APPLICATION PROTECTION ARCHITECTURE WITH TRIANGULATED AUTHORIZATION
First Claim
1. A method performed by a network element, the method comprising:
receiving at a network element a packet of a network transaction from a client system over a first network for accessing a destined server of a datacenter over a second network, the network element operating as a security gateway to the datacenter, wherein each client of the first network has to go through the network element in order to access the datacenter over the second network;
in response to the packet, obtaining one or more user attributes associated with a user of the client system from an identity store, the user attributes including a user identifier that identifies the user and a machine identifier that identifies the client system; and
performing authentication and/or authorization on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter.
Abstract
Application protection architecture with triangulated authorization is described herein. According to one embodiment, a packet of a network transaction is received at a network element from a client system over a first network for accessing a destined server of a datacenter over a second network, where network element operates as a security gateway to the datacenter. In response to the packet, one or more user attributes associated with a user of the client system are obtained from an identity store, where the user attributes include a user identifier that identifies the user and a machine identifier that identifies the client system. Authentication and/or authorization are performed on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter. Other methods and apparatuses are also described.
Claims (25 in total; only the independent claims are reproduced on this page)
1. A method performed by a network element (text as given above under First Claim). Dependent claims 2 to 9 are not reproduced on this page.
10. A machine-readable medium having instructions stored therein, which when executed from a machine, cause the machine to perform a method, the method comprising:
receiving at a network element a packet of a network transaction from a client system over a first network for accessing a destined server of a datacenter over a second network, the network element operating as a security gateway to the datacenter, wherein each client of the first network has to go through the network element in order to access the datacenter over the second network;
in response to the packet, obtaining one or more user attributes associated with a user of the client system from an identity store, the user attributes including a user identifier that identifies the user and a machine identifier that identifies the client system; and
performing authentication and/or authorization on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter.
Dependent claims 11 to 18 are not reproduced on this page.
19. A network element, comprising:
an attribute collector;
an authentication and authorization unit coupled to the attribute collector; and
wherein in response to a packet of a network transaction received from a client system over a first network for accessing a server of a datacenter over a second network, the attribute collector is configured to obtain one or more user attributes from an identity store, the user attributes including a user identifier that identifies the user and a machine identifier that identifies the client system, wherein the authentication and authorization unit is configured to authenticate and/or authorize the packet based on the user attributes to determine whether a user of the client system is eligible to access the server of the datacenter, and wherein the network element operates as a security gateway to the datacenter and each client of the first network has to go through the security gateway in order to access a server of the second network.
Dependent claims 20 to 25 are not reproduced on this page.
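The abstract and the independent claims describe the same decision: a gateway in the path between the client network and the datacenter takes a packet, pulls the user's attributes (a user identifier and a machine identifier) from an identity store, and decides from those attributes whether the user may reach the destined server. The following Python model, added here as an illustration and not code from the patent or its assignee, shows that three-way check (user, machine, destination) as a default-deny policy function. The identity store keyed by client source address, the machine registry, the per-server group policy, and every identifier in them are constructed for the example; the "triangulation" is whatever the specification says it is, so this is one plausible reading, not the patented method.

```python
"""Toy model of a security gateway that authorizes a packet from user
attributes fetched from an identity store (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserAttributes:
    """Attributes the gateway obtains from the identity store for one client."""
    user_id: str
    machine_id: str
    groups: frozenset


@dataclass(frozen=True)
class Packet:
    """The fields of the incoming packet the gateway needs for its decision."""
    src_ip: str       # client address on the first (client) network
    dst_server: str   # destined server on the second (datacenter) network


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Constructed identity store: binds a client address to the user currently
# authenticated there and the machine they are using. (Assumption: the store
# is keyed by client address; the page does not say how lookups are keyed.)
IDENTITY_STORE = {
    "10.1.1.20": UserAttributes("alice", "LAPTOP-0042", frozenset({"finance"})),
    "10.1.1.21": UserAttributes("bob", "LAPTOP-0099", frozenset({"eng"})),
    "10.1.1.22": UserAttributes("carol", "KIOSK-7", frozenset({"finance"})),
}

# Constructed machine registry: which user each managed machine is enrolled to.
# KIOSK-7 is deliberately absent, so carol's session fails the machine leg.
MACHINE_REGISTRY = {"LAPTOP-0042": "alice", "LAPTOP-0099": "bob"}

# Constructed per-server policy: groups allowed to reach each datacenter server.
SERVER_POLICY = {
    "db.finance.dc.example": frozenset({"finance"}),
    "build.dc.example": frozenset({"eng"}),
}


def lookup_attributes(src_ip: str) -> Optional[UserAttributes]:
    """Attribute collector: fetch user attributes for the packet's client."""
    return IDENTITY_STORE.get(src_ip)


def authorize(packet: Packet) -> Decision:
    """Authentication/authorization unit: default deny unless all three legs
    (known user, enrolled machine for that user, server policy) pass."""
    attrs = lookup_attributes(packet.src_ip)
    if attrs is None:
        return Decision(False, f"no identity bound to client {packet.src_ip}")
    # Machine leg: the machine identifier must be enrolled to this user.
    if MACHINE_REGISTRY.get(attrs.machine_id) != attrs.user_id:
        return Decision(False,
                        f"machine {attrs.machine_id} not enrolled for {attrs.user_id}")
    # Destination leg: an unlisted server has no policy and is denied.
    allowed_groups = SERVER_POLICY.get(packet.dst_server)
    if allowed_groups is None:
        return Decision(False, f"no policy for server {packet.dst_server}")
    # User leg: the user's groups must intersect the server's allowed groups.
    if not (attrs.groups & allowed_groups):
        return Decision(False,
                        f"{attrs.user_id} not permitted to reach {packet.dst_server}")
    return Decision(True,
                    f"{attrs.user_id}@{attrs.machine_id} -> {packet.dst_server}")


def gateway_log_line(packet: Packet, decision: Decision) -> str:
    """One audit line per packet so deny reasons are visible to operators."""
    verdict = "ALLOW" if decision.allow else "DENY"
    return f"{verdict} src={packet.src_ip} dst={packet.dst_server} reason={decision.reason}"


if __name__ == "__main__":
    # Constructed sample traffic crossing the gateway.
    for pkt in (Packet("10.1.1.20", "db.finance.dc.example"),   # alice, enrolled laptop
                Packet("10.1.1.21", "db.finance.dc.example"),   # bob, wrong group
                Packet("10.1.1.22", "db.finance.dc.example"),   # carol, unenrolled kiosk
                Packet("10.1.1.99", "build.dc.example"),        # unknown client
                Packet("10.1.1.20", "legacy.dc.example")):      # server with no policy
        print(gateway_log_line(pkt, authorize(pkt)))
```

The point of checking the machine identifier separately from the user identifier is that a valid user on an unmanaged machine (carol on KIOSK-7 above) is denied even though her group would otherwise permit the server; every branch returns a reason so the audit trail explains each denial.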
Specification