SECURE EXTRANET SERVER
First Claim
1. A method for accepting a message received from an untrusted network by a secure extranet server in communication with a trusted network, the message characterized by a message protocol, the method comprising the steps of:
- receiving the message in an external partition of the server;
- verifying the message protocol;
- checking constraints on the message provided in a security token;
- converting the message into an internal message, the internal message characterized by an internal message protocol;
- transferring the internal message to an internal partition of the server;
- verifying the protocol of the internal message;
- accepting the message by the secure extranet server;
- attaching a security token to the internal message;
- forwarding the accepted message to the trusted network based on the security token;
- accessing documents and servers within the trusted network based on the security token; and
- checkout and checkin of controlled documents using a single sign-on capability for on-line applications as well as local applications operating on protected files at remote user computers.
Abstract
A Secure Extranet Server (SES) provides for secure and traceable communication and document exchange between a trusted network and an untrusted network by authenticated users. The SES includes a first partition in communication with the untrusted network and a second partition in communication with the trusted network. The second partition maintains a session table and is in communication with a user authentication and authorization module. Communication between the first and second partition is preferably initiated by a request from the second partition. Security tokens attached to messages provide constraint checking on user inputs, access to documents and servers within the trusted network, checkout and checkin of controlled documents, and a single sign-on capability for on-line applications as well as local applications operating on protected files at remote user computers.
35 Claims
6. A method for sending a message to an untrusted network by a secure extranet server in communication with a trusted network, the message characterized by a message protocol, the method comprising the steps of:
- receiving the message in an internal partition of the server;
- extracting attribute information on valid user inputs;
- creating at least one security token that is based on the extracted attribute information;
- converting the message into an internal message, the internal message characterized by an internal message protocol;
- transferring the internal message to an external partition of the server;
- converting the message to an external message;
- attaching the security token to the external message; and
- forwarding the message to the untrusted network with the security token.
7. A secure extranet server for accepting a message received from an untrusted network, the message characterized by a message protocol, the secure extranet server in communication with a trusted network, the secure extranet server comprising:
(a) means for receiving the message in an external partition of the server;
(b) means for verifying the message protocol;
(c) means for converting the message into an internal message, the internal message characterized by an internal message protocol;
(d) means for transferring the internal message to an internal partition of the server;
(e) means for verifying the protocol of the internal message;
(f) means for accepting the message by the secure extranet server;
(g) means for attaching a security token to the internal message; and
(h) means for forwarding the accepted message to the trusted network based on the security token.
12. A secure extranet server for sending a message to an untrusted network, the message characterized by a message protocol, the secure extranet server in communication with a trusted network, the secure extranet server comprising:
(a) means for receiving the message in an internal partition of the server;
(b) means for converting the message into an internal message, the internal message characterized by an internal message protocol;
(c) means for transferring the internal message to an external partition of the server;
(d) means for converting the message to an external message;
(e) means for sending the message by the secure extranet server;
(f) means for attaching a security token to the external message; and
(g) means for forwarding the message to the untrusted network.
13. A computer-readable medium having computer-executable instructions for performing a method for accepting a message received from an untrusted network by a secure extranet server in communication with a trusted network, the message characterized by a message protocol, the method comprising:
- receiving the message in an external partition of the server;
- verifying the message protocol;
- converting the message into an internal message, the internal message characterized by an internal message protocol;
- transferring the internal message to an internal partition of the server;
- verifying the protocol of the internal message;
- accepting the message by the secure extranet server;
- attaching a security token to the internal message; and
- forwarding the accepted message to the trusted network based on the security token.
14. A secure extranet server for restricted access to a resource on a trusted network from an untrusted network, the server comprising:
- an adapter for converting a message having a network protocol to and from an internal message having an internal message protocol different from the network protocol;
- a filter for verifying the contents of the internal message;
- a message application programming interface for transferring the internal message between the adapter and the filter;
- a session table configured to hold at least one characteristic of the internal message;
- a manager configured to maintain the session table based on a user authorization and the message;
- a converter for converting the internal message to and from a trusted message; and
- a dispatcher for receiving and forwarding the trusted message to the resource on the trusted network.
20. A secure extranet server for restricted access to a resource on a trusted network from an untrusted network, the server comprising:
- an adapter for converting a message having a network protocol to and from an internal message having an internal message protocol different from the network protocol;
- a filter for verifying the contents of the internal message;
- a message application programming interface for transferring the internal message between the adapter and the filter;
- a session table configured to hold at least one characteristic of the internal message;
- a manager configured to maintain the session table based on a user authorization and the message;
- a converter for converting the internal message to and from a trusted message;
- a dispatcher for receiving and forwarding the trusted message to the resource on the trusted network; and
- a file converter for attaching an application cookie to a document controlled by a documentation control platform to enable a remote user outside the trusted network to checkout a file, modify it, and checkin the modified file with the application cookie providing necessary access without multiple signin authentication steps.
21. A method for operating a secure extranet server, the method comprising:
a) receiving from a first computer endpoint content description language comprising at least one request for input data and at least one constraint to the expected input data,
b) enriching the content description language sent by the first computer endpoint with at least one security token that is based on the at least one request for input data and comprises at least one constraint to the expected input data,
c) sending to a second computer endpoint content description language enriched with the at least one security token,
d) receiving from the second computer endpoint input data together with the at least one security token,
e) parsing input data and the at least one security token sent by the second computer endpoint,
f) verifying the input data against the at least one constraint determined in the security token, and
g) blocking the transfer of input data which does not conform to the at least one constraint.
35. A security service apparatus for Web application security filtering, the apparatus comprising:
a) means for receiving content description language transferred between at least a first and a second computer endpoint through the security service apparatus,
b) means for enriching the content description language sent by the first computer endpoint with at least one security token that is based on at least one request for input data and at least one constraint to the expected input data,
c) means for sending to the second computer endpoint content description language enriched with the at least one security token,
d) means for receiving from the second computer endpoint input data together with the at least one security token,
e) means for parsing input data and the at least one security token sent by the second computer endpoint,
f) means for verifying the input data against the at least one constraint in the security token, and
g) means for blocking the transfer of input data which does not conform to the at least one constraint.
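The token round trip of claims 21 and 35 (steps a to g), as an added Python sketch that is not part of the patent text or any implementation of it. It assumes HTML as the content description language and an HMAC-SHA256 tag to protect the token; the names `make_token`, `check_input` and `FormConstraints`, the key and the sample form are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, json
from html.parser import HTMLParser

KEY = b"constructed-demo-key"  # assumption: secret known only to the server

class FormConstraints(HTMLParser):
    """Collect per-field constraints from an outgoing HTML form."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "input" or "name" not in a:
            return
        if a.get("type") == "hidden":   # hidden values must return unchanged
            self.fields[a["name"]] = {"fixed": a.get("value") or ""}
        else:                           # free text, bounded by maxlength
            self.fields[a["name"]] = {"maxlen": int(a.get("maxlength", 256))}

def make_token(html, key=KEY):
    """Outbound (steps a-c): bind the form's constraints into a token."""
    parser = FormConstraints()
    parser.feed(html)
    body = base64.urlsafe_b64encode(
        json.dumps(parser.fields, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def check_input(data, token, key=KEY):
    """Inbound (steps d-g): return (accepted, reason); block if not accepted."""
    body, _, tag = token.partition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good.encode(), tag.encode()):
        return False, "token tampered"
    rules = json.loads(base64.urlsafe_b64decode(body))
    for name, value in data.items():
        rule = rules.get(name)
        if rule is None:
            return False, "unexpected field: " + name
        if len(value) > rule.get("maxlen", len(value)):
            return False, "too long: " + name
    for name, rule in rules.items():
        if "fixed" in rule and data.get(name) != rule["fixed"]:
            return False, "hidden field changed: " + name
    return True, "ok"

# Constructed sample form, as the first endpoint might send it.
FORM = ('<form><input type="hidden" name="doc_id" value="42">'
        '<input type="text" name="comment" maxlength="20"></form>')
```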