SECURE EXTRANET SERVER

US 20110173443A1
Filed: 01/12/2010
Published: 07/14/2011
Est. Priority Date: 01/12/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method for accepting a message received from an untrusted network by a secure extranet server in communication with a trusted network, the message characterized by a message protocol, the method comprising the steps of:

receiving the message in an external partition of the server;

verifying the message protocol;

checking constraints on the message provided in a security token;

converting the message into an internal message, the internal message characterized by an internal message protocol;

transferring the internal message to an internal partition of the server;

verifying the protocol of the internal message;

accepting the message by the secure extranet server;

attaching an security token to the internal message;

forwarding the accepted message to the trusted network based on the security token;

accessing documents and servers within the trusted network based on the security token; and

checkout and checkin of controlled documents using a single sign-on capability for on-line applications as well as local applications operating on protected files at remote user computers.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Secure Extranet Server (SES) provides for secure and traceable communication and document exchange between a trusted network and an untrusted network by authenticated users. The SES includes a first partition in communication with the untrusted network and a second partition in communication with the trusted network. The second partition maintains a session table and is in communication with a user authentication and authorization module. Communication between the first and second partition is preferably initiated by a request from the second partition. Security tokens attached to messages provide constraint checking on user inputs, access to documents and servers within the trusted network, checkout and checkin of controlled documents, and a single sign-on capability for on-line applications as well as local applications operating on protected files at remote user computers.

62 Citations

View as Search Results

35 Claims

1. A method for accepting a message received from an untrusted network by a secure extranet server in communication with a trusted network, the message characterized by a message protocol, the method comprising the steps of:
- receiving the message in an external partition of the server;
  
  verifying the message protocol;
  
  checking constraints on the message provided in a security token;
  
  converting the message into an internal message, the internal message characterized by an internal message protocol;
  
  transferring the internal message to an internal partition of the server;
  
  verifying the protocol of the internal message;
  
  accepting the message by the secure extranet server;
  
  attaching an security token to the internal message;
  
  forwarding the accepted message to the trusted network based on the security token;
  
  accessing documents and servers within the trusted network based on the security token; and
  
  checkout and checkin of controlled documents using a single sign-on capability for on-line applications as well as local applications operating on protected files at remote user computers.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further including after the step of attaching, the step of formatting the internal message according to the message protocol of the received message.
  - 3. The method of claim 1 wherein the step of verifying the message protocol comprises the step ofverifying an attached security token if the message is part of an ongoing session.
  - 4. The method of claim 1 wherein the step of verifying the message protocol includes the step ofdropping the message if the message does not conform to the message protocol.
  - 5. The method of claim 1 wherein the step of verifying the internal message protocol includes the step ofdropping the internal message if the internal message does not conform to the internal message protocol.

6. A method for sending a message to an untrusted network by a secure extranet server in communication with a trusted network, the message characterized by a message protocol, the method comprising the steps of:
- receiving the message in an internal partition of the server;
  
  extracting attribute information on valid user inputs;
  
  creating at least one security token that is based on the extracted attribute information;
  
  converting the message into an internal message, the internal message characterized by an internal message protocol;
  
  transferring the internal message to an external partition of the server;
  
  converting the message to an external message;
  
  attaching the security token to the external message; and
  
  forwarding the message to the untrusted network with the security token.

7. A secure extranet server for accepting a message received from an untrusted network, the message characterized by a message protocol, the secure extranet server in communication with a trusted network, the secure extranet server comprising:
- (a) means for receiving the message in an external partition of the server;
  
  (b) means for verifying the message protocol;
  
  (c) means for converting the message into an internal message, the internal message characterized by an internal message protocol;
  
  (d) means for transferring the internal message to an internal partition of the server;
  
  (e) means for verifying the protocol of the internal message;
  
  (f) means for accepting the message by the secure extranet server;
  
  (g) means for attaching an security token to the internal message; and
  
  (h) means for forwarding the accepted message to the trusted network based on the security token.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The secure extranet server of claim 7 further comprisingmeans for formatting the internal message according to the message protocol of the received message.
  - 9. The secure extranet server of claim 7 further comprisingmeans for verifying an attached security token if the message is part of an ongoing session.
  - 10. The secure extranet server of claim 7 further comprisingmeans for dropping the message if the message does not conform to the message protocol.
  - 11. The secure extranet server of claim 7 further comprisingmeans for dropping the internal message if the internal message does not conform to the internal message protocol.

12. A secure extranet server for sending a message to an untrusted network, the message characterized by a message protocol, the secure extranet server in communication with a trusted network, the secure extranet server comprising:
- (a) means for receiving the message in an internal partition of the server;
  
  (b) means for converting the message into an internal message, the internal message characterized by an internal message protocol;
  
  (c) means for transferring the internal message to an external partition of the server;
  
  (d) means for converting the message to an external message;
  
  (e) means for sending the message by the secure extranet server;
  
  (f) means for attaching an security token to the external message; and
  
  (g) means for forwarding the message to the untrusted network.

13. A computer-readable medium having computer-executable instructions for performing a method for accepting a message received from an untrusted network by a secure extranet server in communication with a trusted network, the message characterized by a message protocol, the method comprising:
- receiving the message in an external partition of the server;
  
  verifying the message protocol;
  
  converting the message into an internal message, the internal message characterized by an internal message protocol;
  
  transferring the internal message to an internal partition of the server;
  
  verifying the protocol of the internal message;
  
  accepting the message by the secure extranet server;
  
  attaching an security token to the internal message; and
  
  forwarding the accepted message to the trusted network based on the security token.

14. A secure extranet server for restricted access to a resource on a trusted network from an untrusted network, the server comprising:
- an adapter for converting a message having a network protocol to and from an internal message having an internal message protocol different from the network protocol;
  
  a filter for verifying the contents of the internal message;
  
  a message application programming interface for transferring the internal message between the adapter and the filter;
  
  a session table configured to hold at least one characteristic of the internal message;
  
  a manager configured to maintain the session table based on a user authorization and the message;
  
  a converter for converting the internal message to and from a trusted message; and
  
  a dispatcher for receiving and forwarding the trusted message to the resource on the trusted network.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The server according to claim 14 further comprising:
    - an external partition in communication with an untrusted network, the external partition configured to convert a message from the untrusted network to an internal message, the message comprising a data field and a message header, the message header comprises at least one characteristic of the message.
  - 16. The server according to claim 14 further comprising:
    - an internal partition in communication with a trusted network.
  - 17. The server according to claim 16 further comprising:
    - a message application programming interface configured to pass an internal message between an external partition and an internal partition.
  - 18. The secure extranet server of claim 17 wherein the message application programming interface is configured to pass the internal message between the external partition and the internal partition only upon a request originating from the internal partition.
  - 19. The secure extranet server of claim 17 wherein the message application programming interface is configured to pass the internal message between the external partition and the internal partition upon a request originating from the external partition and wherein the dispatcher forwards the internal message based in part on an security token.

20. A secure extranet server for restricted access to a resource on a trusted network from an untrusted network, the server comprising:
- an adapter for converting a message having a network protocol to and from an internal message having an internal message protocol different from the network protocol;
  
  a filter for verifying the contents of the internal message;
  
  a message application programming interface for transferring the internal message between the adapter and the filter;
  
  a session table configured to hold at least one characteristic of the internal message;
  
  a manager configured to maintain the session table based on a user authorization and the message;
  
  a converter for converting the internal message to and from a trusted message;
  
  a dispatcher for receiving and forwarding the trusted message to the resource on the trusted network; and
  
  a file converter for attaching an application cookie to a document controlled by a documentation control platform to enable a remote user outside the trusted network to checkout a file, modify it, and checkin the modified file with the application cookie providing necessary access without multiple signin authentication steps.
- View Dependent Claims (31, 32, 33, 34)
- - 31. A computer program comprising program code means for performing all the steps of the method of claim 20 by adapting a computer.
  - 32. A computer program comprising program code means for performing all the steps of the method of claim 20 by adapting a Web application firewall.
  - 33. A computer program comprising program code means for performing all the steps of the method of claim 20 by adapting a reverse Web proxy server.
  - 34. A computer program comprising program code means for performing all the steps of the method of claim 20 by adapting a load balancing appliance.

21. A method for operating a secure extranet server, the method comprisinga) receiving from a first computer endpoint content description language comprising at least one request for input data and at least one constrain to the expected input data,b) enriching the content description language sent by the first computer endpoint with at least one security token that is based on the at least one request for input data and comprises at least one constraint to the expected input data,c) sending to a second computer endpoint content description language enriched with the at least one security token,d) receiving from the second computer endpoint input data together with the at least one security token,e) parsing input data and the at least one security token sent by the second computer endpoint,f) verifying the input data against the at least one constraint determined in the security token, andg) blocking the transfer of input data which does not conform to the at least one constraint.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method according to claim 21 wherein the system comprisesat least one first computer endpoint comprising at least one Web application server,at least one second computer endpoint comprising a client computer with a Web browser, anda secure extranet server that is placed in front of the at least one Web application server in order to protect the at least one server from hacking attempts by client Web browsers.
  - 23. The method according to claim 21 wherein the transferred content description language comprises hypertext markup language content.
  - 24. The method according to claim 23 wherein parsing content description language comprisesextracting attribute information andcreating at least one security token that is based on the extracted attribute information.
  - 25. The method according to claim 24 wherein attribute information comprises name parameters.
  - 26. The method according to claim 24 wherein attribute information comprises universal resource identifiers.
  - 27. The method according to claim 24 wherein attribute information comprises expected data values.
  - 28. The method according to claim 24 wherein attribute information comprises expected value ranges.
  - 29. The method according to claim 24 wherein attribute information comprises expected value types.
  - 30. The method according to claim 24, wherein enriching content description language with the security token, comprises encrypting and preferably digitally signing the security token and after receiving input data and the at least one security token sent by the second computer endpoint, the security service is decrypting and preferably verifying the security token.

35. A security service apparatus for Web application security filtering, the apparatus comprising:
- a) means for receiving content description language transferred between at least a first and a second computer endpoint through the security service apparatus.b) means for enriching the content description language sent by the first computerendpoint with at least one security token that is based on at least one request for inputdata and at least one constraint to the expected input data,c) means for sending to the second computer endpoint content description languageenriched with the at least one security token,d) means for receiving from the second computer endpoint input data together with the at least one security token,e) means for parsing input data and the at least one security token sent by the second computer endpoint,f) means for verifying the input data against the at least one constraint in the security token, andg) means for blocking the transfer of input data which does not conform to the at least one constraint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Phion AG (Barracuda Networks Incorporated)
Original Assignee
Phion AG (Barracuda Networks Incorporated)
Inventors
OESCH, FRIEDRICH CLAUDE, OSTERWALDER, CYRILL

Application Number

US12/685,708
Publication Number

US 20110173443A1
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

SECURE EXTRANET SERVER

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE EXTRANET SERVER

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links