Abstract: A secured network is disclosed configured to carry data, comprising a plurality of network bubbles and a plurality of network control points, wherein each network bubble comprises one or more bubble partitions and each bubble partition comprises at least one networked device configured to transmit and receive data, and all of the network devices corresponding to at least one of the plurality of network bubbles have a common network security policy. At least one network control point, such as a router, is provided with a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the at least one network bubble.

Abstract: A method of creating a discontiguous address plan for an enterprise is provided which includes determining a hierarchy of routing optimization for an enterprise, determining a number of route advertisement aggregation points at each level of the hierarchy, determining a number of network security policy areas for the enterprise, and determining a number of addresses for each of the network security policy areas. The number of addresses is rounded up to a power of the address scheme base number to produce a plurality of rounded addresses. The method further includes allocating an address range for each of the plurality of rounded addresses so that a starting address of the address range begins on a power of the base number and determining a size of the plurality of address ranges. The size of the plurality of address ranges is rounded up to a power of the base number to produce the size of a repeating policy pattern.

Abstract: A method of creating a structured access list template, which includes dividing an access list template into a plurality of sections, creating an inbound local rule group for the bubble, creating an outbound local rule group for the bubble, creating an inbound remote rule group for the bubble, and creating an outbound remote rule group for the bubble. A method of creating an access list for each of the plurality of bubble boundary devices, which includes creating an address table that includes a plurality of addresses corresponding to devices in a bubble partition, creating a protocol table that includes a list of network services and whether each of the network services are granted or denied access to the bubble partition, creating an access list template using the address table and the protocol table, generating an access list from the access list template, and providing the access list to one of the plurality of bubble boundary devices.

Abstract: A secure network is provided which includes a plurality of network bubbles having a plurality of bubble partitions. Each bubble partition has at least one network device configured to transmit and receive data. All the network devices that belong to or correspond to a particular network bubble have the same network security policy. The secure network also includes a plurality of network control points, which has one or more network control point devices having at least one interface. Each bubble partition is connected to at least one network control point. The network control point is used to provide a connection between at least two network devices. Each network control point device is configured to enforce the network security policy of all the network bubbles that are connected to it. During the transmission of data from one network device to another network device, one or more network control points are traversed.

Abstract: A bitmap network mask is described for use in network functions such as data packet forwarding, access control list processing, and policy application determination. The bitmap network mask can be applied to a random collection of network parameters if desired. In one format, the bitmap network mask includes a mask sequence of entries in which each entry corresponds to a network parameter covered by the bitmap network mask and one or more indexing parameters for locating an entry in the mask sequence.

Abstract: A network security system is provided comprising a plurality of network bubbles wherein each bubble includes bubble members configured to transmit and receive data. Bubbles have network security policies that may be enforced by a plurality of network control point devices. The system further includes a private virtual backbone configured to interconnect the plurality of network control points connected to known bubbles. The privacy of the private virtual backbone is maintained by an inter-bubble device and/or set of two network control points. The inter-bubble device and set of control points enforce the network security policies of any connected bubble and relay data packets between address spaces. The private virtual backbone may operate in private address space. The system also includes an instance-specific virtual backbone that interconnects only bubble partitions from the same network bubble, thus simplifying the enforcement of a network security policy.

Abstract: A method of creating a discontiguous address plan for an enterprise is provided which includes determining a hierarchy of routing optimization for an enterprise, determining a number of route advertisement aggregation points at each level of the hierarchy, determining a number of network security policy areas for the enterprise, and determining a number of addresses for each of the network security policy areas. The number of addresses is rounded up to a power of the address scheme base number to produce a plurality of rounded addresses. The method further includes allocating an address range for each of the plurality of rounded addresses so that a starting address of the address range begins on a power of the base number and determining a size of the plurality of address ranges. The size of the plurality of address ranges is rounded up to a power of the base number to produce the size of a repeating policy pattern.

Abstract: A secured network is disclosed configured to carry data, comprising a plurality of network bubbles and a plurality of network control points, wherein each network bubble comprises one or more bubble partitions and each bubble partition comprises at least one networked device configured to transmit and receive data, and all of the network devices corresponding to at least one of the plurality of network bubbles have a common network security policy. At least one network control point, such as a router, is provided with a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the at least one network bubble.

Abstract: A method of creating a discontiguous address plan for an enterprise is provided which includes determining a hierarchy of routing optimization for an enterprise, determining a number of route advertisement aggregation points at each level of the hierarchy, determining a number of network security policy areas for the enterprise, and determining a number of addresses for each of the network security policy areas. The number of addresses is rounded up to a power of the address scheme base number to produce a plurality of rounded addresses. The method further includes allocating an address range for each of the plurality of rounded addresses so that a starting address of the address range begins on a power of the base number and determining a size of the plurality of address ranges. The size of the plurality of address ranges is rounded up to a power of the base number to produce the size of a repeating policy pattern.

Abstract: A method of creating a structured access list template, which includes dividing an access list template into a plurality of sections, creating an inbound local rule group for the bubble, creating an outbound local rule group for the bubble, creating an inbound remote rule group for the bubble, and creating an outbound remote rule group for the bubble. A method of creating an access list for each of the plurality of bubble boundary devices, which includes creating an address table that includes a plurality of addresses corresponding to devices in a bubble partition, creating a protocol table that includes a list of network services and whether each of the network services are granted or denied access to the bubble partition, creating an access list template using the address table and the protocol table, generating an access list from the access list template, and providing the access list to one of the plurality of bubble boundary devices.

Abstract: A method of creating a discontiguous address plan for an enterprise is provided which includes determining a hierarchy of routing optimization for an enterprise, determining a number of route advertisement aggregation points at each level of the hierarchy, determining a number of network security policy areas for the enterprise, and determining a number of addresses for each of the network security policy areas. The number of addresses is rounded up to a power of the address scheme base number to produce a plurality of rounded addresses. The method further includes allocating an address range for each of the plurality of rounded addresses so that a starting address of the address range begins on a power of the base number and determining a size of the plurality of address ranges. The size of the plurality of address ranges is rounded up to a power of the base number to produce the size of a repeating policy pattern.

Abstract: A secure network is provided which includes a plurality of network bubbles having a plurality of bubble partitions. Each bubble partition has at least one network device configured to transmit and receive data. All the network devices that belong to or correspond to a particular network bubble have the same network security policy. The secure network also includes a plurality of network control points, which has one or more network control point devices having at least one interface. Each bubble partition is connected to at least one network control point. The network control point is used to provide a connection between at least two network devices. Each network control point device is configured to enforce the network security policy of all the network bubbles that are connected to it. During the transmission of data from one network device to another network device, one or more network control points are traversed.

Abstract: A secure network system is provided which includes a plurality of networks where each network has at least one network device configured to transmit and receive data and has a network security policy. The secure network further includes a plurality of network control points where each network control point has at least one network control point device. Each of the plurality of network control points is connected to at least one of the plurality of networks. All network control point devices are configured to enforce the network security policy for the network to which it is connected. The secure network further includes a virtual backbone configured to connect the plurality of network control points to one another. The virtual backbone does not enforce any network security policy with respect to data being transmitted across the virtual backbone, except for source address integrity at the point the networks connect to a NCP.