Multilayer access control security system

US 20040243835A1
Filed: 05/28/2004
Published: 12/02/2004
Est. Priority Date: 05/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a computer system, the method comprising:

receiving user identification information corresponding to a user;

retrieving a set of access policies corresponding to the user;

generating, based on the access policies, at least one access rule for each of a plurality of security system sublayers;

distributing each generated access rule to each of the security system sublayers;

receiving, from the user, a request to access a computer system resource; and

determining whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-based system provides secure, configurable access to computer network resources. A human-readable language is provided for defining access policy rules. Rules in this language are converted in an automated fashion into filters applied within the various subsystems and components in a multi-layer security system. Network users are authenticated by an access control security system that obtains basic information about that user. Based on the user ID, a set of abstract policies can be retrieved. The retrieved policies are associated with the user and the groups associated with that user. Based on the retrieved rules, a set of rules for multiple layers of the network are generated and applied to those subsystems. Two or more of the subsystems may be placed in series with different types of processing occurring in each of the subsystems, reducing the workload of subsequent subsystems.

451 Citations

21 Claims

1. A method of controlling access to a computer system, the method comprising:
- receiving user identification information corresponding to a user;
  
  retrieving a set of access policies corresponding to the user;
  
  generating, based on the access policies, at least one access rule for each of a plurality of security system sublayers;
  
  distributing each generated access rule to each of the security system sublayers;
  
  receiving, from the user, a request to access a computer system resource; and
  
  determining whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the requested computer system resource is associated with at least one of the sublayers, and the determining step is also based on the at least one sublayer with which the resource is associated.
  - 3. The method of claim 1, wherein:
    - the generating includes retrieving data corresponding to a set of human readable access policies and the least one access rule for each of a plurality of security system sublayers is based on the human readable access policies; and
      
      the human readable access policies have been entered by a human operator.
  - 4. The method of claim 1, wherein the generating further comprises replacing the generated access rule with a replacement access rule if the generated access rule conflicts with a previously-generated access rule.
  - 5. The method of claim 1, wherein the generating is further based on one or more groups with which the user is associated.
  - 6. The method of claim 1, wherein the plurality of security system sublayers includes a firewall layer and a transport layer.
  - 7. The method of claim 6, wherein the at least one access rule generated for the firewall layer includes at least one of a port filter rule, a packet authentication rule and a NAT translation rule.
  - 8. The method of claim 1, wherein the plurality of security system sublayers includes an application layer.
  - 9. The method of claim 1, further comprising removing the generated access rules from the sublayers when the user logs out.
  - 10. The method of claim 1, further comprising removing the generated access rules from the sublayers when a session for the user ends.

11. A carrier containing program instructions that instruct a computing device to control access to a computer system, wherein the instructions comprise instructions to:
- receive user identification information corresponding to a user;
  
  retrieve a set of access policies corresponding to the user;
  
  generate, based on the access policies, at least one access rule for each of a plurality of security system sublayers;
  
  distribute each generated access rule to each of the security system sublayers;
  
  receive, from the user, a request to access a computer system resource; and
  
  determine whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules.
- View Dependent Claims (12, 13, 14)
- - 12. The carrier of claim 11, wherein the requested computer system resource is associated with at least one of the sublayers, and the determining step is also based on the at least one sublayer with which the resource is associated.
  - 13. The carrier of claim 11, wherein:
    - the instructions further instruct the computing device to, in the generating step, retrieve data corresponding to a set of human readable access rules, wherein the human readable access rules have been entered by a human operator; and
      
      wherein the generating step is further based on the human readable access policies.
  - 14. The carrier of claim 11, wherein the plurality of security system sublayers includes a firewall layer and a transport layer.

15. A computer security system, comprising:
- means for receiving user identification information corresponding to a user;
  
  means for retrieving a set of access policies corresponding to the user;
  
  means for generating, based on the access policies, at least one access rule for each of a plurality of security system sublayers;
  
  means for distributing each generated access rule to each of the security system sublayers;
  
  means for receiving, from the user, a request to access a computer system resource; and
  
  means for determining whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules.

16. A method of controlling access to a computer system, comprising:
- generating, for a user, at least one access rule for each of a plurality of security system sublayers, wherein the sublayers correspond to a hierarchy of complexity;
  
  distributing at least one of the generated access rules to at least one of the security system sublayers;
  
  receiving, from the user, a request to access a computer system resource; and
  
  determining whether the user is permitted to access at least a portion of a computer system resource based on the user identification information and each of the generated access rules that have been distributed to the sublayers, wherein the determining is done by applying the system rules for in order of the complexity of the corresponding sublayers.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, wherein the requested computer system resource is associated with at least one of the sublayers, and the determining step is also based on the at least one sublayer with which the resource is associated.
  - 18. The method of claim 16, wherein said generating includes retrieving data corresponding to a set of human readable access policies, wherein the human readable access policies have been entered by a human operator, and wherein each access rule is further based on the human readable access policies.
  - 19. The method of claim 16, wherein said generating includes replacing the generated access rule with a replacement access rule if the generated access rule conflicts with a previously-generated access rule.
  - 20. The method of claim 16, wherein said generating is also based on one or more groups with which the user is associated.
  - 21. The method of claim 16, wherein the plurality of security system sublayers includes a firewall layer and a transport layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Murgia, Marco A., Baskaran, Ashwin, Terzis, Andreas

Granted Patent

US 7,900,240 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Multilayer access control security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

451 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Multilayer access control security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

451 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links