein said packet processing means (301) resides in said kernel space (604) and said policy managing means (305) resides in said user-mode process space (605).
11. A data processing system according to claim 1, characterized in that it further comprises a kernel space (604) and a user-mode process space (605), wherein said packet processing means (301) and said policy managing means (305) reside in said user-mode process space (605).
12. A data processing system according to claim 1, characterized in that it further comprises at least two network interfaces (651, 652), wherein said packet processing means (301) is arranged to store separate filter code for each network interface.
13. A data processing system according to claim 1, characterized in that said packet processing means (301) is arranged to process incoming and outgoing packets and store separate filter code for the processing of incoming and outgoing packets.
14. A data processing system according to claim 1, characterized in that said filter code does not contain any backward jumps.
15. A data processing system according to claim 1, characterized in that said filter code includes the operations of dropping a packet (504), passing a packet through (505), and referring the packet to the policy managing means (507).
16. A data processing system according to claim 15, characterized in that said filter code additionally includes the operation of applying a transformation to a packet (506).
17. A data processing system according to claim 1, characterized in that said packet processing means (301) is arranged to process packets in fragments, applying said filter code to the processing of the first fragment of a packet before receiving the other fragments and processing any remaining fragments of the packet separately using the actions determined for the first fragment.
18. A data processing system according to claim 17, characterized in that said filter code contains an instruction to require, as a response to receiving a fragment, a full packet before processing can continue.
19. A data processing system according to claim 1, characterized in that said filter code consists of actual compiled processor instructions.
20. A method for implementing a security protocol based on processing data in packets, characterized in that it comprises the steps of:
a) examining (502, 504, 505) whether a piece of stored filter code is applicable for processing a certain packet in a packet processing means, whereby a positive result means that a piece of stored filter code is applicable for processing a certain packet and a negative result means that a piece of stored filter code is not applicable for processing a certain packet,
b) following a positive result in step a), processing (503, 506) the packet in said packet processing means according to the stored filter code,
c) following a negative result in step a), communicating (507) the packet into a policy managing means and examining (508) whether filter code should be generated and communicated to said packet processing means for the processing of the packet in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means,
d) following a positive result in step c), generating (509) filter code applicable for the processing of the packet and communicating the generated filter code to said packet processing means,
e) following a negative result in step c), examining whether filter code should be generated and communicated to said packet processing means for the processing of further similar packets in said packet processing means, whereby a positive result means that filter code should be generated and communicated to said packet processing means and a negative result means that filter code should not be generated and communicated to said packet processing means,
f) following a positive result in step e), processing the packet in the policy managing means and generating filter code applicable for the processing of further similar packets and communicating the generated filter code to said packet processing means, and
g) following a negative result in step e), processing the packet in the policy managing means.
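The abstract and claims 1, 14, 15, 16 and 20 describe a fast path (packet processing means holding stored filter code and only the security associations pushed to it) and a slow path (policy managing means holding the policy database, compiling rules into filter code on demand). The following is an added example written for this page, not code from the patent or from SSH Communications Security. It models that split in Python: a forward-only filter-code interpreter with the drop / pass / transform / refer operations, a verifier that rejects backward jumps (claim 14), and a policy manager that either generates and installs code for a referred packet (step d) or processes the packet itself without generating code (step g). The instruction set, the class names, the rule table and the XOR stand-in for the ESP transformation are all my own constructions.

```python
# Added example, not the patent's code. Instruction set (assumed, not the patent's):
#   ("JNE", field, value, skip)  skip the next `skip` instructions if pkt.field != value
#   ("DROP",)                    drop the packet                         (claim 15)
#   ("PASS",)                    pass the packet through                 (claim 15)
#   ("XFORM", sa_id)             apply the transformation of SA sa_id    (claim 16)
#   ("REFER",)                   refer the packet to the policy manager  (claim 15)
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Instr = Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes


@dataclass(frozen=True)
class Verdict:
    action: str                      # "drop" | "pass"
    packet: Optional[Packet] = None  # the (possibly transformed) packet on "pass"


class FilterCodeError(Exception):
    pass


def verify_filter_code(code: List[Instr]) -> None:
    """Reject backward jumps and jumps beyond the end (claim 14), so every run
    of the code terminates after at most len(code) instructions."""
    for pc, instr in enumerate(code):
        if instr[0] == "JNE":
            skip = instr[3]
            if skip < 0 or pc + 1 + skip > len(code):
                raise FilterCodeError(f"bad jump at pc={pc}: skip={skip}")
        elif instr[0] not in ("DROP", "PASS", "XFORM", "REFER"):
            raise FilterCodeError(f"unknown opcode at pc={pc}: {instr[0]!r}")


def is_valid_filter_code(code: List[Instr]) -> bool:
    try:
        verify_filter_code(code)
        return True
    except FilterCodeError:
        return False


def apply_sa(pkt: Packet, sa: Tuple[str, bytes]) -> Packet:
    """Constructed stand-in for the ESP transform: a one-byte XOR so the example runs offline."""
    kind, key = sa
    if kind != "xor":
        raise ValueError(kind)
    return replace(pkt, payload=bytes(b ^ key[0] for b in pkt.payload))


class PacketProcessor:
    """Fast path ('packet processing means'): stored filter code plus only the SAs
    the policy manager has pushed down (claims 6 to 8)."""

    def __init__(self, policy_manager: "PolicyManager") -> None:
        self.code: List[Instr] = []   # stored filter code (304); empty at start
        self.sas: Dict[int, Tuple[str, bytes]] = {}
        self.pm = policy_manager

    def install(self, code: List[Instr], sas: Dict[int, Tuple[str, bytes]]) -> None:
        verify_filter_code(code)      # never run unverified code on the fast path
        self.code = code
        self.sas.update(sas)

    def process(self, pkt: Packet) -> Verdict:
        pc = 0
        while pc < len(self.code):
            instr = self.code[pc]
            op = instr[0]
            if op == "JNE":
                _, field, value, skip = instr
                pc += 1 + (skip if getattr(pkt, field) != value else 0)
            elif op == "DROP":
                return Verdict("drop")
            elif op == "PASS":
                return Verdict("pass", pkt)
            elif op == "XFORM":
                pkt = apply_sa(pkt, self.sas[instr[1]])
                pc += 1
            else:                     # REFER
                break
        # REFER, or ran off the end: the stored code is not applicable to this
        # packet, so hand it to the policy manager (step c of claim 20).
        return self.pm.handle(pkt, self)


class PolicyManager:
    """Slow path: owns the policy database (306) and the full SA table, compiles
    rules into forward-only filter code and pushes it to the fast path."""

    def __init__(self, rules: List[dict]) -> None:
        self.rules = rules
        self.sas = {1: ("xor", b"\x5a"), 2: ("xor", b"\x17")}  # constructed SA table
        self.referrals = 0

    def compile_rule(self, rule: dict) -> List[Instr]:
        """One rule becomes one fragment; non-matching packets jump forward past it."""
        if rule["action"] == "protect":
            body = [("XFORM", rule["sa"]), ("PASS",)]
        else:
            body = [(rule["action"].upper(),)]
        return [("JNE", "src", rule["src"], len(body) + 1),
                ("JNE", "dst", rule["dst"], len(body))] + body

    def handle(self, pkt: Packet, pp: PacketProcessor) -> Verdict:
        self.referrals += 1
        rule = next((r for r in self.rules
                     if r["src"] == pkt.src and r["dst"] == pkt.dst), None)
        if rule is None:
            # Step g: process the packet here (default deny) and generate no code.
            return Verdict("drop")
        # Step d: append a fragment for this flow ahead of the trailing REFER, push
        # only the SA that fragment needs (claim 7), then let the fast path re-run.
        fragment = self.compile_rule(rule)
        needed = {rule["sa"]: self.sas[rule["sa"]]} if "sa" in rule else {}
        pp.install(pp.code[:-1] + fragment + [("REFER",)], needed)
        return pp.process(pkt)


# Constructed policy database for the demo.
RULES = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "action": "protect", "sa": 1},
    {"src": "10.0.0.1", "dst": "10.0.0.3", "action": "pass"},
    {"src": "10.0.0.9", "dst": "10.0.0.2", "action": "drop"},
]


def demo() -> dict:
    pm = PolicyManager(RULES)
    pp = PacketProcessor(pm)
    flow = Packet("10.0.0.1", "10.0.0.2", "tcp", b"hello")
    first = pp.process(flow)    # slow path: referred, code compiled and installed
    second = pp.process(flow)   # fast path: stored code now applies, no referral
    stray = Packet("192.0.2.1", "10.0.0.2", "udp", b"x")
    pp.process(stray)           # no rule: dropped by the policy manager, no code
    pp.process(stray)           # ... so it is referred again
    return {"first": first, "second": second, "referrals": pm.referrals,
            "code_len": len(pp.code), "fast_path_sas": sorted(pp.sas)}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over from the claims: `verify_filter_code` runs at install time, so the fast path only ever executes code that cannot loop, and the fast path receives just the one SA a fragment needs rather than the policy manager's whole table, which keeps key material out of the component that handles untrusted traffic first.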

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US09/100,272 1998-06-19
US09/100,272 US6253321B1 (en) 1998-06-19 1998-06-19 Method and arrangement for implementing IPSEC policy management using filter code
PCT/FI1999/000536 WO1999067930A2 (en) 1998-06-19 1999-06-18 Method and arrangement for implementing ipsec policy management using filter code

Publications (2)

Publication Number Publication Date
CA2335082A1 (en) 1999-12-29
CA2335082C CA2335082C (en) 2009-11-17

Family

ID=22278931

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002335082A Expired - Lifetime CA2335082C (en) 1998-06-19 1999-06-18 Method and arrangement for implementing ipsec policy management using filter code

Country Status (10)

Country Link
US (1) US6253321B1 (en)
EP (1) EP1145520B1 (en)
JP (1) JP4771390B2 (en)
KR (1) KR100641279B1 (en)
AT (1) ATE254371T1 (en)
AU (1) AU4786299A (en)
CA (1) CA2335082C (en)
DE (1) DE69912846T2 (en)
IL (1) IL140263A (en)
WO (1) WO1999067930A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547203B (en) * 2000-06-26 2015-08-05 英特尔公司 Internet protocol security policies is used to set up network security

Families Citing this family (178)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6158010A (en) 1998-10-28 2000-12-05 Crosslogix, Inc. System and method for maintaining security in a distributed computer network
US7673323B1 (en) 1998-10-28 2010-03-02 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
US6418130B1 (en) * 1999-01-08 2002-07-09 Telefonaktiebolaget L M Ericsson (Publ) Reuse of security associations for improving hand-over performance
DE69937464T2 (en) * 1999-01-14 2008-08-21 Nokia Corp. METHOD AND DEVICE FOR HEARING
US6738377B1 (en) * 1999-01-29 2004-05-18 International Business Machines Corporation System and method for dynamic micro placement of IP connection filters
US7370348B1 (en) * 1999-07-30 2008-05-06 Intel Corporation Technique and apparatus for processing cryptographic services of data in a network system
US6754832B1 (en) * 1999-08-12 2004-06-22 International Business Machines Corporation Security rule database searching in a network security environment
US7023863B1 (en) * 1999-10-29 2006-04-04 3Com Corporation Apparatus and method for processing encrypted packets in a computer network device
US6915431B1 (en) * 1999-12-22 2005-07-05 Intel Corporation System and method for providing security mechanisms for securing network communication
US6941377B1 (en) * 1999-12-31 2005-09-06 Intel Corporation Method and apparatus for secondary use of devices with encryption
JP2001298449A (en) * 2000-04-12 2001-10-26 Matsushita Electric Ind Co Ltd Security communication method, communication system and its unit
US7215637B1 (en) * 2000-04-17 2007-05-08 Juniper Networks, Inc. Systems and methods for processing packets
US7688727B1 (en) 2000-04-17 2010-03-30 Juniper Networks, Inc. Filtering and route lookup in a switching device
US6798777B1 (en) 2000-04-17 2004-09-28 Juniper Networks, Inc. Filtering and route lookup in a switching device
US6772348B1 (en) * 2000-04-27 2004-08-03 Microsoft Corporation Method and system for retrieving security information for secured transmission of network communication streams
GB2365717B (en) * 2000-05-24 2004-01-21 Ericsson Telefon Ab L M IPsec processing
AU2001265035A1 (en) * 2000-05-25 2001-12-03 Thomas R Markham Distributed firewall system and method
JP3736293B2 (en) * 2000-05-31 2006-01-18 日本電信電話株式会社 Service quality control method and device service quality control program in encrypted communication
US7028332B1 (en) * 2000-06-13 2006-04-11 Intel Corporation Method and apparatus for preventing packet retransmissions during IPsec security association establishment
US7917647B2 (en) 2000-06-16 2011-03-29 Mcafee, Inc. Method and apparatus for rate limiting
US20020093527A1 (en) * 2000-06-16 2002-07-18 Sherlock Kieran G. User interface for a security policy system and method
AU2001269870A1 (en) * 2000-06-16 2002-01-02 Securify, Inc. System and method for security policy
US7131137B1 (en) * 2000-06-29 2006-10-31 Intel Corporation Communication system including a security system
US7991917B1 (en) 2000-07-05 2011-08-02 Mcafee, Inc. High performance packet processing using a general purpose processor
ES2312483T3 (en) * 2000-07-14 2009-03-01 Irdeto Access B.V. ARCHITECTURE OF SECURE DATA DISSEMINATION BY PACKAGES.
US7836498B2 (en) * 2000-09-07 2010-11-16 Riverbed Technology, Inc. Device to protect victim sites during denial of service attacks
US7051069B2 (en) * 2000-09-28 2006-05-23 Bea Systems, Inc. System for managing logical process flow in an online environment
FI20002377A (en) * 2000-10-27 2002-04-28 Ssh Comm Security Corp A method for managing a reverse filter code
US6915437B2 (en) * 2000-12-20 2005-07-05 Microsoft Corporation System and method for improved network security
KR100404321B1 (en) * 2000-12-27 2003-11-01 한국전자통신연구원 System and method for security evaluation of internet host system
US7080120B2 (en) * 2001-01-19 2006-07-18 Digital Orchid, Inc. System and method for collaborative processing of distributed applications
US6996842B2 (en) * 2001-01-30 2006-02-07 Intel Corporation Processing internet protocol security traffic
FI20010293A (en) * 2001-02-15 2002-08-16 Ssh Comm Security Corp Procedure for setting up insured connections
FI20010511A0 (en) * 2001-03-14 2001-03-14 Stonesoft Oy Processing of data packets
US7739497B1 (en) * 2001-03-21 2010-06-15 Verizon Corporate Services Group Inc. Method and apparatus for anonymous IP datagram exchange using dynamic network address translation
US20030041050A1 (en) * 2001-04-16 2003-02-27 Greg Smith System and method for web-based marketing and campaign management
US7499948B2 (en) 2001-04-16 2009-03-03 Bea Systems, Inc. System and method for web-based personalization and ecommerce management
US7296155B1 (en) * 2001-06-08 2007-11-13 Cisco Technology, Inc. Process and system providing internet protocol security without secure domain resolution
US7392546B2 (en) 2001-06-11 2008-06-24 Bea Systems, Inc. System and method for server security and entitlement processing
US7194766B2 (en) * 2001-06-12 2007-03-20 Corrent Corporation Method and system for high-speed processing IPSec security protocol packets
US20020188871A1 (en) * 2001-06-12 2002-12-12 Corrent Corporation System and method for managing security packet processing
US7017042B1 (en) * 2001-06-14 2006-03-21 Syrus Ziai Method and circuit to accelerate IPSec processing
US6851113B2 (en) 2001-06-29 2005-02-01 International Business Machines Corporation Secure shell protocol access control
US7231665B1 (en) * 2001-07-05 2007-06-12 Mcafee, Inc. Prevention of operating system identification through fingerprinting techniques
US7904454B2 (en) 2001-07-16 2011-03-08 International Business Machines Corporation Database access security
US7209962B2 (en) * 2001-07-30 2007-04-24 International Business Machines Corporation System and method for IP packet filtering based on non-IP packet traffic attributes
WO2003036609A1 (en) * 2001-10-24 2003-05-01 Bea Systems, Inc. Portal administration tool
KR100487221B1 (en) 2001-11-23 2005-05-03 삼성전자주식회사 Method and apparatus for controlling the transmission power of control information in a mobile communication system
US20030105830A1 (en) * 2001-12-03 2003-06-05 Duc Pham Scalable network media access controller and methods
US7350226B2 (en) * 2001-12-13 2008-03-25 Bea Systems, Inc. System and method for analyzing security policies in a distributed computer network
KR100447681B1 (en) * 2001-12-27 2004-09-08 한국전자통신연구원 method and recorded media for union key management using IPsec
KR100470915B1 (en) * 2001-12-28 2005-03-08 한국전자통신연구원 Method for controlling internet information security system in ip packet level
US7743415B2 (en) * 2002-01-31 2010-06-22 Riverbed Technology, Inc. Denial of service attacks characterization
US7650634B2 (en) 2002-02-08 2010-01-19 Juniper Networks, Inc. Intelligent integrated network security device
US7734752B2 (en) * 2002-02-08 2010-06-08 Juniper Networks, Inc. Intelligent integrated network security device for high-availability applications
US8370936B2 (en) 2002-02-08 2013-02-05 Juniper Networks, Inc. Multi-method gateway-based network security systems and methods
US6839338B1 (en) 2002-03-20 2005-01-04 Utstarcom Incorporated Method to provide dynamic internet protocol security policy service
US7203957B2 (en) * 2002-04-04 2007-04-10 At&T Corp. Multipoint server for providing secure, scaleable connections between a plurality of network devices
US7188365B2 (en) * 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
US8161539B2 (en) * 2002-04-19 2012-04-17 International Business Machines Corporation IPSec network adapter verifier
US7082477B1 (en) * 2002-04-30 2006-07-25 Cisco Technology, Inc. Virtual application of features to electronic messages
US7590855B2 (en) * 2002-04-30 2009-09-15 Tippingpoint Technologies, Inc. Steganographically authenticated packet traffic
US20040010598A1 (en) * 2002-05-01 2004-01-15 Bea Systems, Inc. Portal setup wizard
US7496687B2 (en) 2002-05-01 2009-02-24 Bea Systems, Inc. Enterprise application platform
US7725560B2 (en) 2002-05-01 2010-05-25 Bea Systems Inc. Web service-enabled portlet wizard
US9088494B2 (en) * 2002-06-26 2015-07-21 Avaya Communication Israel Ltd. Packet fragmentation prevention
US7334124B2 (en) * 2002-07-22 2008-02-19 Vormetric, Inc. Logical access block processing protocol for transparent secure file storage
US6678828B1 (en) * 2002-07-22 2004-01-13 Vormetric, Inc. Secure network file access control system
US6931530B2 (en) 2002-07-22 2005-08-16 Vormetric, Inc. Secure network file access controller implementing access control and auditing
NL1021300C2 (en) * 2002-08-19 2004-03-01 Tno Computer network security.
JP4159328B2 (en) 2002-09-11 2008-10-01 Necインフロンティア株式会社 Network, IPsec setting server device, IPsec processing device, and IPsec setting method used therefor
US7143288B2 (en) 2002-10-16 2006-11-28 Vormetric, Inc. Secure file system server architecture and methods
US7062566B2 (en) * 2002-10-24 2006-06-13 3Com Corporation System and method for using virtual local area network tags with a virtual private network
US20040088425A1 (en) * 2002-10-31 2004-05-06 Comverse, Ltd. Application level gateway based on universal parser
US7574738B2 (en) 2002-11-06 2009-08-11 At&T Intellectual Property Ii, L.P. Virtual private network crossovers based on certificates
TW589832B (en) * 2002-11-12 2004-06-01 Inst Information Industry QoS router for effectively processing fragmented packets and method thereof
US20040123139A1 (en) * 2002-12-18 2004-06-24 At&T Corp. System having filtering/monitoring of secure connections
US7653930B2 (en) * 2003-02-14 2010-01-26 Bea Systems, Inc. Method for role and resource policy management optimization
US7591000B2 (en) 2003-02-14 2009-09-15 Oracle International Corporation System and method for hierarchical role-based entitlements
US6917975B2 (en) * 2003-02-14 2005-07-12 Bea Systems, Inc. Method for role and resource policy management
US7840614B2 (en) 2003-02-20 2010-11-23 Bea Systems, Inc. Virtual content repository application program interface
US7415478B2 (en) 2003-02-20 2008-08-19 Bea Systems, Inc. Virtual repository complex content model
US7562298B2 (en) 2003-02-20 2009-07-14 Bea Systems, Inc. Virtual content repository browser
US20040167880A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. System and method for searching a virtual repository content
US7483904B2 (en) * 2003-02-20 2009-01-27 Bea Systems, Inc. Virtual repository content model
US20040167871A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Content mining for virtual content repositories
US7293286B2 (en) 2003-02-20 2007-11-06 Bea Systems, Inc. Federated management of content repositories
US20040230917A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for navigating a graphical hierarchy
US7810036B2 (en) 2003-02-28 2010-10-05 Bea Systems, Inc. Systems and methods for personalizing a portal
US20040230557A1 (en) * 2003-02-28 2004-11-18 Bales Christopher E. Systems and methods for context-sensitive editing
CN100349398C (en) * 2003-03-18 2007-11-14 华为技术有限公司 User identification method based on safety command interpretive protocol
US7814310B2 (en) * 2003-04-12 2010-10-12 Cavium Networks IPsec performance optimization
US7398386B2 (en) * 2003-04-12 2008-07-08 Cavium Networks, Inc. Transparent IPSec processing inline between a framer and a network component
US7308711B2 (en) * 2003-06-06 2007-12-11 Microsoft Corporation Method and framework for integrating a plurality of network policies
US20050097353A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy analysis tool
US20050097352A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Embeddable security service module
US7594224B2 (en) 2003-10-10 2009-09-22 Bea Systems, Inc. Distributed enterprise security system
US20050262362A1 (en) * 2003-10-10 2005-11-24 Bea Systems, Inc. Distributed security system policies
US7644432B2 (en) 2003-10-10 2010-01-05 Bea Systems, Inc. Policy inheritance through nested groups
CN1301612C (en) * 2003-10-20 2007-02-21 中兴通讯股份有限公司 IPSEC nesting strategy match correcting method
US20050125443A1 (en) * 2003-12-05 2005-06-09 Biplav Srivastava Automated interpretation of codes
US8074267B1 (en) * 2003-12-18 2011-12-06 Symantec Corporation Computer communications monitor
US8176545B1 (en) * 2003-12-19 2012-05-08 Nvidia Corporation Integrated policy checking system and method
US20050149720A1 (en) * 2004-01-07 2005-07-07 Shimon Gruper Method for speeding up the pass time of an executable through a checkpoint
US20050188295A1 (en) * 2004-02-25 2005-08-25 Loren Konkus Systems and methods for an extensible administration tool
US7774601B2 (en) 2004-04-06 2010-08-10 Bea Systems, Inc. Method for delegated administration
US7246138B2 (en) * 2004-04-13 2007-07-17 Bea Systems, Inc. System and method for content lifecycles in a virtual content repository that integrates a plurality of content repositories
US7240076B2 (en) * 2004-04-13 2007-07-03 Bea Systems, Inc. System and method for providing a lifecycle for information in a virtual content repository
US7580953B2 (en) * 2004-04-13 2009-08-25 Bea Systems, Inc. System and method for schema lifecycles in a virtual content repository that integrates a plurality of content repositories
US20050228784A1 (en) * 2004-04-13 2005-10-13 Bea Systems, Inc. System and method for batch operations in a virtual content repository
US7475091B2 (en) * 2004-04-13 2009-01-06 Bea Systems, Inc. System and method for viewing a virtual content repository
US7236989B2 (en) 2004-04-13 2007-06-26 Bea Systems, Inc. System and method for providing lifecycles for custom content in a virtual content repository
US20050240714A1 (en) * 2004-04-13 2005-10-27 Bea Systems, Inc. System and method for virtual content repository deployment
US7236990B2 (en) * 2004-04-13 2007-06-26 Bea Systems, Inc. System and method for information lifecycle workflow integration
US7236975B2 (en) * 2004-04-13 2007-06-26 Bea Systems, Inc. System and method for controlling access to a node in a virtual content repository that integrates a plurality of content repositories
US20050261970A1 (en) * 2004-05-21 2005-11-24 Wayport, Inc. Method for providing wireless services
US20050283604A1 (en) * 2004-06-21 2005-12-22 Ipolicy Networks, Inc., A Delaware Corporation Security association configuration in virtual private networks
US20060041935A1 (en) * 2004-08-17 2006-02-23 Conley James W Methodology for configuring network firewall
US9454440B2 (en) 2004-12-31 2016-09-27 Emc Corporation Versatile information management
US8260753B2 (en) * 2004-12-31 2012-09-04 Emc Corporation Backup information management
US20060272005A1 (en) * 2005-05-24 2006-11-30 International Business Machines Corporation Security optimization techniques for web applications
US7970788B2 (en) * 2005-08-02 2011-06-28 International Business Machines Corporation Selective local database access restriction
US7746862B1 (en) 2005-08-02 2010-06-29 Juniper Networks, Inc. Packet processing in a multiple processor system
US9026512B2 (en) * 2005-08-18 2015-05-05 Emc Corporation Data object search and retrieval
US20070043705A1 (en) * 2005-08-18 2007-02-22 Emc Corporation Searchable backups
US7953734B2 (en) * 2005-09-26 2011-05-31 Oracle International Corporation System and method for providing SPI extensions for content management system
US7917537B2 (en) 2005-09-26 2011-03-29 Oracle International Corporation System and method for providing link property types for content management
US7483893B2 (en) 2005-09-26 2009-01-27 Bea Systems, Inc. System and method for lightweight loading for managing content
US7818344B2 (en) 2005-09-26 2010-10-19 Bea Systems, Inc. System and method for providing nested types for content management
US7752205B2 (en) * 2005-09-26 2010-07-06 Bea Systems, Inc. Method and system for interacting with a virtual content repository
US7933923B2 (en) 2005-11-04 2011-04-26 International Business Machines Corporation Tracking and reconciling database commands
US8122492B2 (en) * 2006-04-21 2012-02-21 Microsoft Corporation Integration of social network information and network firewalls
US8079073B2 (en) * 2006-05-05 2011-12-13 Microsoft Corporation Distributed firewall implementation and control
US8176157B2 (en) * 2006-05-18 2012-05-08 Microsoft Corporation Exceptions grouping
US7966655B2 (en) * 2006-06-30 2011-06-21 At&T Intellectual Property Ii, L.P. Method and apparatus for optimizing a firewall
US8463852B2 (en) 2006-10-06 2013-06-11 Oracle International Corporation Groupware portlets for integrating a portal with groupware systems
US8141100B2 (en) 2006-12-20 2012-03-20 International Business Machines Corporation Identifying attribute propagation for multi-tier processing
CN100555991C (en) * 2006-12-29 2009-10-28 华为技术有限公司 Message access control method, forwarding engine device and communication equipment
US8495367B2 (en) 2007-02-22 2013-07-23 International Business Machines Corporation Nondestructive interception of secure data in transit
US8131994B2 (en) * 2007-06-01 2012-03-06 Cisco Technology, Inc. Dual cryptographic keying
US8261327B2 (en) 2007-07-12 2012-09-04 Wayport, Inc. Device-specific authorization at distributed locations
US20090216875A1 (en) * 2008-02-26 2009-08-27 Barracuda Inc. Filtering secure network messages without cryptographic processes method
US8261326B2 (en) 2008-04-25 2012-09-04 International Business Machines Corporation Network intrusion blocking security overlay
US8429715B2 (en) * 2008-08-08 2013-04-23 Microsoft Corporation Secure resource name resolution using a cache
JP5294761B2 (en) * 2008-08-29 2013-09-18 パナソニック株式会社 Secure communication device, secure communication method, and program
US8826366B2 (en) * 2010-07-15 2014-09-02 Tt Government Solutions, Inc. Verifying access-control policies with arithmetic quantifier-free form constraints
US9191327B2 (en) 2011-02-10 2015-11-17 Varmour Networks, Inc. Distributed service processing of network gateways using virtual machines
US8838999B1 (en) 2011-05-17 2014-09-16 Applied Micro Circuits Corporation Cut-through packet stream encryption/decryption
US9258275B2 (en) * 2012-04-11 2016-02-09 Varmour Networks, Inc. System and method for dynamic security insertion in network virtualization
KR101478228B1 (en) * 2013-12-31 2015-01-06 주식회사 시큐아이 Computer device and method for searching policy thereof
US9973472B2 (en) 2015-04-02 2018-05-15 Varmour Networks, Inc. Methods and systems for orchestrating physical and virtual switches to enforce security boundaries
US10091238B2 (en) 2014-02-11 2018-10-02 Varmour Networks, Inc. Deception using distributed threat detection
US10264025B2 (en) 2016-06-24 2019-04-16 Varmour Networks, Inc. Security policy generation for virtualization, bare-metal server, and cloud computing environments
US9294442B1 (en) 2015-03-30 2016-03-22 Varmour Networks, Inc. System and method for threat-driven security policy controls
US10193929B2 (en) 2015-03-13 2019-01-29 Varmour Networks, Inc. Methods and systems for improving analytics in distributed networks
US9380027B1 (en) 2015-03-30 2016-06-28 Varmour Networks, Inc. Conditional declarative policies
US10009381B2 (en) 2015-03-30 2018-06-26 Varmour Networks, Inc. System and method for threat-driven security policy controls
US9525697B2 (en) 2015-04-02 2016-12-20 Varmour Networks, Inc. Delivering security functions to distributed networks
US10191758B2 (en) 2015-12-09 2019-01-29 Varmour Networks, Inc. Directing data traffic between intra-server virtual machines
KR101720702B1 (en) * 2015-12-15 2017-04-10 주식회사 시큐아이 Security device and driving method thereof
US9680852B1 (en) 2016-01-29 2017-06-13 Varmour Networks, Inc. Recursive multi-layer examination for computer network security remediation
US9762599B2 (en) 2016-01-29 2017-09-12 Varmour Networks, Inc. Multi-node affinity-based examination for computer network security remediation
US9521115B1 (en) 2016-03-24 2016-12-13 Varmour Networks, Inc. Security policy generation using container metadata
US10755334B2 (en) 2016-06-30 2020-08-25 Varmour Networks, Inc. Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors
US10812135B2 (en) * 2017-02-28 2020-10-20 Texas Instruments Incorporated Independent sequence processing to facilitate security between nodes in wireless networks
US10609008B2 (en) 2017-06-08 2020-03-31 Nxp Usa, Inc. Securing an electronically transmitted communication
US11863580B2 (en) 2019-05-31 2024-01-02 Varmour Networks, Inc. Modeling application dependencies to identify operational risk
US11711374B2 (en) 2019-05-31 2023-07-25 Varmour Networks, Inc. Systems and methods for understanding identity and organizational access to applications within an enterprise environment
US11290493B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Template-driven intent-based security
US11310284B2 (en) 2019-05-31 2022-04-19 Varmour Networks, Inc. Validation of cloud security policies
US11575563B2 (en) 2019-05-31 2023-02-07 Varmour Networks, Inc. Cloud security management
US11290494B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Reliability prediction for cloud security policies
US11588798B1 (en) * 2020-03-12 2023-02-21 Government Of The United States, As Represented By The National Security Agency Protocol free encrypting device
US11329956B2 (en) 2020-07-28 2022-05-10 Bank Of America Corporation Scalable encryption framework using virtualization and adaptive sampling
US11818152B2 (en) 2020-12-23 2023-11-14 Varmour Networks, Inc. Modeling topic-based message-oriented middleware within a security system
US11876817B2 (en) 2020-12-23 2024-01-16 Varmour Networks, Inc. Modeling queue-based message-oriented middleware relationships in a security system
US11777978B2 (en) 2021-01-29 2023-10-03 Varmour Networks, Inc. Methods and systems for accurately assessing application access risk
US11734316B2 (en) 2021-07-08 2023-08-22 Varmour Networks, Inc. Relationship-based search in a computing environment

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4715030A (en) * 1986-08-04 1987-12-22 General Electric Company Local area network bridge
US5172111A (en) * 1987-08-31 1992-12-15 Olivo Jr John W Stored media screening device
DE69316009T2 (en) * 1992-06-12 1998-04-23 Dow Chemical Co SAFE FRONT END CONNECTION SYSTEM AND METHOD FOR PROCESS CONTROLLER
US5448698A (en) * 1993-04-05 1995-09-05 Hewlett-Packard Company Inter-processor communication system in which messages are stored at locations specified by the sender
WO1997000471A2 (en) 1993-12-15 1997-01-03 Check Point Software Technologies Ltd. A system for securing the flow of and selectively modifying packets in a computer network
US5615340A (en) * 1994-07-21 1997-03-25 Allied Telesyn Int'l Corp. Network interfacing apparatus and method using repeater and cascade interface with scrambling
US5761424A (en) 1995-12-29 1998-06-02 Symbios, Inc. Method and apparatus for programmable filtration and generation of information in packetized communication systems
US5848233A (en) 1996-12-09 1998-12-08 Sun Microsystems, Inc. Method and apparatus for dynamic packet filter assignment
US6092110A (en) * 1997-10-23 2000-07-18 At&T Wireless Svcs. Inc. Apparatus for filtering packets using a dedicated processor

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547203B (en) * 2000-06-26 2015-08-05 英特尔公司 Internet protocol security policies are used to set up network security

Also Published As

Publication number Publication date
KR20010071528A (en) 2001-07-28
DE69912846T2 (en) 2004-09-02
WO1999067930A2 (en) 1999-12-29
AU4786299A (en) 2000-01-10
EP1145520B1 (en) 2003-11-12
JP2002524891A (en) 2002-08-06
CA2335082C (en) 2009-11-17
DE69912846D1 (en) 2003-12-18
ATE254371T1 (en) 2003-11-15
WO1999067930A3 (en) 2001-10-04
KR100641279B1 (en) 2006-10-31
JP4771390B2 (en) 2011-09-14
EP1145520A2 (en) 2001-10-17
IL140263A (en) 2005-07-25
EP1145520A3 (en) 2001-11-28
IL140263A0 (en) 2002-02-10
US6253321B1 (en) 2001-06-26

Similar Documents

Publication Publication Date Title
CA2335082A1 (en) Method and arrangement for implementing ipsec policy management using filter code
US8190734B2 (en) System and method for network monitoring of internet protocol (IP) networks
US10212135B2 (en) Locked down network interface
CA2401577C (en) System, device and method for rapid packet filtering and processing
DE60036284T2 (en) APPARATUS FOR CLASSIFICATION IN A CRYPTOGRAPHIC ACCELERATION CHIP
US6772348B1 (en) Method and system for retrieving security information for secured transmission of network communication streams
US20040039940A1 (en) Hardware-based packet filtering accelerator
EP3160083A1 (en) Policy conflict resolution method and device
US9356844B2 (en) Efficient application recognition in network traffic
US20060173989A1 (en) Method for synchronization of policy cache with various policy-based applications
KR960012819A (en) System for unsigned transmission and reception of data packets between computer networks
Abadi et al. Authentication primitives and their compilation
CN101409677B (en) Access control method and apparatus
US7409542B2 (en) Security association management through the use of lookup tables
CN101605136B (en) A method and an apparatus for Internet protocol security IPSec processing to packets
CN101529434B (en) Method and transmitting device for securely creating and sending an electronic message and method and receiving device for securely receiving and processing an electronic message
CN105939284A (en) Message control strategy matching method and device
US11818099B2 (en) Efficient matching of feature-rich security policy with dynamic content using user group matching
CN101741818B (en) Independent network safety encryption isolator arranged on network cable and isolation method thereof
US20060013397A1 (en) Channel adapter managed trusted queue pairs
CN107168812A (en) Method and device for obtaining process data
US20200145379A1 (en) Efficient matching of feature-rich security policy with dynamic content using incremental precondition changes
US10965647B2 (en) Efficient matching of feature-rich security policy with dynamic content
US11328057B2 (en) Detection of malicious data in a containerized environment
CN117424749A (en) Network transparent encryption and decryption method, device, system, equipment and storage medium

Legal Events

Date Code Title Description
EEER Examination request
MKEX Expiry

Effective date: 20190618