System and methods for network segmentation
    1.
    Granted patent (in force)

    Publication number: US07688829B2

    Publication date: 2010-03-30

    Application number: US11226011

    Filing date: 2005-09-14

    IPC classification: H04L12/28

    Abstract: A routing mechanism provides network segmentation preservation by route distribution with segment identification, policy distribution for a given VPN segment, and encapsulation/decapsulation for each segment using an Ethernet VLAN_ID, indicative of the VPN segment (subnetwork). Encapsulated segmentation information in a message packet identifies which routing and forwarding table is employed for the next hop. A common routing instance receives the message packets from the common interface, and indexes a corresponding VRF table from the VLAN ID, or segment identifier, indicative of the subnetwork (e.g. segment). In this manner, the routing instance receives the incoming message packet, decapsulates the VLAN ID in the incoming message packet, and indexes the corresponding VRF and policy ID from the VLAN ID, therefore employing a common routing instance over a common subinterface for a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. VPN router).


    Inspection and rewriting of cryptographically protected data from group VPNs
    3.
    Patent application (in force)

    Publication number: US20100064137A1

    Publication date: 2010-03-11

    Application number: US12231813

    Filing date: 2008-09-05

    IPC classification: H04L9/00

    Abstract: Systems, methods, and other embodiments associated with processing secure network traffic are described. One example method includes determining whether a device is a preconfigured member of a group key system. If the device is not a preconfigured member then the method selectively establishes membership in the group key system by requesting membership from a group controller. The example method may also include receiving a set of keys from the group controller and being assigned a role by the group controller. The method may further include processing secure network traffic as an inspection point, a rewriting point, and/or a validation point based on the received set of keys and the assigned role(s).


    System and methods for network segmentation
    4.
    Patent application (in force)

    Publication number: US20070058638A1

    Publication date: 2007-03-15

    Application number: US11226011

    Filing date: 2005-09-14

    IPC classification: H04L12/28

    Abstract: A routing mechanism provides network segmentation preservation by route distribution with segment identification, policy distribution for a given VPN segment, and encapsulation/decapsulation for each segment using an Ethernet VLAN_ID, indicative of the VPN segment (subnetwork). Encapsulated segmentation information in a message packet identifies which routing and forwarding table is employed for the next hop. A common routing instance receives the message packets from the common interface, and indexes a corresponding VRF table from the VLAN ID, or segment identifier, indicative of the subnetwork (e.g. segment). In this manner, the routing instance receives the incoming message packet, decapsulates the VLAN ID in the incoming message packet, and indexes the corresponding VRF and policy ID from the VLAN ID, therefore employing a common routing instance over a common subinterface for a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. VPN router).


    Inspection and rewriting of cryptographically protected data from group VPNs
    5.
    Granted patent (in force)

    Publication number: US08347073B2

    Publication date: 2013-01-01

    Application number: US12231813

    Filing date: 2008-09-05

    IPC classification: H04L29/02 H04L9/08

    Abstract: Systems, methods, and other embodiments associated with processing secure network traffic are described. One example method includes determining whether a device is a preconfigured member of a group key system. If the device is not a preconfigured member then the method selectively establishes membership in the group key system by requesting membership from a group controller. The example method may also include receiving a set of keys from the group controller and being assigned a role by the group controller. The method may further include processing secure network traffic as an inspection point, a rewriting point, and/or a validation point based on the received set of keys and the assigned role(s).
