APPLICATION NETWORK APPLIANCE WITH BUILT-IN VIRTUAL DIRECTORY INTERFACE

US 20090064300A1
Filed: 04/11/2008
Published: 03/05/2009
Est. Priority Date: 08/28/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method performed by a network element, the method comprising:

receiving at a network element a packet of a network transaction from a client requesting accessing a server of a datacenter having a plurality of servers, the network element operating as a security gateway to the datacenter;

in response to the packet, obtaining user attributes associated with a user of the network transaction from a plurality of directory servers via a virtual directory interface (VDI), wherein the VDI is embedded within the network element; and

authenticating and authorizing the user of network transaction using at least the user attributes obtained via the VDI to determine whether the user is eligible to access the server of the datacenter.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application network appliance with a built-in virtual directory interface is described herein. According to one embodiment, a network element includes a virtual directory interface (VDI) coupled to multiple directory servers, and an authentication and authorization unit coupled to the VDI. In response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit obtains user attributes from the directory servers via the VDI and performs authentication and authorization using the user attributes to determine whether a user of the client is eligible to access the server of the datacenter, where the network element operates as a security gateway to the datacenter. Other methods and apparatuses are also described.

Citations

24 Claims

1. A method performed by a network element, the method comprising:
- receiving at a network element a packet of a network transaction from a client requesting accessing a server of a datacenter having a plurality of servers, the network element operating as a security gateway to the datacenter;
  
  in response to the packet, obtaining user attributes associated with a user of the network transaction from a plurality of directory servers via a virtual directory interface (VDI), wherein the VDI is embedded within the network element; and
  
  authenticating and authorizing the user of network transaction using at least the user attributes obtained via the VDI to determine whether the user is eligible to access the server of the datacenter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the VDI is configured to access the directory servers via a converged datacenter fabric without having to use a TCP connection.
  - 3. The method of claim 2, wherein the VDI is configured to provide a common interface to retrieve the user attributes from a plurality of identity stores located in the directory servers which require different protocols to access the identity stores.
  - 4. The method of claim 3, wherein the VDI is configured to provide a single VDI view representing all user attributes that are associated with the user retrieved from the identity stores.
  - 5. The method of claim 1, wherein the authentication and authorization is a part of layer 5 to layer 7 (layer 5-7) services performed within the network element.
  - 6. The method of claim 1, wherein the user attributes comprise at least one of a department of an enterprise associated with the user, a role of the user within the enterprise, a project in which the user is a member, a seniority of the user within the enterprise, and a citizenship of the user.
  - 7. The method of claim 1, wherein authenticating and authorizing the user further comprises authenticating and authorizing using environment attributes and subject attributes, wherein the environment attributes comprise at least one of network access methods, a location associated with the client, and a time and date associated with the network transaction, threat condition and emergency/weather alarm, wherein the subject attributes comprise at least one of protocol attributes, content attributes, resource attributes, and data attributes, and wherein the authentication and authorization are performed further using machine attributes including at least one of model identifier of a device and software image type and/or version.
  - 8. The method of claim 4, wherein the VDI is configured to dynamically join different data sets obtained from different identity stores to provide the single VDI view, wherein the VDI is configured to consolidate different schemas associated with the different identity stores by mapping attribute names of the identity stores with attribute names obtained from the packet of the network transaction.

9. A machine-readable medium having instructions stored therein, which when executed by a machine, cause the machine to perform a method, the method comprising:
- receiving at a network element a packet of a network transaction from a client requesting accessing a server of a datacenter having a plurality of servers, the network element operating as a security gateway to the datacenter;
  
  in response to the packet, obtaining user attributes associated with a user of the network transaction from a plurality of directory servers via a virtual directory interface (VDI), wherein the VDI is embedded within the network element; and
  
  authenticating and authorizing the user of network transaction using at least the user attributes obtained via the VDI to determine whether the user is eligible to access the server of the datacenter.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The machine-readable medium of claim 9, wherein the VDI is configured to access the directory servers via a converged datacenter fabric without having to use a TCP connection.
  - 11. The machine-readable medium of claim 10, wherein the VDI is configured to provide a common interface to retrieve the user attributes from a plurality of identity stores located in the directory servers which require different protocols to access the identity stores.
  - 12. The machine-readable medium of claim 11, wherein the VDI is configured to provide a single VDI view representing all user attributes that are associated with the user retrieved from the identity stores.
  - 13. The machine-readable medium of claim 9, wherein the authentication and authorization is a part of layer 5 to layer 7 (layer 5-7) services performed within the network element.
  - 14. The machine-readable medium of claim 9, wherein the user attributes comprise at least one of a department of an enterprise associated with the user, a role of the user within the enterprise, a project in which the user is a member, a seniority of the user within the enterprise, and a citizenship of the user.
  - 15. The machine-readable medium of claim 9, wherein authenticating and authorizing the user further comprises authenticating and authorizing using environment attributes and subject attributes, wherein the environment attributes comprise at least one of network access methods, a location associated with the client, and a time and date associated with the network transaction, threat condition and emergency/weather alarm, wherein the subject attributes comprise at least one of protocol attributes, content attributes, resource attributes, and data attributes, and wherein the authentication and authorization are performed further using machine attributes including at least one of model identifier of a device and software image type and/or version.
  - 16. The machine-readable medium of claim 12, wherein the VDI is configured to dynamically join different data sets obtained from different identity stores to provide the single VDI view, wherein the VDI is configured to consolidate different schemas associated with the different identity stores by mapping attribute names of the identity stores with attribute names obtained from the packet of the network transaction.

17. A network element, comprising:
- a virtual directory interface (VDI) coupled to a plurality of directory servers; and
  
  an authentication and authorization unit coupled to the VDI,wherein in response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit is configured to obtain one or more user attributes from at least one of the directory server via the VDI,wherein the authentication and authorization unit is configured to authenticate and/or authorize the packet based on at least the user attributes to determine whether a user of the client is eligible to access the server of the datacenter, andwherein the network element operates as a security gateway to the datacenter and each client of the first network has to go through the security gateway in order to access a server of the second network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The network element of claim 17, wherein the VDI is configured to access the directory servers via a converged datacenter fabric without having to use a TCP connection.
  - 19. The network element of claim 18, wherein the VDI is configured to provide a common interface to retrieve the user attributes from a plurality of identity stores located in the directory servers which require different protocols to access the identity stores.
  - 20. The network element of claim 19, wherein the VDI is configured to provide a single VDI view representing all user attributes that are associated with the user retrieved from the identity stores.
  - 21. The network element of claim 17, wherein the authentication and authorization is a part of layer 5 to layer 7 (layer 5-7) services performed within the network element.
  - 22. The network element of claim 17, wherein the user attributes comprise at least one of a department of an enterprise associated with the user, a role of the user within the enterprise, a project in which the user is a member, a seniority of the user within the enterprise, and a citizenship of the user.
  - 23. The network element of claim 17, wherein authenticating and authorizing the user further comprises authenticating and authorizing using environment attributes and subject attributes, wherein the environment attributes comprise at least one of network access methods, a location associated with the client, and a time and date associated with the network transaction, threat condition and emergency/weather alarm, wherein the subject attributes comprise at least one of protocol attributes, content attributes, resource attributes, and data attributes, and wherein the authentication and authorization are performed further using machine attributes including at least one of model identifier of a device and software image type and/or version.
  - 24. The network element of claim 20, wherein the VDI is configured to dynamically join different data sets obtained from different identity stores to provide the single VDI view, wherein the VDI is configured to consolidate different schemas associated with the different identity stores by mapping attribute names of the identity stores with attribute names obtained from the packet of the network transaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Rohati Systems, Inc. (Cisco Systems, Inc.)
Inventors
Patra, Abhijit, Prabhu, Kirti, Thakar, Anant, Bagepalli, Nagaraj, Gandhi, Prashant

Application Number

US12/101,872
Publication Number

US 20090064300A1
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 47/20   Traffic policing

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/321   Interlayer communication pr...

H04L 9/3242   involving keyed hash functi...

Y10T 70/5827   Axially movable clutch

APPLICATION NETWORK APPLIANCE WITH BUILT-IN VIRTUAL DIRECTORY INTERFACE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION NETWORK APPLIANCE WITH BUILT-IN VIRTUAL DIRECTORY INTERFACE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links