Abstract:
A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators to interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators to mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework representations, and a canonical representation using extensible data-driven dictionaries.
Abstract:
A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in the overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network device is communicated to a second network device.
Abstract:
A method and system for the assignment of security group information using a proxy is disclosed. The method includes receiving an address of a network device at a first network device, receiving a security group of the network device at the first network device and associating the address information and the security group information with one another at the first network device. The first network device is coupled to a second network device. The address is represented by address information, which is received from the second network device. The security group is identified using the security group information, which indicates the network device is a member of the security group. The address information and the security group information are associated with one another by storing the address information and the security group information at the first network device.
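Added worked example (Python; not code from either patent holder). It puts the abstract above together with the earlier one on carrying security information in packet overhead: a proxy (the "first network device") learns address-to-security-group bindings from a peer (the "second network device"), stores the two together, and uses the stored binding to tag a packet that leaves the group-aware network. The 4-byte tag layout, the marker value, the speaker names and the notion of "trusted speakers" are assumptions made for this example; the patents do not specify them.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Assumed per-packet overhead (constructed for this example): 16-bit marker, 16-bit security group tag.
TAG = struct.Struct("!HH")
TAG_MARKER = 0x5347  # "SG"; constructed value, not a real protocol constant


@dataclass(frozen=True)
class Binding:
    prefix: ipaddress.IPv4Network
    sgt: int
    speaker: str  # which peer advertised it; a binding is only as trustworthy as its speaker


class BindingTable:
    """Address information and security group information stored together on the proxy."""

    def __init__(self, trusted_speakers):
        self.trusted = set(trusted_speakers)
        self.bindings = {}  # prefix -> Binding

    def learn(self, speaker, prefix, sgt):
        """Accept a binding only from a configured peer: an unauthenticated speaker could
        otherwise map the whole address space to a privileged group."""
        if speaker not in self.trusted:
            raise PermissionError(f"binding from untrusted speaker {speaker}")
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("security group tag out of range")
        net = ipaddress.ip_network(prefix, strict=False)
        self.bindings[net] = Binding(net, sgt, speaker)

    def lookup(self, address):
        """Longest-prefix match, so a host binding wins over a subnet binding."""
        ip = ipaddress.ip_address(address)
        best = None
        for net, b in self.bindings.items():
            if ip in net and (best is None or net.prefixlen > best.prefix.prefixlen):
                best = b
        return best.sgt if best else None


def tag_packet(table, src_address, payload, default_sgt=0):
    """Egress into the network that does not support the technique: prepend the source's
    group so the far edge can still enforce group policy. Unknown sources get the
    least-privileged group rather than no tag at all."""
    sgt = table.lookup(src_address)
    if sgt is None:
        sgt = default_sgt
    return TAG.pack(TAG_MARKER, sgt) + payload


def untag_packet(packet):
    """Far edge: recover the group and the original payload, rejecting untagged packets."""
    if len(packet) < TAG.size:
        raise ValueError("packet shorter than the security overhead")
    marker, sgt = TAG.unpack_from(packet)
    if marker != TAG_MARKER:
        raise ValueError("no security group overhead present")
    return sgt, packet[TAG.size:]


if __name__ == "__main__":
    table = BindingTable(trusted_speakers={"sw-core-1"})  # constructed peer name
    table.learn("sw-core-1", "10.1.0.0/16", 10)
    table.learn("sw-core-1", "10.1.2.3/32", 40)
    print(untag_packet(tag_packet(table, "10.1.2.3", b"hello")))
```

The two checks worth keeping from this sketch are the trusted-speaker gate on `learn` and the longest-prefix lookup; a table that accepts bindings from any peer, or that returns the first matching prefix, hands out group membership to whoever advertises first.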
Abstract:
A method and an apparatus are disclosed for securing authentication, authorization and accounting (AAA) protocol messages. An encryption key, a device identifier value, and verification data are received and stored at a network device. The verification data comprises in part a copy of the encryption key and the device identifier value, and has been encrypted using a private key of a server. A shared secret is generated by applying a computational function to the encryption key and the device identifier value. Based on the shared secret, a first message integrity check value for a message is generated. The message, the first message integrity check value, and the verification data are sent to the server. The server decrypts the verification data using the private key, extracts the encryption key and the device identifier value, and generates the same shared secret by applying the same computational function to the extracted encryption key and device identifier value. Based on this generated shared secret, a second message integrity check value is generated and compared to the received first message integrity check value.
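Added worked example (Python standard library only; not the patent holder's code). It runs the exchange in the abstract end to end: the server provisions a device with an encryption key, a device identifier and sealed verification data; the device derives the shared secret and a message integrity check (MIC); the server recovers the key and identifier from the verification data and recomputes the MIC. Everything concrete is an assumption of this example: the "computational function" is HMAC-SHA256, the MIC is HMAC-SHA256, the server's "private key" is modelled as a symmetric key only the server holds, and the verification data is sealed with a toy HMAC-counter-mode stream cipher plus an HMAC tag so the example runs without third-party packages (a real design would use an AEAD).

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 in counter mode). Stand-in for a real cipher, assumption."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_verification_data(server_key, enc_key, device_id):
    """Server side: encrypt (enc_key || device_id) under the server-only key and append an
    HMAC tag so a modified blob is rejected before anything is decrypted."""
    plaintext = struct.pack("!H", len(enc_key)) + enc_key + device_id
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(server_key, nonce, len(plaintext)))
    tag = hmac.new(server_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_verification_data(server_key, blob):
    """Server side: verify the tag, then recover the encryption key and device identifier."""
    if len(blob) < NONCE_LEN + TAG_LEN + 2:
        raise ValueError("verification data too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(server_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("verification data tampered")
    pt = _xor(ct, _keystream(server_key, nonce, len(ct)))
    (klen,) = struct.unpack_from("!H", pt)
    return pt[2:2 + klen], pt[2 + klen:]


def provision_device(server_key, device_id, enc_key=None):
    """What the device receives and stores: its encryption key and the sealed verification data."""
    enc_key = enc_key or os.urandom(16)
    return enc_key, seal_verification_data(server_key, enc_key, device_id)


def derive_shared_secret(enc_key, device_id):
    """The abstract's 'computational function'; HMAC-SHA256 here is an assumption."""
    return hmac.new(enc_key, device_id, hashlib.sha256).digest()


def integrity_check(shared_secret, message):
    return hmac.new(shared_secret, message, hashlib.sha256).digest()


def client_send(enc_key, device_id, verification_data, message):
    """Device side: returns the triple that goes on the wire."""
    mic = integrity_check(derive_shared_secret(enc_key, device_id), message)
    return message, mic, verification_data


def server_verify(server_key, message, mic, verification_data):
    """Server side: the server keeps no per-device state; the verification data is the
    only thing it needs to rebuild the shared secret and check the MIC."""
    enc_key, device_id = open_verification_data(server_key, verification_data)
    expected = integrity_check(derive_shared_secret(enc_key, device_id), message)
    return hmac.compare_digest(mic, expected)


if __name__ == "__main__":
    server_key = os.urandom(32)
    enc_key, vdata = provision_device(server_key, b"device-0042")  # constructed identifier
    msg, mic, vdata = client_send(enc_key, b"device-0042", vdata, b"Accounting-Request")
    print(server_verify(server_key, msg, mic, vdata))
```

Note what the scheme does and does not give you: the MIC binds a message to a device the server itself provisioned, and a swapped-in verification data blob from another device fails because the derived secret differs. Nothing in the abstract, or in this example, prevents replay of a captured (message, MIC, verification data) triple; a deployment needs a sequence number or server nonce inside the message for that.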
Abstract:
A shared spanning tree protocol (SSTP) creates a plurality of spanning trees (i.e., loop-free paths) which are shared among one or more virtual local area network (VLAN) designations for data transmission within a computer network. Each shared spanning tree includes and is defined by a primary VLAN and may be associated with one or more secondary VLANs. In order to associate VLAN designation(s) with a single shared spanning tree, network devices exchange novel shared spanning tree protocol data units (SST-PDUs). Each SST-PDU corresponds to a given primary VLAN and preferably includes one or more fields which list the secondary VLAN designations associated with the given primary VLAN. The association of VLAN designations to shared spanning trees, moreover, preferably depends on which path traffic is to follow as well as the anticipated load characteristics of the various VLANs. The association of VLAN designations to shared spanning trees thus provides a degree of load balancing within the network. Data messages tagged with a particular VLAN designation are then distributed by the devices only along the shared spanning tree to which that VLAN has been associated by SSTP.
Abstract:
In order to boot a portable computer, a smart key is required to be inserted into a PCMCIA card of the portable computer. Firmware in the PCMCIA card verifies that a smart key has been inserted. The portable computer will boot only when two conditions are met. The first condition is that the smart key, the PCMCIA card, and the portable computer all contemporaneously have matching codes stored therein. The second condition is that the first condition is met and that a newly generated, encrypted random code is successfully stored in each of the smart key, the PCMCIA card, and the portable computer. Until these two conditions are met, the portable computer will not boot. Once booted, access to certain coded files on the portable computer is denied if the respective matching codes in the coded files are not also contained in the smart key. Also, the portable computer will not exit an idle, sleep, or power conservation mode until the two conditions are met. Also disclosed are an inventive apparatus and system including a smart key, an ASIC analogous to the PCMCIA card, and a computerized apparatus analogous to the portable computer, where the foregoing two conditions must be met before a user gains access to the computerized apparatus. Contemplated computerized apparatus include PDAs, copy machines, facsimile machines, standalone modems, mobile telephones, pagers, televisions, and automobiles.
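Added worked example (Python; not the patent holder's code). It models the two boot conditions above with three code holders and exercises the failure mode the abstract leaves implicit: the second condition requires the new code to land in all three holders, so a write that fails on one of them must not leave the other two holding the new code, or the next boot attempt fails the first condition with no way back. The `CodeStore` class, the fault-injection flag and the rollback are constructions of this example; the abstract's "encrypted" code is represented by plain random bytes here.

```python
import secrets


class CodeStore:
    """One of the three code holders: the smart key, the PCMCIA card, or the computer.
    `fail_writes` is constructed fault injection so the partial-update case can be exercised."""

    def __init__(self, name, code, fail_writes=False):
        self.name = name
        self.code = code
        self.fail_writes = fail_writes

    def write(self, code):
        if self.fail_writes:
            return False
        self.code = code
        return True


def codes_match(stores):
    """First condition: every holder currently carries the same code."""
    return all(secrets.compare_digest(s.code, stores[0].code) for s in stores)


def rotate_code(stores):
    """Second condition: a fresh random code is written into every holder. If any write
    fails, the holders that already accepted the new code are rolled back to the old one,
    so the set never ends up half-updated."""
    old = stores[0].code
    new = secrets.token_bytes(len(old))
    updated = []
    for s in stores:
        if not s.write(new):
            for u in updated:
                u.write(old)
            return False
        updated.append(s)
    return True


def try_boot(smart_key, card, computer):
    """Boot (or leave idle/sleep) only when both conditions hold, checked in order:
    the rotation is never attempted against a mismatched set."""
    stores = [smart_key, card, computer]
    return codes_match(stores) and rotate_code(stores)


def file_access_allowed(smart_key_file_codes, file_code):
    """Post-boot check: a coded file opens only if the smart key also carries its code."""
    return any(secrets.compare_digest(c, file_code) for c in smart_key_file_codes)


if __name__ == "__main__":
    seed = secrets.token_bytes(16)
    key, card, pc = (CodeStore(n, seed) for n in ("smart key", "pcmcia card", "computer"))
    print("boot:", try_boot(key, card, pc))
    pc.fail_writes = True
    print("boot with failing write:", try_boot(key, card, pc), "codes consistent:", codes_match([key, card, pc]))
```

The rollback here assumes a holder that accepted one write will accept the restoring write; a real implementation needs a two-phase commit (stage the new code, then a small atomic flag flip in each holder) rather than trusting that assumption.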
Abstract:
A port aggregation protocol (PAGP) dynamically aggregates redundant links between two neighboring devices in a computer network through the exchange of aggregation protocol data unit (AGPDU) frames between the two devices. Each AGPDU frame contains a unique identifier corresponding to the device sourcing the frame and a port number corresponding to the port through which the frame is forwarded. The exchange of AGPDU frames and the information contained therein allows the neighboring devices to identify those ports corresponding to the redundant links. Each device then dynamically aggregates its ports corresponding to the redundant links into a logical aggregation port (agport) which appears as a single, high-bandwidth port or interface to other processes executing on the device.
Abstract:
A three-tier employment model provides flexibility when modeling even moderately complex relationships, such as where an employee has multiple job tasks or assignments for an employer. In such an example, a top level can store information for each employee defining the type of relationship that exists between the employee and the employer, such as where the employee works for multiple entities of the employer. A middle level can capture employment terms and conditions that are associated with the relationship(s), as well as one or many work assignments, such as salary information for each assignment. A bottom level can store the actual details of the work to be performed. A three-tier approach thus provides significant flexibility in modeling the employment of a person for an enterprise, and allows companies and enterprises to easily record the reality of their complex work relationships.
Abstract:
A method of securely extending a protected network through secure relay of AAA information, when an isolated device lacks Layer 3 connectivity to an AAA infrastructure of the protected network, comprises receiving a first authentication message, from an isolated first network device, wherein the first authentication message is encapsulated in a first Layer 2 message, wherein the first authentication message seeks to authenticate a second network device using an authentication server, and wherein the second network device and the authentication server are within a protected network; extracting the first authentication message from the first Layer 2 message; forming a packet that includes the first authentication message; sending the packet with the extracted authentication message over a Layer 3 link to the authentication server, without modifying the extracted authentication message. Thus a network node within a protected network can relay AAA requests and responses between an isolated AAA client, encapsulated in Layer 2 messages, and an AAA server, in Layer 3 messages.
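Added worked example (Python; not the patent holder's code) of the relay above in both directions: an authentication message arrives from the isolated device inside a Layer 2 frame, the relay extracts it and hands it to the Layer 3 path unchanged, and the server's answer is wrapped back into a Layer 2 frame for the isolated peer. The framing is an assumption of this example (an IEEE 802.1X EAPOL-style header on an Ethernet frame, EtherType 0x888E, carrying an opaque EAP message); the abstract does not name the Layer 2 encapsulation. The `L3Packet` class stands in for the UDP datagram the relay would actually send. Two checks are added that the abstract does not spell out but a relay sitting inside a protected network needs: only the configured isolated peer may inject frames, and only the configured AAA server's answers are relayed back.

```python
import struct
from dataclasses import dataclass

ETH = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
EAPOL = struct.Struct("!BBH")   # protocol version, packet type, body length
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0


@dataclass(frozen=True)
class L3Packet:
    """Stand-in for the UDP datagram on the Layer 3 link (assumption of this example)."""
    src: tuple       # (ip, port)
    dst: tuple
    payload: bytes   # the authentication message, byte for byte


class AAARelay:
    """Node inside the protected network with one L2 link to the isolated device and an
    L3 path to the AAA server. The message bytes are treated as opaque and never edited."""

    def __init__(self, peer_mac, own_mac, own_addr, server_addr):
        self.peer_mac, self.own_mac = peer_mac, own_mac
        self.own_addr, self.server_addr = own_addr, server_addr

    def l2_to_l3(self, frame):
        """Extract the authentication message from the L2 frame and form the L3 packet."""
        if len(frame) < ETH.size + EAPOL.size:
            raise ValueError("frame too short")
        dst, src, etype = ETH.unpack_from(frame)
        if etype != ETHERTYPE_EAPOL or dst != self.own_mac:
            raise ValueError("not an authentication frame addressed to this relay")
        if src != self.peer_mac:
            raise PermissionError("frame from an unauthorised L2 peer")
        _version, ptype, blen = EAPOL.unpack_from(frame, ETH.size)
        if ptype != EAPOL_EAP_PACKET:
            raise ValueError("not an EAP packet")
        start = ETH.size + EAPOL.size
        if len(frame) < start + blen:
            raise ValueError("body length exceeds frame")  # forged or truncated length field
        message = frame[start:start + blen]                # Ethernet padding after the body is dropped
        return L3Packet(self.own_addr, self.server_addr, message)

    def l3_to_l2(self, pkt):
        """Wrap the server's answer in an L2 frame for the isolated peer, unchanged."""
        if pkt.src != self.server_addr or pkt.dst != self.own_addr:
            raise PermissionError("only answers from the configured AAA server are relayed")
        if len(pkt.payload) > 0xFFFF:
            raise ValueError("message too long for the L2 encapsulation")
        return (ETH.pack(self.peer_mac, self.own_mac, ETHERTYPE_EAPOL)
                + EAPOL.pack(1, EAPOL_EAP_PACKET, len(pkt.payload))
                + pkt.payload)


def build_frame(dst_mac, src_mac, message, version=1):
    """What the isolated device puts on the wire (constructed helper for the example)."""
    return (ETH.pack(dst_mac, src_mac, ETHERTYPE_EAPOL)
            + EAPOL.pack(version, EAPOL_EAP_PACKET, len(message))
            + message)


if __name__ == "__main__":
    peer, relay_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
    relay = AAARelay(peer, relay_mac, ("10.0.0.2", 49152), ("10.0.0.10", 1812))
    eap = bytes([2, 7, 0, 10]) + b"\x01alice"  # EAP Response/Identity: code 2, id 7, length 10
    pkt = relay.l2_to_l3(build_frame(relay_mac, peer, eap))
    print(pkt.dst, pkt.payload == eap)
```

The length check matters more than it looks: a relay that forwarded `frame[start:]` instead of `frame[start:start + blen]` would pass Ethernet padding into the AAA server as part of the message, and one that trusted `blen` without comparing it to the frame length would read past the frame on a forged header.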