APPARATUS AND METHOD FOR MANAGING ACCESS TO ONE OR MORE NETWORK RESOURCES

US 20090059952A1
Filed: 08/31/2007
Published: 03/05/2009
Est. Priority Date: 08/31/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a processor configured to receive a captured traffic unit (CTU) intended for a network service, the CTU being one into which incoming traffic has been assembled based on a filter describing which incoming traffic to capture and how to assemble the respective incoming traffic into the CTU,wherein the processor is configured to determine whether to allow the CTU to pass to one or more applications configured to implement the respective network service based on a passlet including one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, andwherein the processor is configured to instruct a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU based on the determination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus is provided that includes a processor configured to receive a captured traffic unit (CTU) intended for a network service, the CTU being one into which incoming traffic has been assembled based on a filter describing which incoming traffic to capture and how to assemble the respective incoming traffic into the CTU. The processor is also configured to determine whether to allow the CTU to pass to one or more applications configured to implement the respective network service based on a passlet including permissions to a particular user. The processor is further configured to instruct a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU based on the determination. In this regard, the processor is configured to perform the above functions under control of a security framework implemented in middleware between a user-level domain and a system-level domain.

24 Citations

View as Search Results

25 Claims

1. An apparatus comprising:
- a processor configured to receive a captured traffic unit (CTU) intended for a network service, the CTU being one into which incoming traffic has been assembled based on a filter describing which incoming traffic to capture and how to assemble the respective incoming traffic into the CTU,wherein the processor is configured to determine whether to allow the CTU to pass to one or more applications configured to implement the respective network service based on a passlet including one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, andwherein the processor is configured to instruct a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU based on the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. An apparatus according to claim 1, wherein the processor is configured to determine whether to allow the CTU to pass further based on a service mapping document (SMD) for the respective network service, the SMD describing how to map one or more user-level permissions to one or more corresponding system-level actions.
  - 3. An apparatus according to claim 1, wherein the processor is configured to receive a CTU into which incoming traffic has been assembled based on a filter from a list of filters according to which incoming traffic is to be assembled into different CTUs for different network services.
  - 4. An apparatus according to claim 1, wherein the processor is configured to receive a CTU intended for a network service hosted by a device within a personal network including a plurality of devices, each device within the personal network being configured to host one or more services, and including a firewall configured to allow CTUs to pass to one or more applications configured to implement the respective one or more services.
  - 5. An apparatus according to claim 1, wherein the processor is configured to receive the CTU, determine whether to allow the CTU to pass to one or more applications, and instruct a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU under control of a security framework implemented in middleware between a user-level domain and a system-level domain.
  - 6. An apparatus according to claim 5, wherein the processor is configured to determine whether to allow the CTU to pass to one or more legacy applications designed and operable without regard to the security framework.
  - 7. An apparatus according to claim 6, wherein the processor is configured to receive a CTU into which incoming traffic has been assembled based on a filter associated with the respective network service, andwherein the processor is configured to determine whether to allow the CTU to pass to one or more legacy applications for which support has been added to the security framework, based on a passlet including one or more access permissions to a particular user for accessing the respective network service.
  - 8. An apparatus according to claim 6, wherein the processor is configured to receive a CTU into which incoming traffic has been assembled based on a default filter unassociated with any network service, andwherein the processor is configured to determine whether to allow the CTU to pass to one or more legacy applications for which the security framework is unaware, based on a device passlet including one or more access permissions to a particular user for accessing a device hosting the respective network service.

9. A method comprising:
- receiving a captured traffic unit (CTU) intended for a network service, the CTU being one into which incoming traffic has been assembled based on a filter describing which incoming traffic to capture and how to assemble the respective incoming traffic into the CTU;
  
  determining whether to allow the CTU to pass to one or more applications configured to implement the respective network service based on a passlet including one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service; and
  
  instructing a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU based on the determination.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A method according to claim 9, wherein determining whether to allow the CTU to pass comprises determining whether to allow the CTU to pass further based on a service mapping document (SMD) for the respective network service, the SMD describing how to map one or more user-level permissions to one or more corresponding system-level actions.
  - 11. A method according to claim 9, wherein receiving a CTU intended for a network service comprises receiving a CTU into which incoming traffic has been assembled based on a filter from a list of filters according to which incoming traffic is to be assembled into different CTUs for different network services.
  - 12. A method according to claim 9, wherein receiving a CTU comprises receiving a CTU intended for a network service hosted by a device within a personal network including a plurality of devices, each device within the personal network being configured to host one or more services, and including a firewall configured to allow CTUs to pass to one or more applications configured to implement the respective one or more services.
  - 13. A method according to claim 9, wherein receiving a CTU, determining whether to allow the CTU to pass to one or more applications, and instructing a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU occur within a security framework implemented in middleware between a user-level domain and a system-level domain.
  - 14. A method according to claim 13, wherein determining whether to allow the CTU to pass to one or more applications comprises determining whether to allow the CTU to pass to one or more legacy applications designed and operable without regard to the security framework.
  - 15. A method according to claim 14, wherein receiving a CTU intended for a network service comprises receiving a CTU into which incoming traffic has been assembled based on a filter associated with the respective network service, andwherein determining whether to allow the CTU to pass to one or more applications comprises determining whether to allow the CTU to pass to one or more legacy applications for which support has been added to the security framework, based on a passlet including one or more access permissions to a particular user for accessing the respective network service.
  - 16. A method according to claim 14, wherein receiving a CTU intended for a network service comprises receiving a CTU into which incoming traffic has been assembled based on a default filter unassociated with any network service, andwherein determining whether to allow the CTU to pass to one or more applications comprises determining whether to allow the CTU to pass to one or more legacy applications for which the security framework is unaware, based on a device passlet including one or more access permissions to a particular user for accessing a device hosting the respective network service.

17. A computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
- a first executable portion configured to receive a captured traffic unit (CTU) intended for a network service, the CTU being one into which incoming traffic has been assembled based on a filter describing which incoming traffic to capture and how to assemble the respective incoming traffic into the CTU;
  
  a second executable portion configured to determine whether to allow the CTU to pass to one or more applications configured to implement the respective network service based on a passlet including one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service; and
  
  a third executable portion configured to instruct a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU based on the determination.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. A computer-readable storage medium according to claim 17, wherein the second executable portion is configured to determine whether to allow the CTU to pass further based on a service mapping document (SMD) for the respective network service, the SMD describing how to map one or more user-level permissions to one or more corresponding system-level actions.
  - 19. A computer-readable storage medium according to claim 17, wherein the first executable portion is configured to receive a CTU intended for a network service comprises receiving a CTU into which incoming traffic has been assembled based on a filter from a list of filters according to which incoming traffic is to be assembled into different CTUs for different network services.
  - 20. A computer-readable storage medium according to claim 17, wherein the first executable portion is configured to receive a CTU intended for a network service hosted by a device within a personal network including a plurality of devices, each device within the personal network being configured to host one or more services, and including a firewall configured to allow CTUs to pass to one or more applications configured to implement the respective one or more services.
  - 21. A computer-readable storage medium according to claim 17, wherein the first, second and third executable portions form part of a security framework implemented in middleware between a user-level domain and a system-level domain
  - 22. A computer-readable storage medium according to claim 21, wherein the second executable portion is configured to determine whether to allow the CTU to pass to one or more legacy applications designed and operable without regard to the security framework.
  - 23. A computer-readable storage medium according to claim 22, wherein the first executable portion is configured to receive a CTU into which incoming traffic has been assembled based on a filter associated with the respective network service, andwherein the second executable portion is configured to determine whether to allow the CTU to pass to one or more legacy applications for which support has been added to the security framework, based on a passlet including one or more access permissions to a particular user for accessing the respective network service.
  - 24. A computer-readable storage medium according to claim 22, wherein the first executable portion is configured to receive a CTU into which incoming traffic has been assembled based on a default filter unassociated with any network service, andwherein the second executable portion is configured to determine whether to allow the CTU to pass to one or more legacy applications for which the security framework is unaware, based on a device passlet including one or more access permissions to a particular user for accessing a device hosting the respective network service.

25. An apparatus comprising:
- a first means for receiving a captured traffic unit (CTU) intended for a network service, the CTU being one into which incoming traffic has been assembled based on a filter describing which incoming traffic to capture and how to assemble the respective incoming traffic into the CTU;
  
  a second means for determining whether to allow the CTU to pass to one or more applications configured to implement the respective network service based on a passlet including one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service; and
  
  a third means for instructing a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU based on the determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Reynolds, Franklin, Kalofonos, Dimitris

Granted Patent

US 8,037,519 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/465
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/102 Entity profiles

APPARATUS AND METHOD FOR MANAGING ACCESS TO ONE OR MORE NETWORK RESOURCES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR MANAGING ACCESS TO ONE OR MORE NETWORK RESOURCES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links