Multifactor authentication as a network service

US 10,547,600 B2
Filed: 09/30/2016
Issued: 01/28/2020
Est. Priority Date: 09/30/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor a new session at a firewall, wherein the firewall filters inbound traffic by applying a set of rules or policies to prevent unwanted outside traffic from accessing protected resources;

perform a user identification look-up at the firewall based on an IP address associated with the new session to generate the IP address and user binding;

apply an authentication profile based on the new session, wherein the authentication profile is selected by the firewall based on the session and the user identification, and wherein the authentication profile is enforced by the firewall; and

perform an action based on the authentication profile including enforcing a configurable first cache timeout since a last successful authentication for a first factor authentication based on the IP address and user binding, and enforcing a configurable second cache timeout since a last successful authentication for a second factor authentication based on the IP address and user binding, wherein the firewall performs multifactor authentication using the first factor authentication and the second factor authentication to prevent unwanted outside traffic from accessing the protected resources; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for multifactor authentication as a network service are disclosed. In some embodiments, a system, process, and/or computer program product for multifactor authentication as a network service includes monitoring a session at a firewall, applying an authentication profile based on the new session, and performing an action based on the authentication profile.

41 Citations

View as Search Results

21 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor a new session at a firewall, wherein the firewall filters inbound traffic by applying a set of rules or policies to prevent unwanted outside traffic from accessing protected resources;
  
  perform a user identification look-up at the firewall based on an IP address associated with the new session to generate the IP address and user binding;
  
  apply an authentication profile based on the new session, wherein the authentication profile is selected by the firewall based on the session and the user identification, and wherein the authentication profile is enforced by the firewall; and
  
  perform an action based on the authentication profile including enforcing a configurable first cache timeout since a last successful authentication for a first factor authentication based on the IP address and user binding, and enforcing a configurable second cache timeout since a last successful authentication for a second factor authentication based on the IP address and user binding, wherein the firewall performs multifactor authentication using the first factor authentication and the second factor authentication to prevent unwanted outside traffic from accessing the protected resources; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system recited in claim 1, wherein the firewall performs multifactor authentication as a network service.
  - 3. The system recited in claim 1, wherein the authentication profile is for a first authentication factor.
  - 4. The system recited in claim 1, wherein the authentication profile is for a first authentication factor and a second authentication factor.
  - 5. The system recited in claim 1, wherein the authentication profile is for a plurality of authentication factors for performing multifactor authentication.
  - 6. The system recited in claim 1, wherein the authentication profile is a multifactor authentication profile.
  - 7. The system recited in claim 1, wherein the processor is further configured to:
    - match criteria associated with the new session at the firewall.
  - 8. The system recited in claim 1, wherein the processor is further configured to:
    - match criteria associated with the new session at the firewall, wherein the criteria includes one or more of the following;
      
      source zone and IP address, source user or group, destination zone and IP address, service and URL category, and source Host Information Profiles.
  - 9. The system recited in claim 1, wherein the processor is further configured to:
    - block or drop the new session if one or more authentication factors fail or time-out, wherein the one or more authentication factors are required based on the authentication profile.
  - 10. The system recited in claim 1, wherein the processor is further configured to:
    - allow the new session to access a requested resource if each authentication factor required by the authentication profile is satisfied.
  - 11. The system recited in claim 1, wherein the processor is further configured to:
    - perform the user identification look-up at the firewall based on the IP address and a device type check associated with the new session.

12. A method, comprising:
- monitoring a new session at a firewall, wherein the firewall filters inbound traffic by applying a set of rules or policies to prevent unwanted outside traffic from accessing protected resources;
  
  performing a user identification look-up at the firewall based on an IP address associated with the new session to generate the IP address and user binding;
  
  applying an authentication profile based on the new session, wherein the authentication profile is selected by the firewall based on the session and the user identification, and wherein the authentication profile is enforced by the firewall; and
  
  performing an action based on the authentication profile including enforcing a configurable first cache timeout since a last successful authentication for a first factor authentication based on the IP address and user binding, and enforcing a configurable second cache timeout since a last successful authentication for a second factor authentication based on the IP address and user binding, wherein the firewall performs multifactor authentication using the first factor authentication and the second factor authentication to prevent unwanted outside traffic from accessing the protected resources.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, further comprising:
    - matching criteria associated with the new session at the firewall.
  - 14. The method of claim 12, further comprising:
    - matching criteria associated with the new session at the firewall, wherein the criteria includes one or more of the following;
      
      source zone and IP address, source user or group, destination zone and IP address, service and URL category, and source Host Information Profiles.
  - 15. The method of claim 12, further comprising:
    - blocking or dropping the new session if one or more authentication factors fail or time-out, wherein the one or more authentication factors are required based on the authentication profile.
  - 16. The method of claim 12, further comprising:
    - allowing the new session to access a requested resource if each authentication factor required by the authentication profile is satisfied.

17. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring a new session at a firewall, wherein the firewall filters inbound traffic by applying a set of rules or policies to prevent unwanted outside traffic from accessing protected resources;
  
  performing a user identification look-up at the firewall based on an IP address associated with the new session to generate the IP address and user binding;
  
  applying an authentication profile based on the new session, wherein the authentication profile is selected by the firewall based on the session and the user identification, and wherein the authentication profile is enforced by the firewall; and
  
  performing an action based on the authentication profile including enforcing a configurable first cache timeout since a last successful authentication for a first factor authentication based on the IP address and user binding, and enforcing a configurable second cache timeout since a last successful authentication for a second factor authentication based on the IP address and user binding, wherein the firewall performs multifactor authentication using the first factor authentication and the second factor authentication to prevent unwanted outside traffic from accessing the protected resources.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The computer program product recited in claim 17, further comprising computer instructions for:
    - matching criteria associated with the new session at the firewall.
  - 19. The computer program product recited in claim 17, further comprising computer instructions for:
    - matching criteria associated with the new session at the firewall, wherein the criteria includes one or more of the following;
      
      source zone and IP address, source user or group, destination zone and IP address, service and URL category, and source Host Information Profiles.
  - 20. The computer program product recited in claim 17, further comprising computer instructions for:
    - blocking or dropping the new session if one or more authentication factors fail or time-out, wherein the one or more authentication factors are required based on the authentication profile.
  - 21. The computer program product recited in claim 17, further comprising computer instructions for:
    - allowing the new session to access a requested resource if each authentication factor required by the authentication profile is satisfied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Murthy, Ashwath Sreenivasa, Ganesan, Karthik, Mangam, Prabhakar M V B R, Jandhyala, Shriram S., Walter, Martin
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US15/281,913
Publication Number

US 20180097787A1
Time in Patent Office

1,215 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0236   Filtering by address, proto...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Multifactor authentication as a network service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Multifactor authentication as a network service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others