51 results about "Security policy database" patented technology

A system and method providing Internet protocol security without secure domain name resolution are disclosed. A processor that periodically needs to resolve domain names into network addresses has a local DNS server that includes a secure IPSEC cache, a resolver function, a security policy database, and an IPSEC layer. The cache is readable only by the IPSEC layer. Resolved domain names are cached with process and transaction identifiers that uniquely associate the resolved names with an application process and time. When resolution is needed, the cache is used to ensure that IP addresses are resolved from names that came from the application. As a result, IPSEC connections may be established without use of DNSSEC to provide secure domain name resolution.

A system for accessing at least one Virtual Private Network (VPN) includes a terminal, and can include at least one Security Policy Database (SPD). The terminal is capable of communicating with a VPN client and at least one application. The VPN client, in turn, is capable of defining at least one VPN access point, each VPN access point including an associated physical access point and VPN policy. Thereafter, the VPN client can access at least one VPN based upon the VPN access point(s) to thereby establish at least one data connection from at least one application across the at least one VPN. In addition, the VPN client can be capable of downloading at least one VPN policy from the SPD. A system for managing at least one Virtual Private Network (VPN) policy is also provided, where the VPN polic(ies) are for use in accessing at least one VPN.

Methods and apparatus' for performing IPSec processing on an IP packet being transmitted onto a network and being received from a network are described. The methods and apparatus' further described perform IPSec processing inline which results in a reduced number of transfers over the system bus, reduced utilization of system memory, and a reduced utilization of the system CPU. An IP packet which requires IPSec processing enters an acceleration device. In one embodiment, the acceleration device is coupled to a security policy database (SPD) and security association database (SAD). IPSec processing is performed at the acceleration device without sending the IP Packet to system memory for processing.

A searching method for a Security Policy Database (SPD) is proposed. The characteristic of peer gateway of the IPSec is applied to divide the original SPD into multiple smaller peer-based SPDs, and build a peer table corresponding to the peer-based SPDs. When it is required to search the policies in the database, the peer-based SPD according to the present invention can be directly used so as to save the time of data searching.

The invention discloses a digital content trusted usage control method based on cloud computing. The system framework comprises a multimedia server, a mobile terminal, a verification agent server, a certificate and license server, an integrity measurement reference and security policy database and a trust measurement log, wherein the mobile terminal uses the multimedia digital content on the multimedia server through a graphical user interface of a DRM (digital rights management) controller; a multimedia server platform runs the DRM controller and performs usage control on the DRM controller through a DRM license; the mobile terminal and the multimedia server determine a verification agent through negotiation; and by adopting a remote proof method and a bidirectional integrity verification security protocol, which support the verification agent, the bidirectional trust relationship between the multimedia content provider and the terminal user is guaranteed, and the secrete privacy data on the terminal equipment of the user is protected as well. In the invention, as the DRM controller is configured on the multimedia server, the possibility of malicious attack such as breaking, tampering and the like, performed by an illegal user, is avoided.

A packet communication system for effectively using network resources and for improving network operability. A transmission security policy database specifies the omission of header information attached when a transmission packet is capsulated, as a transmission security policy. A header-information omitting section omits the header information of the capsulated transmission packet. A packet transmission processing section adds a security header and a header for tunnel communication to the packet from which the header information has been omitted and transmits the packet. A receiving security policy database specifies that the header information has been omitted, as a receiving security policy. A header-information recovering section searches the receiving security policy database for a security policy for a received packet, and when recognizing that the received packet is a target packet from which the header information has been omitted, recovers the header information.

Security policy databases capable of being fast retrieved while securing sequentiality. An IPSec processing device of the present invention performs communications by encrypting IP packets exchanged between a first IP network and a second IP network. The IPSec processing device includes a security policy database that stores security policies. The security policy database includes first, second, and third security policy databases. The first and third security policy databases include a linear list structure, and the second security policy database includes a hash list structure. The IPSec processing device, when performing at least one of transmission and reception of the IP packet, retrieves a security policy in the order of the first, second, and third security policy databases.

The invention relates to a system and method for dynamically configuring a virtual machine migration security policy. A source host node and a target host node are both provided with strategy agent modules; a security policy database and a policy coordination module are respectively connected with a security management center; the policy coordination module is further connected with all the strategy agent modules; the security management center is used for inquiring the security policy database to judge whether a local security policy intermediate value violates a global security policy or not; if yes, the local security policy intermediate value is adjusted to be a security policy final value; if not, the local security policy intermediate value is set to be the security policy final value. Due to the fact that the global security policy is introduced in the process of generating the security policy final value, the security policy final value can violate the global security policy under no circumstances; after a virtual machine is migrated, a local security policy on the target host node is adjusted and brought into global security policy planning, and therefore the virtual machine is effectively prevented from lowering in security before and after migration.

The invention relates to the field of firewalls, and aims to provide an HTTP (Hyper Text Transport Protocol) service firewall based on an adaptive agent mechanism. The HTTP service firewall based on the adaptive agent mechanism comprises an agent module, a core control and a security policy database, wherein the agent module is used for accessing HTTP access from a client, acquiring various data, transmitting the acquired data to the core control, and performing execution after receiving a judgment conclusion of the core control; the core control is used for scheduling the cooperation of each module, receiving the request of each module, and updating data records, working modes and working methods in the security policy database; and the security policy database comprises a client permission strategy, a client session state database, a start address white list and a subsequent address white list. Through adoption of the HTTP service firewall, checking work on various security aspects of accidental access, accidental parameters, session parameter check, user associated data and the like needing to be considered in a protection system can be reduced, and the security level of the system is raised.

A security policy database cache includes at least one primary table including signature values that indicate that a packet's security policy database information may be in the cache and at least one secondary table including cache entries having a selector, flags, security association information and an operation to perform on the corresponding packet for which a cache lookup was made.

A security procedure for invoking IPsec security for communication of a packet in a network includes the steps of generating a message to be sent at the transport layer, building Internet Protocol and Transport Control Protocol headers for the message, selecting a security policy in accordance with a security policy database after the step of building Internet Protocol and Transport Control Protocol headers, and processing the packet according to the selected security policy.

The invention relates an IPSec VPN (Internet Protocol Security Virtual Private Network) realizing system and method based on a NetFPGA (Net Field Programmable Gate Array), wherein a control layer of a router is additively provided with an IKE (Internet Key Exchange) module, a security relation database mapping module and a security policy database, and a key management module is used for dynamically managing the key, the security relation and the security policy; and a forward layer is additionally provided with two independently designed IPSec input and output process modules in the originalNetFPGA standard router architecture by sufficiently utilizing the modularization reusable idea of a NetPGA development board. The scheme of the invention can realize the route forward function of the data flow in a hardware manner, and can also realize the great mass of calculation functions required by the IPSecVPN in a hardware manner, such as safe detaching/packing load and completeness authentication; in addition, the invention can effectively make a compromise on the data flow forward performance and the IPSec protocol processing performance.

The embodiment of the invention provides an IPSec (Internet Protocol Security) acceleration method, apparatus and system. The IPSec acceleration method includes the steps: an IKE (Internet Key Exchange) module generates an IKE chain building session message, based on an IPSec configuration parameter and a safety strategy in an SPD (Security Policy Database); the IKE module sends the IKE chain building session message to opposite-end equipment, and establishes SA (Security Association) with the opposite-end equipment; and the IKE module sends the SA to a data forwarding module, wherein the IKE module and the data forwarding module are discrete modules. The embodiment of the IPSec acceleration method, apparatus and system discretely sets the IKE module and the data forwarding module, so that the IKE module and the data forwarding module can be arranged in different equipment to improve the IPSec speed.

A virtual firewall system based on a common security policy and a method of controlling the same. The virtual firewall system includes one or more virtual security policy modules, each of which includes a local security policy database; a security policy determiner, which determines, from the one or more virtual security policy modules, a virtual security policy module corresponding to a packet received from outside; and a common security policy database, which stores security policies. Each of the one or more virtual security policy modules determines whether or not to apply a security policy of the common security policy database to the received packet, and when the security policy of the common security policy database is applied, does not apply the security policy of a local security policy database. An operator can easily and conveniently set and restore the system.

Saving the input personal identification ID and personal attribute information corresponding to the ID into a database 21 of ID. Saving the input personal attribute and region information corresponding to the attribute into the database 23 of regions and attributes contained in database 22 of a security policy. Saving the input region and the information of an electronic lock of gate setting corresponding to the access of region into the database 24 of regions and electronic locks contained in the database 22 of security policy. Then, generating data representing the personal ID and the list of ID and electronic locks of region gate that can pass with the ID from all informations of security policy database 22 and ID database 21, and setting the data in the toll bar gate control for controlling the locking and unlocking of electronic locks.

The invention discloses a searching device for an Ethernet IPSec database. According to the device, a processing unit configures a security database, a receiving module receives a data frame from the Ethernet and unpacks the data frame into an IP data packet, an IPSec database searching module conducts selector extraction and compression on the IP data packet unpacked by the receiving module, a compressed character serves as an input address of a security policy database (SPD) storage unit, the SPD storage unit outputs a security policy and submits the security policy to the IPSec database searching module for analysis, information that whether IPSec protocol processing is to be conducted or not and an input address of a security association database (SAD) storage unit can be obtained from the security policy, the SAD storage unit outputs a security association, and the IPSec database searching module analyzes the security association to generate a task descriptor. By the aid of the device, the requirements for high-speed searching can be met, and the security database can be configured simply and flexibly. The invention also discloses a corresponding security database searching method as well as a device and a method which are used for achieving Ethernet IPSec database searching.

The invention discloses a method for forwarding internet protocol security (IPSec) and relates to the technical field of network security. The method comprises the following steps of: A, adding a service priority level to each specific data item in a security policy database (SPD) and a security association database (SADB); and B, according to the service priority level, performing priority processing on high-priority data items. The method for forwarding the IPSec has the advantages that: according to the situation of network flow and the size of the priorities of users, the bandwidths of the users with different priorities are dynamically changed; by improving the bandwidth distribution of high-priority users, using experiences of the high-priority users are improved; installation of quality of service (QoS) equipment is not required for network equipment without a QoS function; and cost is reduced.

The embodiment of the invention discloses an Internet Protocol security internet (IPsec) message format processing method, device and equipment, and a storage medium, wherein the method comprises thesteps of receiving IP message data sent by a media access control (MAC) layer, and reading a destination IP address from the IP message data; obtaining a new source IP address and a new destination IPaddress by matching from a security policy database according to the destination IP address; if the new source IP address and the new destination IP address are not all zeros, querying a security association database according to the new destination IP address to obtain an encryption key; according to the encryption key, performing encryption processing on the IP message data based on an encrypted data format to obtain encrypted message data; generating a new IP header for the IP message data, and adding authentication data processed through a preset authentication data format to the end of the IP message data as new IP message data; and packaging and sending the encrypted message data and the new IP message data. According to the method, the device, the equipment and the storage medium in the application, the IP message data format is subjected to centralized and unified processing so as to adapt to various TCP (UDP)/IP network environments, thereby improving code standardization, and improving IPsec performance.