Method for providing user authentication/authorization and distributed firewall utilizing same
Abstract
The distributed firewall performs user authentication at a first level to establish a user security context for traffic from that user, and an authority context provides authorization for subsequent traffic. This authority context may be based on an underlying policy for particular types of traffic, access to particular applications, etc. Additionally, the system includes the ability to allow a user/process/application to define its own access control. The linking of the user security context from the traffic to the application is accomplished by enabling IPSec on a socket and forcing the socket to be bound in exclusive mode. The most common policy definitions may be included by default. Extensions of the Internet key exchange protocol (IKE) to provide the desired user authentication plus application/purpose are also provided. The architecture includes pluggable authorization module(s) that are called after IKE has successfully authenticated the peer, but before the connection is allowed to complete.
21 Claims
1. A method of providing user authentication/authorization in a distributed firewall on an end system, comprising the steps of:
receiving a connection request from a user;
performing main mode (MM) authentication of the connection request via Internet key exchange (IKE) protocol based on an aggregate of users listed in a connection policy;
receiving communications from the user;
performing quick mode (QM) authentication of the communications via IKE based on a rule for the user in the connection policy;
completing the QM authentication when the communications are within a scope of the rule for the user in the connection policy; and
enforcing the rule for the user for subsequent communication when the QM completes.
9. In a computer system having a graphical user interface including a display and a user interface selection device, a method of displaying and selecting a connection policy on the display comprises the steps of:
retrieving a set of applications processes to which access controls may be defined;
retrieving a listing of authorized users;
displaying the set of applications in association with users who are authorized to access each application defined in the connection policy;
receiving a user input signal indicating a desired modification to the displayed associations and thereafter modifying the connection policy in accordance with the user input; and
displaying the set of applications in association with a modified list of users who are authorized to access each application defined in the modified connection policy.
14. A computer-readable medium having computer-executable instructions for performing the steps of:
receiving a connection request from a user;
performing main mode (MM) authentication of the connection request via Internet key exchange (IKE) protocol based on an aggregate of users listed in a connection policy;
receiving communications from the user;
performing quick mode (QM) authentication of the communications via IKE based on a rule for the user in the connection policy;
completing the QM authentication when the communications are within a scope of the rule for the user in the connection policy; and
enforcing the rule for the user for subsequent communication when the QM completes.
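As an added illustration, not code from the patent, the following Python sketch models the two-stage flow of claim 1 together with the abstract's pluggable authorization hook: main mode admits a user only if that user is in the aggregate listed in the connection policy, quick mode accepts only traffic within that user's rule and then runs the authorization modules before the connection completes, and per-packet enforcement applies the rule afterwards. The policy contents, user names and port numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed connection policy: one rule per user, here the set of
# destination TCP ports the user may reach. Values are illustrative.
CONNECTION_POLICY: Dict[str, Set[int]] = {
    "alice": {443, 8443},  # web front-end only
    "bob": {22},           # SSH only
}

AuthzHook = Callable[[str, int], bool]  # pluggable authorization module

@dataclass
class SecurityContext:
    """User security context established by MM and completed by QM."""
    user: str
    allowed_ports: Set[int]
    mm_done: bool = False
    qm_done: bool = False

def main_mode(user: str, policy: Dict[str, Set[int]] = CONNECTION_POLICY) -> Optional[SecurityContext]:
    """MM: authenticate against the aggregate of users listed in the policy.
    A user absent from the policy gets no security context at all."""
    if user not in policy:
        return None
    return SecurityContext(user, set(policy[user]), mm_done=True)

def quick_mode(ctx: SecurityContext, proposed_port: int,
               authz_hooks: Iterable[AuthzHook] = ()) -> bool:
    """QM: accept only if the proposed traffic is within the scope of the
    user's own rule, then consult the authorization modules. Any hook that
    returns False blocks the connection before it can complete."""
    if not ctx.mm_done or proposed_port not in ctx.allowed_ports:
        return False
    if not all(hook(ctx.user, proposed_port) for hook in authz_hooks):
        return False
    ctx.qm_done = True
    return True

def enforce(ctx: SecurityContext, dst_port: int) -> bool:
    """Per-packet enforcement of the user's rule; nothing passes until QM
    has completed, and only ports inside the rule pass afterwards."""
    return ctx.qm_done and dst_port in ctx.allowed_ports
```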