Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users

US 20030152067A1
Filed: 09/20/2002
Published: 08/14/2003
Est. Priority Date: 02/08/2002
Status: Active Grant

First Claim

Patent Images

1. A method of using a network device of a communications network to control usage of network resources of the communications network by a plurality of users, wherein the network device serves as an entry point to the communications network for the plurality of users and includes a port module, the port module connected by a transmission medium to a first user device used by a first of the plurality of users and located externally to the communications network and the port module connected by the transmission medium to a second user device used by a second of the plurality of users and located externally to the communications network, the method comprising an act of:

(A) configuring the port module with one or more packet rules, wherein at least a first of the one or more packet rules is associated with the identity of the first user and at least one of the packet rules is associated with the identity of the second user.

View all claims

20 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Controlling a user'"'"'s usage of network resources, after the user has been authenticated, without using any network resources beyond the user'"'"'s entry point to the network. A plurality of users may be connected to an entry point of a network of a network device by a shared transmission medium. Each users'"'"' usage of network resources is controlled, after such user has been authenticated, without using any network resources beyond such user'"'"'s entry point to the network. For each one or more users, packet rules may be provisioned to the user'"'"'s entry point to the network, where such entry point may be shared with other users. The packet rules may be applied to each packet received from the user before any network resources beyond the entry point are used. These packet rules may be associated with an identity of the user and then provisioned to the user'"'"'s entry point in response to the user being authenticated. If a plurality of users are connected to an entry point by a shared transmission medium, packet rules associated with the users may be provisioned to the entry point and applied to packets received from the users before any network resources beyond the entry point are used. Such packet rules may be provisioned to a number of network entry devices and may serve as a distributed firewall for users of a network, as opposed to a centralized firewall. An entry port module of a network entry device may be configured based on an identity of one or more users as a result of the authentication of the one or more users, respectively, and each packet received from each user may be examined to control usage of network resources by the user.

Citations

25 Claims

1. A method of using a network device of a communications network to control usage of network resources of the communications network by a plurality of users, wherein the network device serves as an entry point to the communications network for the plurality of users and includes a port module, the port module connected by a transmission medium to a first user device used by a first of the plurality of users and located externally to the communications network and the port module connected by the transmission medium to a second user device used by a second of the plurality of users and located externally to the communications network, the method comprising an act of:
- (A) configuring the port module with one or more packet rules, wherein at least a first of the one or more packet rules is associated with the identity of the first user and at least one of the packet rules is associated with the identity of the second user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising acts of:
    - (B) receiving a packet at the port module from a user device;
      
      (C) determining an identity of a user of the user device; and
      
      (D) if the determined identity is the identity of the first user, before using any of the network resources beyond the network device in response to processing the packet, applying at least the first packet rule to the packet.
  - 3. The method of claim 2, further comprising an act of:
    - (E) if the determined identity is the identity of the second user, before using any of the network resources beyond the network device in response to processing the packet, applying the at least one packet rule to the packet, wherein Act (E) is performed concurrently to the first user being logged on to the communications network.
  - 4. The method of claim 2, further comprising:
    - (E) repeating acts (C) and (D) for all packets received at the port module from the first user device until the first user logs off of the communications network.
  - 5. The method of claim 1, wherein the at least one packet rule is the first packet rule.
  - 6. The method of claim 1, wherein at least one of the following is true:
    - the first packet rule is not associated with the second user and the at least one packet rule is not associated with the first user.
  - 7. The method of claim 1, further comprising:
    - (B) prior to act (A), authenticating the identity of at least the first user, wherein the port module is configured with at least the first packet rule in response to the authentication.
  - 8. The method of claim 1, wherein the identity of the first user is associated with a role assigned to the first user, and the role is associated with at least the first packet rule, and wherein the method further comprises:
    - selecting the first packet rule based on the role.

9. A network device of a communications network for controlling usage of network resources of the communications network by a plurality of users, wherein the network device serves as an entry point to the communications network for the plurality of users and includes a port module, the port module connected by a transmission medium to a first user device used by a first of the plurality of users and located externally to the communications network and the port module connected by the transmission medium to a second user device used by a second of the plurality of users and located externally to the communications network, the port module comprising:
- port configuration logic to configure the port module with one or more packet rules, wherein at least a first of the one or more packet rules is associated with the identity of the first user and at least one of the one or more packet rules is associated with the identity of the second user.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The network device of claim 9, the port module further comprising:
    - a physical port to receive a packet from a user device;
      
      user identification logic to determine an identity of a user of the user device; and
      
      rule application logic to apply at least the first packet rule to the packet, before using any of the network resources beyond the network device in response to processing packet, if the determined identity is the identity of the first user.
  - 11. The network device of claim 10, wherein, concurrently to the first user being logged on to the communication network, the rule application logic is further operative to apply the at least one packet rule to the packet, before using any of the network resources beyond the network device in response to processing the packet, if the determined identity is the identity of the second user.
  - 12. The network device of claim 10, wherein the rule application logic is operative to apply the one or more packet rules to all packets received from the device of the first user at the port module until the first user logs off of the communications network.
  - 13. The network device of claim 9, wherein the at least one packet rule is the first packet rule.
  - 14. The network device of claim 9, wherein the port configuration logic is further operative to configure the port module with a plurality of packet rules, and wherein at least one of the following is true:
    - the at least one packet rule is not associated with the first user and the first packet rule is not associated with the second user.
  - 15. The network device of claim 9, the port module further comprising:
    - authentication logic to authenticate the identity of at least the first user, wherein the configuration logic is operative to configure the port module in response to the authentication.
  - 16. The network device of claim 9, wherein the identity of the first user is associated with a role assigned to the first user, and the role is associated with at least the first packet rule, and wherein the port configuration logic is operative to select at least the first packet rule based on the role.

17. A network device of a communications network for controlling usage of network resources of the communications network by a plurality of users, wherein the network device serves as an entry point to the communications network for the plurality of users and includes a port module, the port module connected by a transmission medium to a first user device used by a first of the plurality of users and located externally to the communications network and the port module is connected by the transmission medium to a second user device used by a second of the plurality of users and located externally to the communications network, the network device comprising:
- means for configuring the port module with one or more packet rules associated with an identity of the first user and an identity of the second user, wherein at least a first of the one or more packet rules is associated with the identity of the first user.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, further comprising:
    - means for receiving a packet at the port module from a user device;
      
      means for determining an identity of a user of the user device; and
      
      means for applying at least the first packet rule to the packet if the determined identity is the identity of the first user, before using any of the network resources beyond the network device in response to processing the packet.
  - 19. The system of claim 18, further comprising:
    - means for applying the at least one packet rule to the packet if the determined identity is the identity of the second user, before using any of the network resources beyond the network device in response to processing the packet, wherein Act (E) is performed concurrently to the first user being logged on to the communications network.
  - 20. The system of claim 18, further comprising:
    - means for determining an identity of a user of the user device and means for applying at least the first packet rule to the packet if the determined identity is the identity of the first user, before using any of the network resources beyond the network device in response to processing the packet for all packets received at the port module from the first user device until the first user logs off of the communications network.
  - 21. The system of claim 17, wherein the at least one packet rule is the first packet rule.
  - 22. The system of claim 17, wherein at least one of the following is true:
    - the first packet rule is not associated with the second user and the at least one packet rule is not associated with the first user.
  - 23. The system of claim 17, further comprising:
    - means for authenticating the identity of at least the first user prior to configuring the port module with the one or more rules, wherein the port module is configured with at least the first packet rule in response to the authentication.
  - 24. The system of claim 17, wherein the identity of the first user is associated with a role assigned to the first user, and the role is associated with at least the first packet rule, and the system further comprises:
    - means for selecting the first packet rule based on the role.

25. A computer program product, comprising:
- a computer-readable medium; and
  
  computer-readable signals stored on the computer-readable medium that define instructions that, as a result of being executed by a computer, instruct the computer to perform a process of using a network device of a communications network to control usage of network resources of the communications network by a plurality of users, wherein the network device serves as an entry point to the communications network for the plurality of users and includes a port module, the port module connected by a transmission medium to a first user device used by a first of the plurality of users and located externally to the communications network and the port module connected by the transmission medium to a second user device used by a second of the plurality of users and located externally to the communications network, the process comprising an act of;
  
  (A) configuring the port module with one or more packet rules, wherein at least a first of the one or more packet rules is associated with the identity of the first user and at least one of the packet rules is associated with the identity of the second user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Richmond, James, Kjendal, David L.

Granted Patent

US 6,990,592 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/352
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users

First Claim

20 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users

First Claim

20 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links