APPLICATION PROTECTION ARCHITECTURE WITH TRIANGULATED AUTHORIZATION

US 20090064287A1
Filed: 04/11/2008
Published: 03/05/2009
Est. Priority Date: 08/28/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method performed by a network element, the method comprising:

receiving at a network element a packet of a network transaction from a client system over a first network for accessing a destined server of a datacenter over a second network, the network element operating as a security gateway to the datacenter, wherein each client of the first network has to go through the network element in order to access the datacenter over the second network;

in response to the packet, obtaining one or more user attributes associated with a user of the client system from an identity store, the user attributes including a user identifier that identifies the user and a machine identifier that identifies the client system; and

performing authentication and/or authorization on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Application protection architecture with triangulated authorization is described herein. According to one embodiment, a packet of a network transaction is received at a network element from a client system over a first network for accessing a destined server of a datacenter over a second network, where network element operates as a security gateway to the datacenter. In response to the packet, one or more user attributes associated with a user of the client system are obtained from an identity store, where the user attributes include a user identifier that identifies the user and a machine identifier that identifies the client system. Authentication and/or authorization are performed on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter. Other methods and apparatuses are also described.

186 Citations

25 Claims

1. A method performed by a network element, the method comprising:
- receiving at a network element a packet of a network transaction from a client system over a first network for accessing a destined server of a datacenter over a second network, the network element operating as a security gateway to the datacenter, wherein each client of the first network has to go through the network element in order to access the datacenter over the second network;
  
  in response to the packet, obtaining one or more user attributes associated with a user of the client system from an identity store, the user attributes including a user identifier that identifies the user and a machine identifier that identifies the client system; and
  
  performing authentication and/or authorization on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the user attributes further comprise a work department of an organization associated with the user, a role within the work department of the user, and a project involved by the user.
  - 3. The method of claim 2, wherein the user attributes further comprise a seniority of the user within the organization, a citizenship of the user, and security clearance information associated with the user.
  - 4. The method of claim 1, wherein the user attributes are obtained from a plurality of identity stores in a plurality of directory servers via a virtual directory interface (VDI), including Active Directory, LDAP, SQL stores, Unix NIS directory, and RADIUS.
  - 5. The method of claim 1, wherein the authentication and/or authorization using the user attributes is part of a layer 7 access control process performed within the network element.
  - 6. The method of claim 1, wherein the authentication and/or authorization is performed further based on one or more environment attributes associated with the user and an organization associated with the datacenter.
  - 7. The method of claim 6, wherein the environment attributes identify a location of the user and/or the client system in view of the organization associated with the datacenter, including at least one of a source IP address, destination IP address, network environment attributes, network access methods, time of accesses, threat conditions, weather alerts, and emergency conditions.
  - 8. The method of claim 7, wherein the network access methods comprise at least one of a LAN access, WLAN access, Wi-Fi access, mobile access, mobile phone access, dial-up access, and VPN access.
  - 9. The method of claim 6, wherein the authentication and/or authorization is performed further based on one or more of protocol, content, and resource and data attributes associated with the network transaction.

10. A machine-readable medium having instructions stored therein, which when executed from a machine, cause the machine to perform a method, the method comprising:
- receiving at a network element a packet of a network transaction from a client system over a first network for accessing a destined server of a datacenter over a second network, the network element operating as a security gateway to the datacenter, wherein each client of the first network has to go through the network element in order to access the datacenter over the second network;
  
  in response to the packet, obtaining one or more user attributes associated with a user of the client system from an identity store, the user attributes including a user identifier that identifies the user and a machine identifier that identifies the client system; and
  
  performing authentication and/or authorization on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The machine-readable medium of claim 10, wherein the user attributes further comprise a work department of an organization associated with the user, a role within the work department of the user, and a project involved by the user.
  - 12. The machine-readable medium of claim 11, wherein the user attributes further comprise a seniority of the user within the organization, a citizenship of the user, and security clearance information associated with the user.
  - 13. The machine-readable medium of claim 10, wherein the user attributes are obtained from a plurality of identity stores in a plurality of directory servers via a virtual directory interface (VDI), including Active Directory, LDAP, SQL stores, Unix NIS directory, and RADIUS.
  - 14. The machine-readable medium of claim 10, wherein the authentication and/or authorization using the user attributes is part of a layer 7 access control process performed within the network element.
  - 15. The machine-readable medium of claim 10, wherein the authentication and/or authorization is performed further based on one or more environment attributes associated with the user and an organization associated with the datacenter.
  - 16. The machine-readable medium of claim 15, wherein the environment attributes identify a location of the user and/or the client system in view of the organization associated with the datacenter, including at least one of a source IP address, destination IP address, network environment attributes, network access methods, time of accesses, threat conditions, weather alerts, and emergency conditions.
  - 17. The machine-readable medium of claim 16, wherein the network access methods comprise at least one of a LAN access, WLAN access, Wi-Fi access, mobile access, mobile phone access, dial-up access, and VPN access.
  - 18. The machine-readable medium of claim 15, wherein the authentication and/or authorization is performed further based on one or more of protocol, content, and resource and data attributes associated with the network transaction.

19. A network element, comprising:
- an attribute collector;
  
  an authentication and authorization unit coupled to the attribute collector; and
  
  wherein in response to a packet of a network transaction received from a client system over a first network for accessing a server of a datacenter over a second network, the attribute collector is configured to obtain one or more user attributes from an identity store, the user attributes including a user identifier that identifies the user and a machine identifier that identifies the client system,wherein the authentication and authorization unit is configured to authenticate and/or authorize the packet based on the user attributes to determine whether a user of the client system is eligible to access the server of the datacenter, andwherein the network element operates as a security gateway to the datacenter and each client of the first network has to go through the security gateway in order to access a server of the second network.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The network element of claim 19, further comprising a user attribute manager coupled to the attribute collector to manage the user attributes, wherein the user attributes further comprise a work department of an organization associated with the user, a role within the work department of the user, and a project involved by the user.
  - 21. The network element of claim 20, wherein the user attributes further comprise a seniority of the user within the organization, a citizenship of the user, and security clearance information associated with the user.
  - 22. The network element of claim 19, wherein the authentication and/or authorization using the user attributes is part of a layer 7 access control process performed within the network element.
  - 23. The network element of claim 19, further comprising a virtual directory interface (VDI) to access different identity stores of a plurality of directory servers to obtain the user attributes, including Active Directory, LDAP, SQL stores, Unix NIS directory, and RADIUS.
  - 24. The network element of claim 19, further comprising an environment attribute manager to manage environment attributes, wherein the authentication and/or authorization is performed further based on one or more environment attributes associated with the user and an organization associated with the datacenter, and wherein the environment attributes identify a location of the user and/or the client system in view of the organization associated with the datacenter, including at least one of a source IP address, destination IP address, network environment attributes, network access methods, time of accesses, threat conditions, weather alerts, and emergency conditions.
  - 25. The network element of claim 24, further comprising a content attribute manager for managing protocol, content, and resource and data attributes, wherein the authentication and/or authorization is performed further based on one or more of protocol, content, and resource attributes associated with the network transaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Rohati Systems, Inc. (Cisco Systems, Inc.)
Inventors
Patra, Abhijit, Prabhu, Kirti, Thakar, Anant, Bagepalli, Nagaraj, Gandhi, Prashant

Application Number

US12/101,857
Publication Number

US 20090064287A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 47/20   Traffic policing

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/321   Interlayer communication pr...

H04L 9/3242   involving keyed hash functi...

Y10T 70/5827   Axially movable clutch

APPLICATION PROTECTION ARCHITECTURE WITH TRIANGULATED AUTHORIZATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION PROTECTION ARCHITECTURE WITH TRIANGULATED AUTHORIZATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links