System, apparatuses, methods, and computer-readable media for identification of user and/or source of communication in a network
Abstract
A method, system and program for preventing intrusion in a communications network. A source node initiates a request for network services, such as session establishment, database access, or application access. Known network resources and authorized user information are stored in a database at a network portal along with access policy rules that are device and user dependent. Identification of the source node is required before the source node can construct a transformed packet header that is included with a synchronization packet before transmission to a destination node. An appliance or firewall in the communications network receives and authenticates the synchronization packet before releasing the packet to its intended destination. The authentication process includes verification of the access policy associated with the source node. Once received at the destination node, the transformed packet header is reformed by extracting a key index value. The extracted key index is subsequently used to transform the packet header in the response transmitted to the source node.
118 Citations
168 Claims
1. (new) A method comprising:
transforming a user identifier and a source identifier for a header of a packet.
Dependent claims: 2 through 18.
19. (new) A method comprising:
retrieving a first key from a table using a first key index;
transforming a user identifier using the first key to form a transformed user identifier;
appending the first key index to the transformed user identifier; and
inserting the transformed user identifier with appended first key index in a first field of a packet header.
Dependent claims: 20 through 22.

23. (new) A method comprising:
retrieving a key from a table using a key index;
transforming a source identifier using the key to form a transformed source identifier;
appending the key index to the transformed source identifier; and
inserting the transformed source identifier with appended key index in a field of the packet header.
Dependent claim: 24.
25. (new) A method comprising:
providing at least one node with software for transforming a user identifier and source identifier to form a transformed header in a packet.
Dependent claims: 26 through 29.

30. (new) A method comprising:
reforming a user identifier and a source identifier of a header of a packet.
Dependent claims: 31 through 42.

43. (new) A method comprising:
providing at least one node with software for reforming a user identifier and source identifier from a packet received from at least one other node to determine whether the packet is permitted to be passed to a destination indicated by a header of the packet.
Dependent claims: 44 through 65.

66. (new) A method comprising:
determining whether a synchronization packet has a non-zero value in an acknowledgement field of a header of the packet.
Dependent claims: 67 through 79.

80. (new) A method comprising:
inserting a non-zero value into an acknowledgement field of a header of a synchronization (SYN) packet.
Dependent claims: 81 and 82.

83. (new) A method comprising:
determining whether a packet originated from a trusted entity, the determining performed by establishing whether an acknowledgement field of a header of the packet has a non-zero value.
Dependent claims: 84 through 89.
90. (new) A method comprising:
determining whether a request to access a network resource originates from a trusted entity;
if the request to access the network resource originates from a trusted entity, permitting the request to access the network resource if an access policy permits the trusted entity to access the network resource or if no policy exists relative to the trusted entity; and
if the request to access the network resource does not originate from a trusted entity, prohibiting the request to access the network resource unless an exception policy permits the untrusted entity to access the network resource.
Dependent claims: 91 through 101.
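Claim 90 describes a two-branch decision: a trusted entity is permitted when the access policy allows it or when no policy exists for it, and an untrusted entity is denied unless an exception policy opens the resource. The following is an added example, not code from the patent; the shape of the policy store (two dictionaries), the entity and resource names, and the reason strings are constructed here for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AccessPolicy:
    """Constructed policy store (assumed shape; the page only names the rules).
    access_rules: trusted entity -> resources it may reach; an absent entity
                  means "no policy exists relative to the trusted entity".
    exceptions:   untrusted entity -> resources an exception policy opens."""
    access_rules: dict = field(default_factory=dict)
    exceptions: dict = field(default_factory=dict)

def decide(entity: str, resource: str, trusted: bool, policy: AccessPolicy) -> tuple:
    """Apply the claim 90 decision. Returns (permitted, reason) so that the
    reason, in particular a default permit, can be written to an audit log."""
    if trusted:
        rules = policy.access_rules.get(entity)
        if rules is None:
            return True, "trusted, no policy relative to entity"
        if resource in rules:
            return True, "trusted, access policy permits"
        return False, "trusted, access policy does not permit"
    if resource in policy.exceptions.get(entity, set()):
        return True, "untrusted, exception policy permits"
    return False, "untrusted, no exception policy"

# Constructed sample requests: (entity, resource, trusted flag as established
# by the upstream identification step).
SAMPLE_REQUESTS = [
    ("alice@corp", "db.payroll", True),
    ("alice@corp", "app.hr", True),
    ("bob@corp", "db.payroll", True),
    ("printer-17", "app.hr", False),
    ("guest-kiosk", "web.portal", False),
    ("guest-kiosk", "db.payroll", False),
]

SAMPLE_POLICY = AccessPolicy(
    access_rules={"alice@corp": {"db.payroll", "app.crm"}},
    exceptions={"guest-kiosk": {"web.portal"}},
)

def evaluate(requests=SAMPLE_REQUESTS, policy=SAMPLE_POLICY) -> dict:
    """Map each (entity, resource) to its (permitted, reason) decision."""
    return {(e, r): decide(e, r, t, policy) for e, r, t in requests}

if __name__ == "__main__":
    for (entity, resource), (ok, why) in evaluate().items():
        print(f"{'PERMIT' if ok else 'DENY':6} {entity:12} -> {resource:12} ({why})")
```

Note that bob@corp is permitted only because no policy exists for him: the trusted branch of claim 90 is default-permit, so the protection it gives depends on the policy table being complete for every trusted entity, which is why the reason string is returned rather than discarded.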
102. (new) A method comprising:
storing a table of general keys in association with corresponding general key indexes, and a table of session keys in association with corresponding session key indexes, for use in transforming user and source identifiers.
Dependent claims: 103 and 104.

105. (new) A method comprising:
storing a table of general keys in association with corresponding general key indexes, and a table of session keys in association with corresponding session key indexes, for use in reforming user and source identifiers.
Dependent claim: 106.

107. (new) A computer-readable medium storing a table of general keys in association with corresponding general key indexes, and a table of session keys in association with corresponding session key indexes, for use in transforming user and source identifiers.

110. (new) A computer-readable medium storing a table of general keys in association with corresponding general key indexes, and a table of session keys in association with corresponding session key indexes, for use in reforming user and source identifiers.
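Claims 19, 23 and 30 together with the key-table claims 102 through 110 describe one round trip: look a key up by index, transform an identifier with it, append the index to the transformed value, place it in a header field, and on the receiving side extract the index, recover the identifier and reuse the index for the response. The following is an added example, not the patent's own code. The page does not fix the key length, the index width, the transform itself, or which table serves which identifier, so this example assumes 4-byte keys, a one-byte index, XOR as a deliberately simple keyed transform, the general-key table for the user identifier and the session-key table for the source identifier (taken here to be an IPv4 address). All key material and identifiers are constructed.

```python
import ipaddress
import struct

# Constructed key tables: index -> 4-byte key (assumed sizes, see lead-in).
GENERAL_KEYS = {1: bytes.fromhex("a1b2c3d4"), 2: bytes.fromhex("0f1e2d3c")}
SESSION_KEYS = {7: bytes.fromhex("deadbeef"), 9: bytes.fromhex("01234567")}

def _xor(data: bytes, key: bytes) -> bytes:
    """Toy keyed transform standing in for whatever the patent's transform is."""
    if len(data) != len(key):
        raise ValueError("identifier and key must be the same length")
    return bytes(a ^ b for a, b in zip(data, key))

def transform_identifier(identifier: bytes, key_table: dict, key_index: int) -> bytes:
    """Claims 19/23: retrieve the key by index, transform, append the index."""
    key = key_table[key_index]                  # KeyError if the index is unknown
    return _xor(identifier, key) + struct.pack("!B", key_index)

def reform_identifier(field: bytes, key_table: dict) -> tuple:
    """Claim 30 / abstract: strip the trailing key index, reverse the transform.
    Returns (identifier, key_index); the index is kept for the response header."""
    if len(field) < 2:
        raise ValueError("field too short to hold an identifier and a key index")
    body, key_index = field[:-1], field[-1]
    key = key_table.get(key_index)
    if key is None:
        raise KeyError(f"unknown key index {key_index}")
    return _xor(body, key), key_index

def build_request_fields(user_id: int, source_ip: str,
                         general_index: int, session_index: int) -> dict:
    """Source node side: both transformed fields of the request header."""
    user_bytes = struct.pack("!I", user_id)
    source_bytes = ipaddress.IPv4Address(source_ip).packed
    return {
        "user_field": transform_identifier(user_bytes, GENERAL_KEYS, general_index),
        "source_field": transform_identifier(source_bytes, SESSION_KEYS, session_index),
    }

def reform_request_fields(fields: dict):
    """Appliance / destination side. Returns the recovered identifiers and the
    indexes used, or None when an index is not in the local tables, in which
    case the packet cannot have come from a holder of the distributed tables."""
    try:
        user_bytes, g_idx = reform_identifier(fields["user_field"], GENERAL_KEYS)
        source_bytes, s_idx = reform_identifier(fields["source_field"], SESSION_KEYS)
    except (KeyError, ValueError):
        return None
    return {
        "user_id": struct.unpack("!I", user_bytes)[0],
        "source_ip": str(ipaddress.IPv4Address(source_bytes)),
        "general_index": g_idx,
        "session_index": s_idx,
    }

def build_response_fields(reformed: dict, responder_user_id: int, responder_ip: str) -> dict:
    """Abstract: the extracted key indexes are reused to transform the response header."""
    return build_request_fields(responder_user_id, responder_ip,
                                reformed["general_index"], reformed["session_index"])

if __name__ == "__main__":
    request = build_request_fields(42, "10.0.0.5", general_index=2, session_index=7)
    print("request fields:", {k: v.hex() for k, v in request.items()})
    recovered = reform_request_fields(request)
    print("reformed:", recovered)
    print("response fields:", {k: v.hex() for k, v in
                               build_response_fields(recovered, 7, "10.0.0.1").items()})
```

Because the key index travels in the clear, everything this scheme offers rests on the key tables staying secret on the nodes they were distributed to; an observer who learns a table can both reform and forge fields, so the reform step must be paired with the appliance-side authentication and policy check the abstract describes rather than used as the sole gate.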
112. (new) A method comprising:
distributing first and second key tables to at least one node for use in establishing an entity associated with the node as a trusted entity.
Dependent claims: 113 through 116.

117. (new) A method comprising:
executing software comparing a source identifier of a node with a source identifier included in the software;
if the source identifier of the node matches the source identifier of the software, continuing to execute the software; and
if the source identifier of the node does not match the source identifier of the software, terminating execution of the software.
Dependent claims: 118 through 120.

121. (new) A method comprising:
providing an identifier identifying a node in software, the software executable by the node to compare the source identifier of the software with the source identifier of the node, the software continuing to execute if the identifier of the software matches the identifier of the node, and the software terminating execution if the identifier of the software does not match the identifier of the node.
Dependent claims: 122 through 126.
127. (new) A system for entities to communicate via a network, the system comprising:
a first node executing software for transforming a user identifier and source identifier included in a request to access a network resource, the first node transmitting the request on the network;
a second node connected to communicate with the first node via the network, the second node receiving the request from the first node and reforming the user identifier and source identifier contained in the request, the second node using the user identifier and the source identifier to determine whether the request is to be passed or terminated; and
a third node connected to communicate with the second node, the third node indicated as the destination of the request for access to the network resource and receiving and executing the request if passed from the second node.
Dependent claims: 128 through 135.
136. (new) An apparatus connected to communicate via a network, the apparatus comprising:
a node connected to the network, for transforming a user identifier and source identifier for inclusion in a request for transmission on the network.
Dependent claims: 137 through 145.

146. (new) An apparatus connected to communicate via a network, the apparatus comprising:
a node for receiving a request to access a network resource via the network, the node determining whether the request contains a transformed user identifier and source identifier, and if the request contains the transformed user identifier and source identifier, the node reforms the user identifier and source identifier.
Dependent claims: 147 through 165.

166. (new) An apparatus receiving a packet requesting a network service, the apparatus comprising:
a node connected to receive a packet, the node determining whether the packet is a synchronization packet, and if the packet is a synchronization packet, the node determining whether an acknowledgement field of the packet contains a non-zero value; if the packet has a non-zero value, the node continuing to process the packet to provide the requested network service, and if the synchronization packet has a zero value in the acknowledgement field of the packet, the node dropping the packet.
Dependent claims: 167 and 168.
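Claims 66, 80, 83 and 166 all turn on one observation about TCP: in the first segment of a handshake (SYN set, ACK clear) the 32-bit acknowledgement number carries no protocol meaning and is normally zero, so a non-zero value there can serve as a marker that the sender ran the identification step. The following is an added example, not code from the patent: it parses the fixed 20-byte TCP header, classifies a synchronization packet the way claim 166 describes, and builds a marked SYN as in claim 80. The port numbers, sequence numbers and the marker value are constructed, and the checksum is left zero because nothing here is sent on a wire.

```python
import struct

# Fixed 20-byte TCP header (RFC 793). Options, if any, are not parsed.
TCP_HEADER = struct.Struct("!HHIIBBHHH")
FLAG_SYN = 0x02
FLAG_ACK = 0x10

def parse_tcp_header(data: bytes) -> dict:
    """Unpack the header fields; 'ack' is the acknowledgement number field."""
    if len(data) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, checksum, urgent = TCP_HEADER.unpack_from(data)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags,
            "window": window, "checksum": checksum, "urgent": urgent}

def is_synchronization_packet(header: dict) -> bool:
    """SYN set and ACK clear: the opening segment, not a SYN/ACK reply."""
    return bool(header["flags"] & FLAG_SYN) and not header["flags"] & FLAG_ACK

def classify_syn(header: dict) -> str:
    """Claim 166 decision on a received packet.
    'process'  - synchronization packet with a non-zero acknowledgement field
    'drop'     - synchronization packet with a zero acknowledgement field
    'not-syn'  - anything else; the claim does not cover it"""
    if not is_synchronization_packet(header):
        return "not-syn"
    return "process" if header["ack"] != 0 else "drop"

def build_syn(sport: int, dport: int, seq: int, ack_marker: int = 0,
              flags: int = FLAG_SYN) -> bytes:
    """Claim 80 on the sending side: a SYN whose acknowledgement field holds
    ack_marker. Data offset 5 (no options), window 65535, checksum 0."""
    return TCP_HEADER.pack(sport, dport, seq, ack_marker, 5 << 4, flags, 65535, 0, 0)

if __name__ == "__main__":
    # Constructed traffic: a marked SYN, an ordinary SYN, and a SYN/ACK reply.
    samples = {
        "marked SYN": build_syn(40000, 443, 1000, ack_marker=0x5A5A),
        "plain SYN": build_syn(40001, 443, 1001),
        "SYN/ACK": build_syn(443, 40000, 2000, ack_marker=1001, flags=FLAG_SYN | FLAG_ACK),
    }
    for name, raw in samples.items():
        print(f"{name:11} -> {classify_syn(parse_tcp_header(raw))}")
```

On its own the marker is a weak signal: any sender can write a non-zero acknowledgement number into a SYN, and middleboxes that normalise handshakes may zero it. The claims therefore use it as a cheap first filter that lets the appliance drop unmarked SYNs before the costlier reform and policy steps, not as the proof of trust itself; a practitioner deploying such a filter should also count dropped SYNs per source so that a sudden rise in unmarked handshakes is visible.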