CA2532189A1 - Method and apparatus for providing network security using role-based access control - Google Patents


Info

Publication number
CA2532189A1
Authority
CA
Canada
Prior art keywords
user group
destination
source
packet
access control
Prior art date
Legal status
Granted
Application number
CA002532189A
Other languages
French (fr)
Other versions
CA2532189C (en)
Inventor
Michael R. Smith
Current Assignee
Cisco Technology Inc
Original Assignee
Cisco Technology, Inc.
Michael R. Smith
Priority date
Filing date
Publication date
Application filed by Cisco Technology, Inc. and Michael R. Smith
Publication of CA2532189A1
Application granted
Publication of CA2532189C
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/02 Topology update or discovery
    • H04L 45/04 Interdomain routing, e.g. hierarchical routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/54 Organization of routing tables
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H04L 45/745 Address table lookup; Address filtering
    • H04L 45/7453 Address table lookup; Address filtering using hashing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 12/4645 Details on frame tagging
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 12/4675 Dynamic sharing of VLAN information amongst network nodes

Abstract

A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list (700). Such an access control list includes an access control list entry (710), which, in turn, includes one or more user group fields (730 and 740). Alternatively, a network device implementing such a method can include, for example, a forwarding table (300) that includes a plurality of forwarding table entries (310). In such a case, at least one of the forwarding table entries includes a user group field (350).

Claims (88)

1. A network device comprising:
an access control list, wherein said access control list comprises an access control list entry, and
said access control list entry comprises a user group field.
2. The network device of claim 1, wherein said access control list comprises a plurality of access control list entries, and said access control list entries comprise said access control list entry.
3. The network device of claim 2, wherein said access control list entry further comprises:
a flow label field, wherein said flow label field allows said access control list entry to be identified as a role-based access control list (RBACL) entry.
4. The network device of claim 2, wherein said access control list entry further comprises:
a plurality of user group fields, wherein said user group fields comprise said user group field.
5. The network device of claim 4, wherein said user group fields further comprise:
a source user group field; and a destination user group field.
6. The network device of claim 5, wherein said source user group field stores a source user group identifier, and said source user group identifier identifies a user group of a source of a packet processed using said access control list.
7. The network device of claim 5, wherein said destination user group field stores a destination user group identifier, and said destination user group identifier identifies a user group of a destination of a packet processed using said access control list.
8. A network device comprising:
a forwarding table, wherein said forwarding table comprises a plurality of forwarding table entries, and at least one forwarding table entry of said forwarding table entries comprises a user group field.
9. The network device of claim 8, wherein said at least one forwarding table entry further comprises:
a port identifier field, wherein a port identifier stored in said port identifier field identifies a port.
10. The network device of claim 9, wherein a user group, identified by a user group identifier stored in said user group field, is associated with said port.
11. The network device of claim 10, wherein said at least one forwarding table entry further comprises:
a media access control (MAC) address field configured to store a MAC address;
and a virtual local area network (VLAN) identifier field, wherein a VLAN identifier stored in said VLAN identifier field identifies a VLAN, and a combination of said MAC address and said VLAN identifier identify said port and a user group identified by a user group identifier stored in said user group field.
12. The network device of claim 10, wherein said at least one forwarding table entry further comprises:
a media access control (MAC) address field configured to store a MAC address, wherein said MAC address is associated with a user group identified by a user group identifier stored in said user group field.
13. The network device of claim 8, wherein said at least one forwarding table entry further comprises:
a virtual local area network (VLAN) identifier field, wherein a VLAN identifier stored in said VLAN identifier field identifies a VLAN, and said VLAN is associated with a user group identified by a user group identifier stored in said user group field.
14. A method comprising:
comparing a user group of a packet with a user group of a destination of said packet.
15. The method of claim 14, wherein said user group of said destination of said packet is identified by a user group identifier, and said user group identifier is stored in a role-based access control list entry of an access control list.
16. The method of claim 14, wherein said user group of said packet is a source user group, and said user group of said destination of said packet is a destination user group.
17. The method of claim 16, wherein said source user group is assigned to a source of said packet based on a role of said source, and said destination user group is assigned to said destination based on a role of said destination.
18. The method of claim 16, further comprising:
retrieving said destination user group from a forwarding information base.
19. The method of claim 18, further comprising:
storing said destination user group in an access control list.
20. The method of claim 16, wherein said source user group is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device receiving said packet.
21. The method of claim 16, further comprising:
determining said source user group; and determining said destination user group by looking up said destination user group in an access control list.
22. The method of claim 21, wherein said destination user group is identified by a destination user group identifier, and said destination user group identifier is stored in a role-based access control list entry of said access control list.
23. The method of claim 21, wherein said access control list is a role-based access control list.
24. The method of claim 21, wherein said determining said source user group comprises:
extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.
25. The method of claim 24, further comprising:
populating said access control list with a destination user group identifier, wherein said destination user group identifier identifies said destination user group.
26. The method of claim 25, wherein said destination user group is assigned to said destination based on a role of said destination.
27. The method of claim 25, wherein said comparing and said populating are performed by a network device, and said populating comprises sending a request to another network device, and receiving a response from said another network device, wherein said response includes a destination user group identifier, and said destination user group identifier identifies said destination user group.
28. The method of claim 14, further comprising:
populating a forwarding table with a user group identifier, wherein said user group identifier identifies said user group of said packet, and said user group of said packet indicates a user group of a source of said packet.
29. The method of claim 28, wherein said source user group is assigned to said source based on a role of said source.
30. The method of claim 28, wherein said user group is a source user group, and said user group identifier is a source user group identifier.
31. The method of claim 30, wherein said comparing and said populating are performed by a network device, and said populating comprises determining said source user group.
32. The method of claim 31, wherein said populating further comprises:
receiving an authentication message from another network device, wherein said response includes said source user group identifier.
33. A computer program product comprising:
a first set of instructions, executable on a computer system, configured to compare a user group of a packet with a user group of a destination of said packet; and computer readable media, wherein said computer program product is encoded in said computer readable media.
34. The computer program product of claim 33, wherein said user group of said packet is a source user group, and said user group of said destination of said packet is a destination user group.
35. The computer program product of claim 34, further comprising:
a second set of instructions, executable on said computer system, configured to retrieve said destination user group from a forwarding information base.
36. The computer program product of claim 35, further comprising:
a third set of instructions, executable on said computer system, configured to store said destination user group in an access control list.
37. The computer program product of claim 33, wherein said source user group is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device receiving said packet.
38. The computer program product of claim 34, further comprising:
a second set of instructions, executable on said computer system, configured to determine said source user group; and a third set of instructions, executable on said computer system, configured to determine said destination user group by looking up said destination user group in an access control list.
39. The computer program product of claim 38, wherein said second set of instructions comprises:
a first subset of instructions, executable on said computer system, configured to extract a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.
40. The computer program product of claim 39, further comprising:
a fourth set of instructions, executable on said computer system, configured to populate said access control list with a destination user group identifier, wherein said destination user group identifier identifies said destination user group.
41. The computer program product of claim 33, further comprising:
a second set of instructions, executable on said computer system, configured to populate a forwarding table with a user group identifier, wherein said user group identifier identifies said user group of said packet, and said user group of said packet indicates a user group of a source of said packet.
42. The computer program product of claim 41, wherein said second set of instructions comprises:
a first subset of instructions, executable on said computer system, configured to determine said source user group.
43. The computer program product of claim 42, wherein said second set of instructions comprises:
a second subset of instructions, executable on said computer system, configured to receive an authentication message from another network device, wherein said response includes said source user group identifier.
44. An apparatus comprising:
means for comparing a user group of a packet with a user group of a destination of said packet.
45. The apparatus of claim 44, wherein said user group of said packet is a source user group, and said user group of said destination of said packet is a destination user group.
46. The apparatus of claim 45, further comprising:
means for retrieving said destination user group from a forwarding information base.
47. The apparatus of claim 46, further comprising:
means for storing said destination user group in an access control list.
48. The apparatus of claim 45, wherein said source user group is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device receiving said packet.
49. The apparatus of claim 45, further comprising:
means for determining said source user group; and means for determining said destination user group by looking up said destination user group in an access control list.
50. The apparatus of claim 49, wherein said means for determining said source user group comprises:
means for extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.
51. The apparatus of claim 50, further comprising:
means for populating said access control list with a destination user group identifier, wherein said destination user group identifier identifies said destination user group.
52. The apparatus of claim 44, further comprising:
means for populating a forwarding table with a user group identifier, wherein said user group identifier identifies said user group of said packet, and said user group of said packet indicates a user group of a source of said packet.
53. The apparatus of claim 52, wherein said means for comparing and said means for populating are included in a network device, and said means for populating comprises determining said source user group.
54. The apparatus of claim 53, wherein said means for populating further comprises:
means for receiving an authentication message from another network device, wherein said response includes said source user group identifier.
55. A method comprising:
populating an access control list with a destination user group identifier, wherein said destination user group identifier identifies a destination user group of a destination.
56. The method of claim 55, wherein said destination user group is assigned to said destination based on a role of said destination.
57. The method of claim 55, wherein said populating is performed by a network device and comprises sending a request to another network device, and receiving a response from said another network device, wherein said response includes said destination user group identifier, and said destination user group identifier identifies said destination user group.
58. The method of claim 55, further comprising:
comparing a user group of a packet with said destination user group.
59. The method of claim 58, wherein said user group of said packet is a source user group, said destination user group is a user group of a destination of said packet, and said destination is said destination of said packet.
60. The method of claim 59, wherein said source user group is assigned to a source of said packet based on a role of said source, and said destination user group is assigned to said destination based on a role of said destination.
61. The method of claim 59, wherein said source user group is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device receiving said packet.
62. The method of claim 59, further comprising:
determining said source user group; and determining said destination user group by looking up said destination user group in an access control list.
63. The method of claim 62, wherein said access control list is a role-based access control list.
64. The method of claim 62, wherein said determining said source user group comprises:
extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.
65. A method comprising:
populating a forwarding table with a user group identifier.
66. The method of claim 65, wherein said user group identifier is a source user group identifier, and so identifies a source user group.
67. The method of claim 66, wherein a source of a packet is in said source user group.
68. The method of claim 67, wherein said source user group is assigned to said source based on a role of said source.
69. The method of claim 67, wherein said populating comprises determining said source user group.
70. The method of claim 69, wherein said populating is performed by a network device and further comprises:
receiving an authentication message from another network device, wherein said response includes said source user group identifier.
71. The method of claim 67, wherein a destination of said packet is in a destination user group.
72. The method of claim 71, wherein said destination user group is assigned to said destination based on a role of said destination.
73. The method of claim 71, further comprising:
comparing a source user group of said packet with said destination user group.
74. The method of claim 73, wherein said source user group of said packet is indicated by a source user group identifier stored in said packet, and said destination user group is indicated by a destination user group stored in a network device performing said comparison.
75. The method of claim 71, further comprising:
determining said source user group; and determining said destination user group by looking up said destination user group in an access control list stored at said network device performing said comparison.
76. The method of claim 75, wherein said determining said source user group comprises:
extracting said source user group identifier stored in said packet from said packet, wherein said source user group identifier stored in said packet identifies said source user group of said source of said packet.
77. A method comprising:
indexing a row of a permissions matrix with a first user group; and indexing a column of said permissions matrix with a second user group.
78. The method of claim 77, wherein said first user group is a source user group, and said second user group is a destination user group.
79. The method of claim 78, wherein said permissions matrix comprises:
a plurality of permissions matrix entries.
80. The method of claim 79, wherein each of said permissions matrix entries is a pointer to a data structure.
81. The method of claim 80, wherein said data structure is a permission list.
82. The method of claim 80, wherein said data structure is a permission list entry.
83. The method of claim 80, wherein said data structure is a pointer to a permission list.
84. The method of claim 83, wherein said data structure further comprises:
another pointer to another permission list.
85. The method of claim 80, further comprising:
employing permission list chaining in said data structure.
86. The method of claim 80, further comprising:
selecting a selected permissions matrix entry of said permissions matrix entries, wherein said selecting comprises identifying a row of said permissions matrix using a source user group identifier, identifying a column of said permissions matrix using a destination user group identifier, and identifying a permissions matrix entry of said permissions matrix entries in said row and said column as said selected permissions matrix entry.
87. The method of claim 86, further comprising:
selecting a permission list from a plurality of permission lists using said selected permissions matrix entry.
88. The method of claim 86, further comprising:
selecting a permission list entry from a permission list using said selected permissions matrix entry.
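The claims describe three cooperating structures: a forwarding table whose (MAC, VLAN) entries carry a user group (claims 8 to 13), a packet that carries its source user group identifier (claim 20), and a permissions matrix whose rows are indexed by source user group and whose columns are indexed by destination user group, each entry pointing to a permission list that may be chained to another (claims 77 to 88). The following is an added illustration, not code from the patent or from Cisco; the user group numbers, MAC addresses, port numbers and the permit/deny policy are constructed sample values, and the permission-entry fields (protocol, destination port) are an assumption about what a permission list entry would filter on.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ForwardingEntry:
    """Forwarding table entry (claims 8 to 11): the (MAC, VLAN) key identifies
    a port and the user group associated with that port."""
    port: int
    user_group: int


@dataclass
class Packet:
    """Constructed packet: the source user group identifier travels in the
    packet itself (claim 20); the destination is resolved from MAC + VLAN."""
    src_ug: int
    dst_mac: str
    vlan: int
    protocol: str
    dst_port: int


@dataclass
class Permission:
    """One permission list entry (assumed shape): protocol/port filter + action."""
    protocol: str            # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "permit" or "deny"

    def matches(self, packet: Packet) -> bool:
        proto_ok = self.protocol in ("any", packet.protocol)
        port_ok = self.dst_port is None or self.dst_port == packet.dst_port
        return proto_ok and port_ok


@dataclass
class PermissionList:
    """Permission list with optional chaining (claims 83 to 85): when no entry
    in this list matches, evaluation continues in the chained list."""
    entries: List[Permission]
    chained: Optional["PermissionList"] = None


class RBACL:
    """Role-based ACL evaluation: source user group read from the packet,
    destination user group looked up in the forwarding table, then a
    permissions matrix lookup by (source user group, destination user group)."""

    def __init__(self, default_action: str = "deny") -> None:
        self.fib: Dict[Tuple[str, int], ForwardingEntry] = {}
        self.matrix: Dict[Tuple[int, int], PermissionList] = {}
        self.default_action = default_action  # fail closed when nothing matches

    def add_forwarding_entry(self, mac: str, vlan: int, port: int, user_group: int) -> None:
        self.fib[(mac.lower(), vlan)] = ForwardingEntry(port, user_group)

    def set_permissions(self, src_ug: int, dst_ug: int, plist: PermissionList) -> None:
        # Row indexed by source user group, column by destination user group (claim 86).
        self.matrix[(src_ug, dst_ug)] = plist

    def destination_user_group(self, packet: Packet) -> Optional[int]:
        entry = self.fib.get((packet.dst_mac.lower(), packet.vlan))
        return entry.user_group if entry else None

    def evaluate(self, packet: Packet) -> str:
        dst_ug = self.destination_user_group(packet)
        if dst_ug is None:
            return self.default_action  # unknown destination has no role: fail closed
        plist = self.matrix.get((packet.src_ug, dst_ug))
        while plist is not None:
            for perm in plist.entries:  # first match wins, as in a classic ACL
                if perm.matches(packet):
                    return perm.action
            plist = plist.chained       # permission list chaining (claim 85)
        return self.default_action      # no matrix entry or no match: default


ENGINEERING, FINANCE_SERVERS, GUEST = 10, 20, 30  # constructed user group ids


def build_demo() -> RBACL:
    """Constructed policy: engineering may reach finance servers over TCP/443
    only; other traffic to them falls through to a shared deny list."""
    acl = RBACL()
    acl.add_forwarding_entry("00:11:22:33:44:55", vlan=100, port=7,
                             user_group=FINANCE_SERVERS)
    deny_rest = PermissionList([Permission("any", None, "deny")])
    acl.set_permissions(ENGINEERING, FINANCE_SERVERS,
                        PermissionList([Permission("tcp", 443, "permit")],
                                       chained=deny_rest))
    return acl


if __name__ == "__main__":
    acl = build_demo()
    for pkt in (Packet(ENGINEERING, "00:11:22:33:44:55", 100, "tcp", 443),
                Packet(ENGINEERING, "00:11:22:33:44:55", 100, "tcp", 22),
                Packet(GUEST, "00:11:22:33:44:55", 100, "tcp", 443),
                Packet(ENGINEERING, "aa:bb:cc:dd:ee:ff", 100, "tcp", 443)):
        print(pkt.src_ug, "->", acl.destination_user_group(pkt), acl.evaluate(pkt))
```

The guest packet is denied because there is no (GUEST, FINANCE_SERVERS) matrix entry, and the packet to an unknown MAC is denied because the forwarding table cannot supply a destination user group, which is the fail-closed behaviour a practitioner would want.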

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10/659,614 US7530112B2 (en) 2003-09-10 2003-09-10 Method and apparatus for providing network security using role-based access control
US10/659,614 2003-09-10
PCT/US2004/028359 WO2005027464A1 (en) 2003-09-10 2004-08-31 Method and apparatus for providing network security using role-based access control

Publications (2)

Publication Number Publication Date
CA2532189A1 (en) 2005-03-24
CA2532189C (en) 2012-12-18

Family

ID=34226987

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2532189A Active CA2532189C (en) 2003-09-10 2004-08-31 Method and apparatus for providing network security using role-based access control

Country Status (6)

Country Link
US (5) US7530112B2 (en)
EP (1) EP1678912B1 (en)
CN (1) CN1823514B (en)
CA (1) CA2532189C (en)
ES (1) ES2574003T3 (en)
WO (1) WO2005027464A1 (en)

Families Citing this family (101)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7530112B2 (en) 2003-09-10 2009-05-05 Cisco Technology, Inc. Method and apparatus for providing network security using role-based access control
WO2005032042A1 (en) 2003-09-24 2005-04-07 Infoexpress, Inc. Systems and methods of controlling network access
US7299493B1 (en) 2003-09-30 2007-11-20 Novell, Inc. Techniques for dynamically establishing and managing authentication and trust relationships
US7836490B2 (en) 2003-10-29 2010-11-16 Cisco Technology, Inc. Method and apparatus for providing network security using security labeling
US7971244B1 (en) * 2003-11-19 2011-06-28 Cisco Technology, Inc. Method of determining network penetration
JP4676782B2 (en) * 2004-04-28 2011-04-27 株式会社リコー Information processing apparatus, operation permission data generation method, operation permission data generation permission determination method, operation permission data generation program, operation permission data generation permission determination program, and recording medium
US8990254B2 (en) * 2004-07-02 2015-03-24 Ellie Mae, Inc. Loan origination software system for processing mortgage loans over a distributed network
EP1624638B1 (en) * 2004-08-05 2006-10-25 Alcatel Access control method and apparatus
JP2006072486A (en) * 2004-08-31 2006-03-16 Konica Minolta Business Technologies Inc Data management device, data management system and data management method
US7669244B2 (en) 2004-10-21 2010-02-23 Cisco Technology, Inc. Method and system for generating user group permission lists
KR100677145B1 (en) * 2004-10-28 2007-02-02 삼성전자주식회사 Method and apparatus for auto-configuring network address
US7877796B2 (en) 2004-11-16 2011-01-25 Cisco Technology, Inc. Method and apparatus for best effort propagation of security group information
US7886145B2 (en) * 2004-11-23 2011-02-08 Cisco Technology, Inc. Method and system for including security information with a packet
US7721323B2 (en) * 2004-11-23 2010-05-18 Cisco Technology, Inc. Method and system for including network security information in a frame
US7827402B2 (en) 2004-12-01 2010-11-02 Cisco Technology, Inc. Method and apparatus for ingress filtering using security group information
US8245280B2 (en) * 2005-02-11 2012-08-14 Samsung Electronics Co., Ltd. System and method for user access control to content in a network
US20060218394A1 (en) * 2005-03-28 2006-09-28 Yang Dung C Organizational role-based controlled access management system
US20060225128A1 (en) * 2005-04-04 2006-10-05 Nokia Corporation Measures for enhancing security in communication systems
US7774827B2 (en) * 2005-06-06 2010-08-10 Novell, Inc. Techniques for providing role-based security with instance-level granularity
US9191396B2 (en) * 2005-09-08 2015-11-17 International Business Machines Corporation Identifying source of malicious network messages
US9858433B2 (en) 2005-09-16 2018-01-02 Koninklijke Philips N.V. Cryptographic role-based access control
US8059647B2 (en) * 2005-10-05 2011-11-15 Nortel Networks Limited Multicast implementation in a link state protocol controlled ethernet network
US7688756B2 (en) 2005-10-05 2010-03-30 Nortel Networks Limited Provider link state bridging
US20070100830A1 (en) * 2005-10-20 2007-05-03 Ganesha Beedubail Method and apparatus for access control list (ACL) binding in a data processing system
US20070214497A1 (en) * 2006-03-10 2007-09-13 Axalto Inc. System and method for providing a hierarchical role-based access control
US7814311B2 (en) * 2006-03-10 2010-10-12 Cisco Technology, Inc. Role aware network security enforcement
US7953089B1 (en) * 2006-05-16 2011-05-31 Cisco Technology, Inc. Systems and methods for multicast switching in a private VLAN
US9455990B2 (en) 2006-07-21 2016-09-27 International Business Machines Corporation System and method for role based access control in a content management system
US20080028445A1 (en) * 2006-07-31 2008-01-31 Fortinet, Inc. Use of authentication information to make routing decisions
CN100456747C (en) * 2006-08-02 2009-01-28 华为技术有限公司 Method and network equipment for implementing inspection of reversal path of unicast
JP4923869B2 (en) * 2006-08-30 2012-04-25 富士通株式会社 Control program and control method
US8607058B2 (en) * 2006-09-29 2013-12-10 Intel Corporation Port access control in a shared link environment
US8528102B2 (en) * 2006-10-06 2013-09-03 Broadcom Corporation Method and system for protection of customer secrets in a secure reprogrammable system
US9231911B2 (en) * 2006-10-16 2016-01-05 Aruba Networks, Inc. Per-user firewall
US20080148382A1 (en) * 2006-12-15 2008-06-19 International Business Machines Corporation System, method and program for managing firewalls
US7840708B2 (en) * 2007-08-13 2010-11-23 Cisco Technology, Inc. Method and system for the assignment of security group information using a proxy
US20090077656A1 (en) * 2007-09-14 2009-03-19 Kabushiki Kaisha Toshiba Image forming apparatus, image forming system, and control method of image forming apparatus
US20090328188A1 (en) * 2008-05-01 2009-12-31 Motorola, Inc. Context-based semantic firewall for the protection of information
KR101398631B1 (en) * 2008-05-30 2014-05-22 삼성전자주식회사 Method and Apparatus of Anti-Replay Attack over Wireless Network Environment
US8201228B2 (en) * 2008-09-23 2012-06-12 Fujitsu Limited System and method for securing a network
US8826455B2 (en) * 2009-02-17 2014-09-02 International Business Machines Corporation Method and apparatus for automated assignment of access permissions to users
US7924717B2 (en) * 2009-02-27 2011-04-12 Hewlett-Packard Development Company, L.P. Systems and methods of handling access control violations
US8255419B2 (en) 2009-06-17 2012-08-28 Microsoft Corporation Exclusive scope model for role-based access control administration
US8782086B2 (en) * 2009-08-27 2014-07-15 Cleversafe, Inc. Updating dispersed storage network access control information
JP5673543B2 (en) * 2009-09-10 2015-02-18 日本電気株式会社 Role setting device, role setting method, and role setting program
US20110202384A1 (en) * 2010-02-17 2011-08-18 Rabstejnek Wayne S Enterprise Rendering Platform
CN102263774B (en) 2010-05-24 2014-04-16 杭州华三通信技术有限公司 Method and device for processing source role information
JP5581141B2 (en) * 2010-07-29 2014-08-27 株式会社Pfu Management server, communication cutoff device, information processing system, method, and program
US8750144B1 (en) * 2010-10-20 2014-06-10 Google Inc. System and method for reducing required memory updates
US9178910B2 (en) * 2010-12-24 2015-11-03 Nec Corporation Communication system, control apparatus, policy management apparatus, communication method, and program
US9767268B2 (en) 2011-04-20 2017-09-19 International Business Machines Corporation Optimizing a compiled access control table in a content management system
CN102316002B (en) * 2011-10-31 2014-04-30 华为技术有限公司 Method and apparatus for configuration of virtual local area network
CN102495985B (en) * 2011-12-13 2014-06-25 桂林电子科技大学 Role access control method based on dynamic description logic
EP2663053A3 (en) * 2012-05-09 2014-01-01 Computer Security Products, Inc. Methods and apparatus for creating and implementing security policies for resources on a network
TWI476627B (en) * 2012-05-11 2015-03-11 Chunghwa Telecom Co Ltd The management system and method of network service level and function of cloud virtual desktop application
KR101401794B1 (en) * 2012-06-29 2014-06-27 인텔렉추얼디스커버리 주식회사 Method and apparatus for providing data sharing
CN102833227A (en) * 2012-07-11 2012-12-19 武汉虹信通信技术有限责任公司 Method and system for realizing access control list in wireless access controller
US9197498B2 (en) 2012-08-31 2015-11-24 Cisco Technology, Inc. Method for automatically applying access control policies based on device types of networked computing devices
US9258208B2 (en) 2012-10-30 2016-02-09 Cisco Technology, Inc. Multiple path availability between walkable clusters
US9043874B2 (en) * 2012-11-28 2015-05-26 Wal-Mart Stores, Inc. System and method for protecting data in an enterprise environment
CN103051609B (en) * 2012-12-07 2015-11-18 东软集团股份有限公司 The virtual interactive interface method of gateway device and the NS software by its execution
US9019837B2 (en) 2013-02-19 2015-04-28 Cisco Technology, Inc. Packet modification to facilitate use of network tags
CN103220287B (en) * 2013-04-11 2016-12-28 汉柏科技有限公司 Utilize the method that ACL carries out business coupling to message
US9191404B2 (en) * 2013-06-05 2015-11-17 Cisco Technology, Inc. Probabilistic flow management
CN103581018B (en) * 2013-07-26 2017-08-11 北京华为数字技术有限公司 File transmitting method, router and operation exchange device
CN104580116B (en) * 2013-10-25 2018-09-14 新华三技术有限公司 A kind of management method and equipment of security strategy
US20150124824A1 (en) * 2013-11-05 2015-05-07 Cisco Technology, Inc. Incast drop cause telemetry
CN103595711A (en) * 2013-11-06 2014-02-19 神州数码网络(北京)有限公司 Adjusting safety access method and exchanger
CN103605916A (en) * 2013-12-06 2014-02-26 山东高速信息工程有限公司 RBAC (Role-Based policies Access Control) accessing control model based on organization
US9973904B2 (en) * 2014-09-15 2018-05-15 Bank Of America Corporation Matrix access review
US9917839B2 (en) * 2014-10-17 2018-03-13 Aruba Networks, Inc. Communication model based on user role
US9992202B2 (en) * 2015-02-28 2018-06-05 Aruba Networks, Inc Access control through dynamic grouping
US9755939B2 (en) * 2015-06-26 2017-09-05 Cisco Technology, Inc. Network wide source group tag binding propagation
CN106549793B (en) * 2015-09-23 2020-08-07 华为技术有限公司 Flow control method and device
US20170187700A1 (en) * 2015-12-28 2017-06-29 Paypal, Inc. Pregenerated two-factor authentication tokens
US11611564B2 (en) * 2016-02-15 2023-03-21 Luigius Caramico Methods and systems of dual-layer computer-system security
CN106506468A (en) * 2016-10-31 2017-03-15 盛科网络(苏州)有限公司 A kind of method that minimizing ACE entries are consumed
CN106533693B (en) * 2016-11-03 2021-01-19 中车青岛四方机车车辆股份有限公司 Access method and device of railway vehicle monitoring and overhauling system
TWI585600B (en) * 2016-12-02 2017-06-01 亞洲大學 CBR-based Negotiation RBAC Method for Enhancing Ubiquitous Resources Management
CN108347376B (en) * 2017-01-24 2020-01-31 华为技术有限公司 method, device and system for adjusting forwarding path
CN108418776B (en) * 2017-02-09 2021-08-20 上海诺基亚贝尔股份有限公司 Method and apparatus for providing secure services
US10673863B2 (en) 2017-02-24 2020-06-02 International Business Machines Corporation Managing inter-object operations in a domain role-based access control (RBAC) system
US10397116B1 (en) * 2017-05-05 2019-08-27 Amazon Technologies, Inc. Access control based on range-matching
US10958622B2 (en) 2018-01-10 2021-03-23 Cisco Technology, Inc. Hierarchical security group identifiers
CN108549797A (en) * 2018-03-26 2018-09-18 安徽笛申科技有限公司 A kind of user and user group and the System right management method of role
EP3550791B1 (en) 2018-04-03 2023-12-06 Palantir Technologies Inc. Controlling access to computer resources
US11212257B2 (en) 2018-06-22 2021-12-28 Aeronix, Inc. Multi-level secure ethernet switch
US11483313B2 (en) * 2018-06-28 2022-10-25 Intel Corporation Technologies for updating an access control list table without causing disruption
US11070458B2 (en) * 2018-07-17 2021-07-20 Cisco Technology, Inc. Encrypted traffic analysis control mechanisms
US11258794B2 (en) * 2019-01-09 2022-02-22 Hewlett Packard Enterprise Development Lp Device category based authentication
US10764177B2 (en) * 2019-01-21 2020-09-01 Mellanox Technologies Tlv Ltd. Efficient implementation of complex network segmentation
US11704441B2 (en) * 2019-09-03 2023-07-18 Palantir Technologies Inc. Charter-based access controls for managing computer resources
WO2021046782A1 (en) * 2019-09-11 2021-03-18 Oppo广东移动通信有限公司 Access control method, device, and storage medium
US11336695B2 (en) 2019-11-15 2022-05-17 Cisco Technology, Inc. Conversation-based policy distribution
CN110958334B (en) * 2019-11-25 2022-08-09 新华三半导体技术有限公司 Message processing method and device
CN111049840B (en) * 2019-12-17 2022-04-26 锐捷网络股份有限公司 Message detection method and device
CN112632525A (en) * 2020-12-30 2021-04-09 南京中孚信息技术有限公司 Method and device for limiting user to access electronic document
US20230089819A1 (en) * 2021-09-22 2023-03-23 Hewlett Packard Enterprise Development Lp Source port-based identification of client role
US11936658B2 (en) 2021-11-15 2024-03-19 Bank Of America Corporation Intelligent assignment of a network resource
CN114095231B (en) * 2021-11-16 2023-11-17 锐捷网络股份有限公司 Message filtering method, device, equipment and medium
US20230179604A1 (en) * 2021-12-08 2023-06-08 Capital One Services, Llc Access control systems and methods for automatically assigning roles

Family Cites Families (95)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4922486A (en) * 1988-03-31 1990-05-01 American Telephone And Telegraph Company User to network interface protocol for packet communications networks
US5017917A (en) * 1988-12-30 1991-05-21 At&T Bell Laboratories Restriction of communication service accessibility among subscriber communities
US5113442A (en) 1989-03-06 1992-05-12 Lachman Associates, Inc. Method and apparatus for providing access control in a secure operating system
US5204961A (en) 1990-06-25 1993-04-20 Digital Equipment Corporation Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols
US5251205A (en) 1990-09-04 1993-10-05 Digital Equipment Corporation Multiple protocol routing
EP0697662B1 (en) 1994-08-15 2001-05-30 International Business Machines Corporation Method and system for advanced role-based access control in distributed and centralized computer systems
US5615264A (en) 1995-06-08 1997-03-25 Wave Systems Corp. Encrypted data package record for use in remote transaction metered data system
US5941947A (en) * 1995-08-18 1999-08-24 Microsoft Corporation System and method for controlling access to data entities in a computer network
JP3688830B2 (en) 1995-11-30 2005-08-31 株式会社東芝 Packet transfer method and packet processing apparatus
US5787427A (en) * 1996-01-03 1998-07-28 International Business Machines Corporation Information handling system, method, and article of manufacture for efficient object security processing by grouping objects sharing common control access policies
US6272538B1 (en) * 1996-07-30 2001-08-07 Micron Technology, Inc. Method and system for establishing a security perimeter in computer networks
US6023765A (en) * 1996-12-06 2000-02-08 The United States Of America As Represented By The Secretary Of Commerce Implementation of role-based access control in multi-level secure systems
US6292900B1 (en) 1996-12-18 2001-09-18 Sun Microsystems, Inc. Multilevel security attribute passing methods, apparatuses, and computer program products in a stream
US5845068A (en) 1996-12-18 1998-12-01 Sun Microsystems, Inc. Multilevel security port methods, apparatuses, and computer program products
US6212558B1 (en) 1997-04-25 2001-04-03 Anand K. Antur Method and apparatus for configuring and managing firewalls and security devices
US6088659A (en) 1997-09-11 2000-07-11 Abb Power T&D Company Inc. Automated meter reading system
US5968177A (en) * 1997-10-14 1999-10-19 Entrust Technologies Limited Method and apparatus for processing administration of a secured community
US6014666A (en) * 1997-10-28 2000-01-11 Microsoft Corporation Declarative and programmatic access control of component-based server applications using roles
US6202066B1 (en) * 1997-11-19 2001-03-13 The United States Of America As Represented By The Secretary Of Commerce Implementation of role/group permission association using object access type
US6052456A (en) * 1997-12-23 2000-04-18 Alcatel Usa Sourcing, L.P. Graphical shelf navigator for a telecommunications switch management system
US6233618B1 (en) * 1998-03-31 2001-05-15 Content Advisor, Inc. Access control of networked data
US6449643B1 (en) * 1998-05-14 2002-09-10 Nortel Networks Limited Access control with just-in-time resource discovery
US6304973B1 (en) * 1998-08-06 2001-10-16 Cryptek Secure Communications, Llc Multi-level security network system
US6292798B1 (en) * 1998-09-09 2001-09-18 International Business Machines Corporation Method and system for controlling access to data resources and protecting computing system resources from unauthorized access
JP2000099738A (en) * 1998-09-28 2000-04-07 Sony Corp Information recorder and information recording method, measuring instrument and its method, image processor and image processing method, image processing system, and providing medium
JP2002526830A (en) * 1998-09-28 2002-08-20 アーガス システムズ グループ,インク. Compartmentalized trust computer operating system
US6405259B1 (en) * 1998-12-08 2002-06-11 International Business Machines Corporation Data processing system and method for transmission of a network packet specifying a group identifier identifying a selected plurality of clients
US6271946B1 (en) * 1999-01-25 2001-08-07 Telcordia Technologies, Inc. Optical layer survivability and security system using optical label switching and high-speed optical header generation and detection
US6973057B1 (en) * 1999-01-29 2005-12-06 Telefonaktiebolaget L M Ericsson (Publ) Public mobile data communications network
US7881477B2 (en) * 1999-02-05 2011-02-01 Avaya Inc. Method for key distribution in a hierarchical multicast traffic security system for an internetwork
US6678827B1 (en) 1999-05-06 2004-01-13 Watchguard Technologies, Inc. Managing multiple network security devices from a manager device
US6754214B1 (en) 1999-07-19 2004-06-22 Dunti, Llc Communication network having packetized security codes and a system for detecting security breach locations within the network
US6711172B1 (en) * 1999-08-02 2004-03-23 Nortel Networks Corp. Network packet routing
JP3163496B2 (en) * 1999-08-20 2001-05-08 株式会社光栄 Group character moving method, recording medium, and game device
US7072343B1 (en) * 1999-09-27 2006-07-04 Cisco Technology, Inc. Methods and apparatus for controlling a data stream using a host agent acting on behalf of a host computer
US7023863B1 (en) 1999-10-29 2006-04-04 3Com Corporation Apparatus and method for processing encrypted packets in a computer network device
US7000120B1 (en) 1999-12-23 2006-02-14 Nokia Corporation Scheme for determining transport level information in the presence of IP security encryption
US6985948B2 (en) 2000-03-29 2006-01-10 Fujitsu Limited User's right information and keywords input based search query generating means method and apparatus for searching a file
US20020026592A1 (en) 2000-06-16 2002-02-28 Vdg, Inc. Method for automatic permission management in role-based access control systems
CN1334519A (en) * 2000-07-13 2002-02-06 王信 Method and system for treating differences between network game roles
ES2312483T3 (en) 2000-07-14 2009-03-01 Irdeto Access B.V. ARCHITECTURE OF SECURE DATA DISSEMINATION BY PACKAGES.
JP2002077213A (en) 2000-09-05 2002-03-15 Hitachi Kokusai Electric Inc System for accessing subscriber's radio
US6823462B1 (en) * 2000-09-07 2004-11-23 International Business Machines Corporation Virtual private network with multiple tunnels associated with one group name
EP1209644A1 (en) * 2000-11-23 2002-05-29 Telefonaktiebolaget L M Ericsson (Publ) Traffic management system including a layered management structure
JP4183379B2 (en) 2000-11-27 2008-11-19 富士通株式会社 Network and edge router
US7032243B2 (en) * 2000-12-15 2006-04-18 Hewlett-Packard Development Company, L.P. System and method for a group-based network access control for computer
US7284271B2 (en) 2001-03-14 2007-10-16 Microsoft Corporation Authorizing a requesting entity to operate upon data structures
US7136374B1 (en) 2001-03-19 2006-11-14 Juniper Networks, Inc. Transport networks supporting virtual private networks, and configuring such networks
US7380271B2 (en) 2001-07-12 2008-05-27 International Business Machines Corporation Grouped access control list actions
US7207062B2 (en) * 2001-08-16 2007-04-17 Lucent Technologies Inc Method and apparatus for protecting web sites from distributed denial-of-service attacks
US7207061B2 (en) 2001-08-31 2007-04-17 International Business Machines Corporation State machine for accessing a stealth firewall
JP2003110609A (en) 2001-09-28 2003-04-11 Fujitsu Ltd Communication apparatus
US8713185B2 (en) 2001-12-07 2014-04-29 Rockstar Bidco, LP Methods of establishing virtual circuits and of providing a virtual private network service through a shared network, and provider edge device for such network
US7591020B2 (en) 2002-01-18 2009-09-15 Palm, Inc. Location based security modification system and method
US7743415B2 (en) 2002-01-31 2010-06-22 Riverbed Technology, Inc. Denial of service attacks characterization
US7574735B2 (en) 2002-02-13 2009-08-11 Nokia Corporation Method and network element for providing secure access to a packet data network
US7305704B2 (en) * 2002-03-16 2007-12-04 Trustedflow Systems, Inc. Management of trusted flow system
US7185365B2 (en) * 2002-03-27 2007-02-27 Intel Corporation Security enabled network access control
US20030196108A1 (en) * 2002-04-12 2003-10-16 Kung Kenneth C. System and techniques to bind information objects to security labels
US8910241B2 (en) * 2002-04-25 2014-12-09 Citrix Systems, Inc. Computer security system
US7284269B2 (en) 2002-05-29 2007-10-16 Alcatel Canada Inc. High-speed adaptive structure of elementary firewall modules
US7548541B2 (en) 2002-06-04 2009-06-16 Alcatel-Lucent Usa Inc. Managing VLAN traffic in a multiport network node using customer-specific identifiers
US7415723B2 (en) * 2002-06-11 2008-08-19 Pandya Ashish A Distributed network security system and a hardware processor therefor
US7594262B2 (en) * 2002-09-04 2009-09-22 Secure Computing Corporation System and method for secure group communications
US7023963B1 (en) * 2002-09-18 2006-04-04 Adtran, Inc. DSL line card echo canceler-based mechanism for locating telecommunication line fault
KR100933167B1 (en) 2002-10-02 2009-12-21 삼성전자주식회사 Transmission Method for Authentication and Privacy Guarantee in Tree-structured Networks
US7350077B2 (en) 2002-11-26 2008-03-25 Cisco Technology, Inc. 802.11 using a compressed reassociation exchange to facilitate fast handoff
US7417950B2 (en) * 2003-02-03 2008-08-26 Ciena Corporation Method and apparatus for performing data flow ingress/egress admission control in a provider network
US7567510B2 (en) * 2003-02-13 2009-07-28 Cisco Technology, Inc. Security groups
US7434045B1 (en) * 2003-04-21 2008-10-07 Cisco Technology, Inc. Method and apparatus for indexing an inbound security association database
US20040223497A1 (en) 2003-05-08 2004-11-11 Onvoy Inc. Communications network with converged services
US20040268123A1 (en) * 2003-06-27 2004-12-30 Nokia Corporation Security for protocol traversal
US7397922B2 (en) 2003-06-27 2008-07-08 Microsoft Corporation Group security
US7519989B2 (en) * 2003-07-17 2009-04-14 Av Thenex Inc. Token device that generates and displays one-time passwords and that couples to a computer for inputting or receiving data for generating and outputting one-time passwords and other functions
US7734844B2 (en) * 2003-08-19 2010-06-08 General Dynamics Advanced Information Systems, Inc. Trusted interface unit (TIU) and method of making and using the same
US7530112B2 (en) 2003-09-10 2009-05-05 Cisco Technology, Inc. Method and apparatus for providing network security using role-based access control
US7965653B2 (en) 2003-09-25 2011-06-21 Cisco Technology, Inc. System and method for registering and un-registering membership in virtual local area networks
US7519986B2 (en) 2003-10-01 2009-04-14 Tara Chand Singhal Method and apparatus for network security using a router based authentication system
US7836490B2 (en) * 2003-10-29 2010-11-16 Cisco Technology, Inc. Method and apparatus for providing network security using security labeling
EP1531645A1 (en) 2003-11-12 2005-05-18 Matsushita Electric Industrial Co., Ltd. Context transfer in a communication network comprising plural heterogeneous access networks
US8146148B2 (en) 2003-11-19 2012-03-27 Cisco Technology, Inc. Tunneled security groups
US7568098B2 (en) 2003-12-02 2009-07-28 Microsoft Corporation Systems and methods for enhancing security of communication over a public network
US7624431B2 (en) * 2003-12-04 2009-11-24 Cisco Technology, Inc. 802.1X authentication technique for shared media
US20050177717A1 (en) * 2004-02-11 2005-08-11 Grosse Eric H. Method and apparatus for defending against denial on service attacks which employ IP source spoofing
US20050190758A1 (en) * 2004-03-01 2005-09-01 Cisco Technology, Inc. Security groups for VLANs
US7882544B2 (en) * 2004-07-12 2011-02-01 International Business Machines Corporation Inherited role-based access control system, method and program product
US7660259B1 (en) * 2004-10-20 2010-02-09 Extreme Networks, Inc. Methods and systems for hybrid hardware- and software-base media access control (MAC) address learning
US7669244B2 (en) 2004-10-21 2010-02-23 Cisco Technology, Inc. Method and system for generating user group permission lists
US7877796B2 (en) 2004-11-16 2011-01-25 Cisco Technology, Inc. Method and apparatus for best effort propagation of security group information
US7886145B2 (en) 2004-11-23 2011-02-08 Cisco Technology, Inc. Method and system for including security information with a packet
US7721323B2 (en) * 2004-11-23 2010-05-18 Cisco Technology, Inc. Method and system for including network security information in a frame
US7827402B2 (en) 2004-12-01 2010-11-02 Cisco Technology, Inc. Method and apparatus for ingress filtering using security group information
US7437755B2 (en) 2005-10-26 2008-10-14 Cisco Technology, Inc. Unified network and physical premises access control server
US7506102B2 (en) 2006-03-28 2009-03-17 Cisco Technology, Inc. Method and apparatus for local access authorization of cached resources
US7840708B2 (en) 2007-08-13 2010-11-23 Cisco Technology, Inc. Method and system for the assignment of security group information using a proxy

Also Published As

Publication number Publication date
US20160255087A1 (en) 2016-09-01
US7530112B2 (en) 2009-05-05
US7954163B2 (en) 2011-05-31
US20050055573A1 (en) 2005-03-10
US9237158B2 (en) 2016-01-12
US20110231907A1 (en) 2011-09-22
CN1823514B (en) 2012-01-04
US20090217355A1 (en) 2009-08-27
ES2574003T3 (en) 2016-06-14
EP1678912B1 (en) 2016-04-27
EP1678912A1 (en) 2006-07-12
CN1823514A (en) 2006-08-23
US20140173703A1 (en) 2014-06-19
US9860254B2 (en) 2018-01-02
US8661556B2 (en) 2014-02-25
WO2005027464A1 (en) 2005-03-24
CA2532189C (en) 2012-12-18

Similar Documents

Publication Publication Date Title
CA2532189A1 (en) Method and apparatus for providing network security using role-based access control
CN103581363B (en) To malice domain name and the control method and device of unauthorized access
US20140310307A1 (en) Exact Match Lookup with Variable Key Sizes
EP2314027B1 (en) Switching table in an ethernet bridge
CN107368354B (en) Virtual machine security isolation method
JP2009532989A (en) Method for performing a table lookup operation using a table index that exceeds the CAM key size
CN110347723A (en) A kind of data query method, system and electronic equipment and storage medium
GB2386291B (en) Integrated procedure for partitioning network data services among multiple subscribers
CN104053154B (en) A kind of wireless network access controlling method, device and access point apparatus
JP2012164031A (en) Data processor, data storage device, data processing method, data storage method and program
Guo Fragile watermarking scheme for tamper detection of relational database
CN106980793A (en) TrustZone-based universal password storage and reading method, device and terminal equipment
EP3012747B1 (en) Tcam-based table query processing method and apparatus
RU2005108108A (en) METHOD AND SYSTEM FOR DISPLAYING AND MANAGING INFORMATION RELATING TO SAFETY
CN102571355A (en) Method and device for importing secret key without landing
US20120134360A1 (en) Device and method for processing network packet
CN108664808B (en) A kind of user's sensitivity theme guard method and system towards books search service
CN102143151B (en) Deep packet inspection based protocol packet spanning inspection method and deep packet inspection based protocol packet spanning inspection device
CN103780630A (en) Method and system for isolating ports of virtual local area network
EP1357722A1 (en) Method for controlling network access for fragments
CN105978868A (en) Method and apparatus for searching IP address authority
CN106130903A (en) SDN switch stream table encryption method based on FPGA
JP2011150388A (en) System for converting file storage destination path based on secrecy section information, and method
CA2538443A1 (en) System and method for sending encrypted messages to a distribution list
CN111950000A (en) Access access control method and device

Legal Events

Date Code Title Description
EEER Examination request