Time-based network authentication challenges

US 10,701,049 B2
Filed: 09/30/2016
Issued: 06/30/2020
Est. Priority Date: 09/30/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor a new session at a firewall to identify a user associated with the new session;

perform a user identification look-up at the firewall based on an IP address and port number associated with the new session;

generate an IP/user binding based on the user identification look-up at the firewall;

determine a resource on a network for which access is being requested that is associated with the new session;

select an authentication profile based on the IP/user binding and the resource for which access is being requested that is associated with the new session, wherein the authentication profile includes an authentication factor, wherein the authentication factor is a time-based authentication factor;

apply the authentication profile selected based on the IP/user binding and the resource for which access is being requested that is associated with the new session, wherein the authentication profile is enforced by the firewall;

generate a timestamp for the authentication factor associated with the user after the user successfully authenticates for access to the resource based on the authentication profile;

intercept another request from the user for access to the resource at the firewall; and

determine whether the timestamp for the authentication factor is expired based on the authentication profile using a configurable cache timeout since a last successful authentication for the authentication factor associated with the IP/user binding and the resource that is performed for authentication enforcement for the resource, wherein if the timestamp for the authentication factor is expired based on the authentication profile, then the user is requested to authenticate again prior to allowing access to the resource; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for time-based network authentication challenges are disclosed. In some embodiments, a system, process, and/or computer program product for time-based network authentication challenges includes monitoring a session at a firewall to identify a user associated with the session, generating a timestamp for an authentication factor associated with the user after the user successfully authenticates for access to a resource based on an authentication profile, intercepting another request from the user for access to the resource at the firewall, and determining whether the timestamp for the authentication factor is expired based on the authentication profile.

41 Citations

View as Search Results

21 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor a new session at a firewall to identify a user associated with the new session;
  
  perform a user identification look-up at the firewall based on an IP address and port number associated with the new session;
  
  generate an IP/user binding based on the user identification look-up at the firewall;
  
  determine a resource on a network for which access is being requested that is associated with the new session;
  
  select an authentication profile based on the IP/user binding and the resource for which access is being requested that is associated with the new session, wherein the authentication profile includes an authentication factor, wherein the authentication factor is a time-based authentication factor;
  
  apply the authentication profile selected based on the IP/user binding and the resource for which access is being requested that is associated with the new session, wherein the authentication profile is enforced by the firewall;
  
  generate a timestamp for the authentication factor associated with the user after the user successfully authenticates for access to the resource based on the authentication profile;
  
  intercept another request from the user for access to the resource at the firewall; and
  
  determine whether the timestamp for the authentication factor is expired based on the authentication profile using a configurable cache timeout since a last successful authentication for the authentication factor associated with the IP/user binding and the resource that is performed for authentication enforcement for the resource, wherein if the timestamp for the authentication factor is expired based on the authentication profile, then the user is requested to authenticate again prior to allowing access to the resource; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21)
- - 2. The system recited in claim 1, wherein the firewall performs multifactor authentication as a network service.
  - 3. The system recited in claim 1, wherein the authentication profile is for a first authentication factor.
  - 4. The system recited in claim 1, wherein the authentication profile is for a first authentication factor and a second authentication factor.
  - 5. The system recited in claim 1, wherein the authentication profile is for a plurality of authentication factors for performing multifactor authentication.
  - 6. The system recited in claim 1, wherein the authentication profile is a multifactor authentication profile.
  - 7. The system recited in claim 1, wherein the processor is further configured to:
    - determine that the timestamp for the authentication factor is not expired based on the authentication profile; and
      
      allow the new session to access the resource.
  - 8. The system recited in claim 1, wherein the processor is further configured to:
    - determine that the timestamp for the authentication factor is expired based on the authentication profile; and
      
      require that the user authenticate again prior to allowing access to the resource.
  - 9. The system recited in claim 1, wherein the timestamp is for a first authentication factor, and wherein the processor is further configured to:
    - determine that the timestamp for the first authentication factor is expired based on the authentication profile; and
      
      require that the user authenticate again prior to allowing access to the resource.
  - 10. The system recited in claim 1, wherein the timestamp is for a second authentication factor, and wherein the processor is further configured to:
    - determine that the timestamp for the authentication factor is expired based on the authentication profile; and
      
      require that the user authenticate again for a first authentication factor and the second authentication factor prior to allowing access to the resource.
  - 21. The system recited in claim 1, wherein the processor is further configured to:
    - enforce a first authentication profile for a first resource on an enterprise network, wherein the first authentication profile only includes a single authentication factor and a first configurable cache timeout associated with the single authentication factor;
      
      enforce a second authentication profile for a second resource on the enterprise network, wherein the second authentication profile includes a plurality of authentication factors and a second configurable cache timeout associated with at least one of the plurality of authentication factors; and
      
      require that the user authenticate again in order to access the second resource to enforce the second authentication profile based on the second configurable cache timeout.

11. A method, comprising:
- monitoring a new session at a firewall to identify a user associated with the new session;
  
  performing a user identification look-up at the firewall based on an IP address and port number associated with the new session;
  
  generating an IP/user binding based on the user identification look-up at the firewall;
  
  determining a resource on a network for which access is being requested that is associated with the new session;
  
  selecting an authentication profile based on the IP/user binding and the resource for which access is being requested that is associated with the new session, wherein the authentication profile includes an authentication factor, wherein the authentication factor is a time-based authentication factor;
  
  applying the authentication profile selected based on the IP/user binding and the resource for which access is being requested that is associated with the new session, wherein the authentication profile is enforced by the firewall;
  
  generating a timestamp for the authentication factor associated with the user after the user successfully authenticates for access to the resource based on the authentication profile;
  
  intercepting another request from the user for access to the resource at the firewall; and
  
  determining whether the timestamp for the authentication factor is expired based on the authentication profile using a configurable cache timeout since a last successful authentication for the authentication factor associated with the IP/user binding and the resource that is performed for authentication enforcement for the resource, wherein if the timestamp for the authentication factor is expired based on the authentication profile, then the user is requested to authenticate again prior to allowing access to the resource.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising:
    - determining that the timestamp for the authentication factor is not expired based on the authentication profile; and
      
      allowing the new session to access the resource.
  - 13. The method of claim 11, further comprising:
    - determining that the timestamp for the authentication factor is expired based on the authentication profile; and
      
      requiring that the user authenticate again prior to allowing access to the resource.
  - 14. The method of claim 11, wherein the timestamp is for a first authentication factor, and further comprising:
    - determining that the timestamp for the first authentication factor is expired based on the authentication profile; and
      
      requiring that the user authenticate again prior to allowing access to the resource.
  - 15. The method of claim 11, wherein the timestamp is for a second authentication factor, and further comprising:
    - determining that the timestamp for the authentication factor is expired based on the authentication profile; and
      
      requiring that the user authenticate again for a first authentication factor and the second authentication factor prior to allowing access to access the resource.

16. A computer program product, the computer program product being embodied in a non-transitory, tangible computer readable storage medium and comprising computer instructions for:
- monitoring a new session at a firewall to identify a user associated with the new session;
  
  performing a user identification look-up at the firewall based on an IP address and port number associated with the new session;
  
  generating an IP/user binding based on the user identification look-up at the firewall;
  
  determining a resource on a network for which access is being requested that is associated with the new session;
  
  selecting an authentication profile based on the IP/user binding and the resource for which access is being requested that is associated with the new session, wherein the authentication profile includes an authentication factor, wherein the authentication factor is a time-based authentication factor;
  
  applying the authentication profile selected based on the IP/user binding and the resource for which access is being requested that is associated with the new session, wherein the authentication profile is enforced by the firewall;
  
  generating a timestamp for the authentication factor associated with the user after the user successfully authenticates for access to the resource based on the authentication profile;
  
  intercepting another request from the user for access to the resource at the firewall; and
  
  determining whether the timestamp for the authentication factor is expired based on the authentication profile using a configurable cache timeout since a last successful authentication for the authentication factor associated with the IP/user binding and the resource that is performed for authentication enforcement for the resource, wherein if the timestamp for the authentication factor is expired based on the authentication profile, then the user is requested to authenticate again prior to allowing access to the resource.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product recited in claim 16, further comprising computer instructions for:
    - determining that the timestamp for the authentication factor is not expired based on the authentication profile; and
      
      allowing the new session to access the resource.
  - 18. The computer program product recited in claim 16, further comprising computer instructions for:
    - determining that the timestamp for the authentication factor is expired based on the authentication profile; and
      
      requiring that the user authenticate again prior to allowing access to the resource.
  - 19. The computer program product recited in claim 16, wherein the timestamp is for a first authentication factor, and further comprising computer instructions for:
    - determining that the timestamp for the first authentication factor is expired based on the authentication profile; and
      
      requiring that the user authenticate again prior to allowing access to the resource.
  - 20. The computer program product recited in claim 16, wherein the timestamp is for a second authentication factor, and further comprising computer instructions for:
    - determining that the timestamp for the authentication factor is expired based on the authentication profile; and
      
      requiring that the user authenticate again for a first authentication factor and the second authentication factor prior to allowing access to the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Murthy, Ashwath Sreenivasa, Mangam, Prabhakar M V B R, Jandhyala, Shriram S., Li, Qiuming, Yin, Yongjie
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Nguy, Chi D

Application Number

US15/281,946
Publication Number

US 20180097789A1
Time in Patent Office

1,369 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0227   Filtering policies mail mes...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Time-based network authentication challenges

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Time-based network authentication challenges

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others