Method for providing user authentication/authorization and distributed firewall utilizing same

US 20060015935A1
Filed: 09/22/2005
Published: 01/19/2006
Est. Priority Date: 10/26/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of providing user authentication/authorization in a distributed firewall on an end system, comprising the steps of:

receiving a connection request from a user;

performing main mode (MM) authentication of the connection request via Internet key exchange (IKE) protocol based on an aggregate of users listed in a connection policy;

receiving communications from the user;

performing quick mode (QM) authentication of the communications via IKE based on a rule for the user in the connection policy;

completing the QM authentication when the communications are within a scope of the rule for the user in the connection policy; and

enforcing the rule for the user for subsequent communication when the QM completes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The distributed firewall performs user authentication at a first level to establish a user security context for traffic from that user, and an authority context provides authorization for subsequent traffic. This authority context may be based on an underlying policy for particular types of traffic, access to particular applications, etc. Additionally, the system includes the ability to allow a user/process/application to define its own access control. The linking of the user security context from the traffic to the application is accomplished by enabling IPSec on a socket and forcing the socket to be bound in exclusive mode. The most common policy definitions may be included by default. Extensions of the Internet key exchange protocol (IKE) to provide the desired user authentication plus application/purpose are also provided. The architecture includes pluggable authorization module(s) that are called after IKE has successfully authenticated the peer, but before the connection is allowed to complete.

51 Citations

View as Search Results

21 Claims

1. A method of providing user authentication/authorization in a distributed firewall on an end system, comprising the steps of:
- receiving a connection request from a user;
  
  performing main mode (MM) authentication of the connection request via Internet key exchange (IKE) protocol based on an aggregate of users listed in a connection policy;
  
  receiving communications from the user;
  
  performing quick mode (QM) authentication of the communications via IKE based on a rule for the user in the connection policy;
  
  completing the QM authentication when the communications are within a scope of the rule for the user in the connection policy; and
  
  enforcing the rule for the user for subsequent communication when the QM completes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the step of performing MM authentication comprises the steps of:
    - checking a certificate of the connection request against an aggregate listing of all authorized users in the connection policy; and
      
      completing MM authentication when the certificate matches an entry in the aggregate listing.
  - 3. The method of claim 1, further comprising the step of transmitting a secure notify message to the user when the communications attempt to exceed the rule for the user in the connection policy.
  - 4. The method of claim 1, wherein the step of enforcing the rule for the user for subsequent communication comprises the steps of enabling IPSec on a socket for the communication, and forcing the socket to be bound in exclusive mode.
  - 5. The method of claim 1, wherein the end system has multiple accounts thereon, wherein the step of receiving a connection request from a user includes the step of receiving a connection request having an account ID hint included therewith, and wherein the step of performing main mode (MM) authentication of the connection request via Internet key exchange (IKE) protocol includes the step of performing MM authentication of the connection request via IKE based on an aggregate of users listed in a connection policy for one of the accounts identified by the account ID hint.
  - 6. The method of claim 5, wherein the step of performing quick mode (QM) authentication of the communications via IKE based on a rule for the user in the connection policy comprises the step of performing QM authentication based on a rule for the user in the connection policy for one of the accounts identified by the account ID hint.
  - 7. The method of claim 1, further comprising the step of downloading the connection policy from a central administration.
  - 8. The method of claim 1, further comprising the steps of displaying an access control user interface, receiving input from a user of the end system, using the input to define the rules of the connection policy.

9. In a computer system having a graphical user interface including a display and a user interface selection device, a method of displaying and selecting a connection policy on the display comprises the steps of:
- retrieving a set of applications processes to which access controls may be defined;
  
  retrieving a listing of authorized users;
  
  displaying the set of applications in association with users who are authorized to access each application defined in the connection policy;
  
  receiving a user input signal indicating a desired modification to the displayed associations and thereafter modifying the connection policy in accordance with the user input; and
  
  displaying the set of applications in association with a modified list of users who are authorized to access each application defined in the modified connection policy.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein the step of receiving a user input indicating a desired modification to the displayed associations comprises the step of receiving a user input indicating a desired addition of a user for a selected application process, further comprising the steps of displaying a list of all authorized users, receiving an authorized user selection input to add a new authorized user association to the selected application process.
  - 11. The method of claim 9, wherein the step of receiving a user input indicating a desired modification to the displayed associations comprises the step of receiving a user input indicating a desired removal of a user for a selected application process, further comprising the steps of displaying a list of all authorized users associated with the selected application process, receiving an authorized user deletion input to remove an authorized user association from the selected application process.
  - 12. The method of claim 9, further comprising the steps of displaying a user selectable indicator to secure the computer system, receiving a user input selection of the user selectable indicator, and thereafter securing the computer system in accordance with the connection policy.
  - 13. The method of claim 12, further comprising the steps of displaying a user selectable indicator indicating the that the computer system is secure, receiving a user input selection of the user selectable indicator, and thereafter un-securing the computer system.

14. A computer-readable medium having computer-executable instructions for performing the steps of:
- receiving a connection request from a user;
  
  performing main mode (MM) authentication of the connection request via Internet key exchange (IKE) protocol based on an aggregate of users listed in a connection policy;
  
  receiving communications from the user;
  
  performing quick mode (QM) authentication of the communications via IKE based on a rule for the user in the connection policy;
  
  completing the QM authentication when the communications are within a scope of the rule for the user in the connection policy; and
  
  enforcing the rule for the user for subsequent communication when the QM completes.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The computer-readable medium of claim 14, wherein the step of performing MM authentication comprises the steps of:
    - checking a certificate of the connection request against an aggregate listing of all authorized users in the connection policy; and
      
      completing MM authentication when the certificate matches an entry in the aggregate listing.
  - 16. The computer-readable medium of claim 14, further comprising the step of transmitting a secure notify message to the user when the communications attempt to exceed the rule for the user in the connection policy.
  - 17. The computer-readable medium of claim 14, wherein the step of enforcing the rule for the user for subsequent communication comprises the steps of:
    - enabling IPSec on a socket for the communication; and
      
      forcing the socket to be bound in exclusive mode.
  - 18. The computer-readable medium of claim 14, wherein the end system has multiple accounts thereon, wherein the step of receiving a connection request from a user includes the step of receiving a connection request having an account ID hint included therewith, and wherein the step of performing main mode (MM) authentication of the connection request via Internet key exchange (IKE) protocol includes the step of performing MM authentication of the connection request via IKE based on an aggregate of users listed in a connection policy for one of the accounts identified by the account ID hint.
  - 19. The computer-readable medium of claim 18, wherein the step of performing quick mode (QM) authentication of the communications via IKE based on a rule for the user in the connection policy comprises the step of performing QM authentication based on a rule for the user in the connection policy for one of the accounts identified by the account ID hint.
  - 20. The computer-readable medium of claim 14, further comprising the step of downloading the connection policy from a central administration.
  - 21. The computer-readable medium of claim 14, further comprising the steps of:
    - displaying an access control user interface;
      
      receiving input from a user of the end system; and
      
      using the input to define the rules of the connection policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Pall, Gurdeep S., Swander, Brian D., Palekar, Ashwin, Dixon, William H., Aboba, Bernard D.

Application Number

US11/232,553
Publication Number

US 20060015935A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/164 at the network layer

Method for providing user authentication/authorization and distributed firewall utilizing same

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method for providing user authentication/authorization and distributed firewall utilizing same

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links