TECHNIQUES FOR SECURE ACCESS MANAGEMENT IN VIRTUAL ENVIRONMENTS

US 20110214176A1
Filed: 02/27/2010
Published: 09/01/2011
Est. Priority Date: 02/27/2010
Status: Active Grant

First Claim

Patent Images

1. A method implemented and residing within a non-transitory computer-readable storage medium that is executed by a processor, the processor configured to perform the method, comprising:

receiving a virtual machine (VM) request from a portal;

instantiating a VM to be accessed at a dynamically created Internet Protocol (IP) address and at a dynamically created communication port number;

acquiring a secure token for a communication session to the VM; and

returning the IP address, the port number, and the secure token back to the portal for the portal to communicate to an identity service that dynamically generates policy to be enforced during the communication session, the identity service also providing the IP address, the port number, and the secure token to an authenticated principal to use during the communication session with the VM and the identity service provides the policy to a secure socket layer virtual private network (SSL VPN) server for the SSL VPN server to enforce the policy when the principal initiates the communication session with the VM via a SSL VPN connection through the SSL VPN.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for secure access management to virtual environments are provided. A user authenticates to a portal for purposes of establishing a virtual machine (VM). The portal interacts with a cloud server and an identity server to authenticate the user, to acquire an Internet Protocol (IP) address and port number for the VM, and to obtain a secure token. The user then interacts with a secure socket layer virtual private network (SSL VPN) server to establish a SSL VPN session with the VM. The SSL VPN server also authenticates the token through the identity server and acquires dynamic policies to enforce during the SSL VPN session between the user and the VM (the VM managed by the cloud server).

308 Citations

20 Claims

1. A method implemented and residing within a non-transitory computer-readable storage medium that is executed by a processor, the processor configured to perform the method, comprising:
- receiving a virtual machine (VM) request from a portal;
  
  instantiating a VM to be accessed at a dynamically created Internet Protocol (IP) address and at a dynamically created communication port number;
  
  acquiring a secure token for a communication session to the VM; and
  
  returning the IP address, the port number, and the secure token back to the portal for the portal to communicate to an identity service that dynamically generates policy to be enforced during the communication session, the identity service also providing the IP address, the port number, and the secure token to an authenticated principal to use during the communication session with the VM and the identity service provides the policy to a secure socket layer virtual private network (SSL VPN) server for the SSL VPN server to enforce the policy when the principal initiates the communication session with the VM via a SSL VPN connection through the SSL VPN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein receiving further includes detecting with the VM request a principal identity for the principal that originated the VM request to the portal.
  - 3. The method of claim 1, wherein receiving further includes redirecting, by the portal, the principal to the identity service for authentication of the principal.
  - 4. The method of claim 1, wherein receiving further includes presenting, by the portal, a list of available VMs to the principal, the VM request generated by the portal once the principal selects the VM from the list.
  - 5. The method of claim 1, wherein instantiating further includes using the IP address of a previous different VM that is being recycled for use with the VM to satisfy the VM request, a previous communication with the different VM terminated when the VM request is received for processing.
  - 6. The method of claim 1, wherein acquiring further includes requesting the portal to generate and supply the secure token.
  - 7. The method of claim 1, wherein acquiring further includes requesting the identity service to generate and supply the secure token.
  - 8. The method of claim 1, wherein acquiring further includes requesting both the portal and identity service to cooperate with one another to construct and supply the secure token.

9. A method implemented and residing within a computer-readable storage medium that is executed by a processor of a network to perform the method, comprising:
- receiving a request for a secure socket layer virtual private network (SSL VPN) connection to a Virtual Machine (VM), the request received from a principal to establish a SSL VPN communication session with the VM;
  
  requesting an identity service to authenticate the request on behalf of the principal;
  
  obtaining policies from the identity service for enforcement during the SSL VPN communication session;
  
  connecting the principal to the VM via the SSL VPN communication session when the principal is authenticated, connection achieved via an Internet Protocol (IP) address and port number combination acquired with the request; and
  
  enforcing the policies during the SSL VPN communication session.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein receiving further includes parsing the IP address, the port number, an identity for the principal, and a secure token from the request.
  - 11. The method of claim 10, wherein requesting further includes passing the identity and the secure token to the identity service for purposes of authenticating the request.
  - 12. The method of claim 9, wherein obtaining further includes evaluating at least one policy returned from the identity service that matches the IP address and port number received with the request.
  - 13. The method of claim 9, wherein obtaining further includes acquiring the policies from the identity service as an assertion.
  - 14. The method of claim 9, wherein connecting further includes passing a secure token acquired with the request to the VM to establish the SSL VPN communication session, the secure token validated by the VM before the SSL VPN communication session is permitted to proceed.
  - 15. The method of claim 9, wherein enforcing further includes enlisting a policy enforcer to dynamically evaluate and enforce the policies during the SSL VPN communication session.

16. A multiprocessor-implemented system, comprising:
- a portal server;
  
  an identity server;
  
  a cloud server; and
  
  a secure socket layer virtual private network (SSL VPN) server;
  
  wherein the portal server is configured to facilitate authenticating a principal via the identity server for access to a virtual machine (VM), the cloud server is configured to dynamically instantiate the VM at a specified Internet Protocol (IP) address and port number and the cloud server is configured to provide access to the VM during a SSL VPN session when a secure token is presented, the SSL VPN server is configured to interact with the identity server, the principal, and the cloud server to authenticate the principal and establish the SSL VPN session at the specified IP address and port number with the secure token.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the identity server is configured to dynamically associate policies that are to be enforced by the SSL VPN server during the SSL VPN session, the policies based on an identity for the principal.
  - 18. The system of claim 17, wherein the identity server is configured to supply the policies to the SSL VPN server as an assertion.
  - 19. The system of claim 18, wherein the assertion includes policies identifying the following:
    - a role for the principal, the specified IP address, the port number, a time interval for allowing the SSL VPN session between the principal and the VM, an action for the SSL VPN server to take on successfully evaluation of the policies, and another action for the SSL server to take on unsuccessful evaluation of the policies.
  - 20. The system of claim 18, wherein the SSL VPN server is configured to terminate the SSL VPN session when one of the policies are violated during the SSL VPN session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Burch, Lloyd Leon, Earl, Douglas Garry, Mukkara, Prakash Umasankar

Granted Patent

US 8,984,621 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

G06F 21/33   using certificates

G06F 21/53   by executing in a restricte...

G06F 2221/2149   Restricted operating enviro...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 67/10   in which an application is ...

TECHNIQUES FOR SECURE ACCESS MANAGEMENT IN VIRTUAL ENVIRONMENTS

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

308 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR SECURE ACCESS MANAGEMENT IN VIRTUAL ENVIRONMENTS

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

308 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links