System and Method for Providing Access Control

US 20120117615A1
Filed: 01/09/2012
Published: 05/10/2012
Est. Priority Date: 10/10/2002
Status: Active Grant

First Claim

Patent Images

1. A method for network access control, comprising:

at a control device, receiving a first network communication from a first application running on a client device communicatively connected to the control device, the network communication being destined for a network communicatively connected to the control device;

determining whether the client device is authorized to access the network based on at least one interface specific rule;

if the client device is not authorized to access the network, applying a first global rule;

if the client device is authorized to access the network, applying a second global rule;

receiving a second network communication from the first application or a second application running on the client device;

processing the second network communication according to a plurality of stages, including a client discrimination stage and a user specific rule stage;

at the client discrimination stage;

extracting information associated with the client device from the second network communication; and

associating the second network communication with user specific traffic control rules and user specific firewall rules; and

at the user specific rule stage;

accessing the user specific traffic control rules and the user specific firewall rules based on the extracted information associated with the client device; and

applying the user specific traffic control rules and the user specific firewall rules to the second network communication as governed by user specific provisioning rules.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A control device may be configured to monitor a network connection. An application running on a client device may send a first network communication destined for a network communicatively connected to the control device. Depending upon whether the client device is authorized to access the network, different global rules may be applied. The first application or a second application running on the client device may send a second network communication. The control device may process the second network communication according to a plurality of stages. Specifically, the control device may extract information associated with the client device from the second network communication and associate user specific rules at a client discrimination stage. The control device may, at a user specific rule stage, access these rules and apply accordingly to the second network communication as governed by user specific provisioning rules.

Citations

31 Claims

1. A method for network access control, comprising:
- at a control device, receiving a first network communication from a first application running on a client device communicatively connected to the control device, the network communication being destined for a network communicatively connected to the control device;
  
  determining whether the client device is authorized to access the network based on at least one interface specific rule;
  
  if the client device is not authorized to access the network, applying a first global rule;
  
  if the client device is authorized to access the network, applying a second global rule;
  
  receiving a second network communication from the first application or a second application running on the client device;
  
  processing the second network communication according to a plurality of stages, including a client discrimination stage and a user specific rule stage;
  
  at the client discrimination stage;
  
  extracting information associated with the client device from the second network communication; and
  
  associating the second network communication with user specific traffic control rules and user specific firewall rules; and
  
  at the user specific rule stage;
  
  accessing the user specific traffic control rules and the user specific firewall rules based on the extracted information associated with the client device; and
  
  applying the user specific traffic control rules and the user specific firewall rules to the second network communication as governed by user specific provisioning rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the first and second global rules comprise firewall rules.
  - 3. The method of claim 1, wherein the first global rule specifies a requirement for virus scanning.
  - 4. The method of claim 1, wherein the at least one interface specific rule, the first global rule, the second global rule, the user specific traffic control rules, and the user specific firewall rules are stored on the control device.
  - 5. The method of claim 1, further comprising:
    - determining if the first network communication is associated with a user that has been authenticated; and
      
      if the user has not been authenticated, capturing a network application session until the user is authenticated.
  - 6. The method of claim 5, wherein the network communication is destined for a network application on the network, further comprising:
    - detecting, based on information in the first network communication, whether the network application session between the first application on the client device and the network application on the network is stateful.
  - 7. The method of claim 5, wherein the act of capturing comprises caching or suspending the network application session.
  - 8. The method of claim 5, wherein the act of capturing comprises maintaining the session on behalf of the first application until the user is authenticated.
  - 9. The method of claim 5, wherein the act of determining if the first network communication is associated with a user that has been authenticated comprises comparing one or more identifiers extracted from the first network communication with stored identifiers associated with previously authenticated users.
  - 10. The method of claim 5, wherein an authentication application performs the act of determining if the first network communication is associated with a user that has been authenticated, and wherein the authentication application is executable on the control device or on a server computer communicatively connected to the control device.
  - 11. The method of claim 5, wherein if the user has not been authenticated, further comprising causing a login web page to be presented on the client device requesting credentials of the user.
  - 12. The method of claim 1, wherein the first application is not the second application.

13. A computer program product comprising at least one non-transitory computer readable storage medium storing instructions translatable by a control device to perform:
- in response to receiving a first network communication from a first application running on a client device communicatively connected to the control device, the network communication being destined for a network communicatively connected to the control device, determining whether the client device is authorized to access the network based on at least one interface specific rule;
  
  if the client device is not authorized to access the network, applying a first global rule;
  
  if the client device is authorized to access the network, applying a second global rule;
  
  in response to receiving a second network communication from the first application or a second application running on the client device, processing the second network communication according to a plurality of stages, including a client discrimination stage and a user specific rule stage, wherein,at the client discrimination stage;
  
  information associated with the client device is extracted from the second network communication; and
  
  the second network communication is associated with user specific traffic control rules and user specific firewall rules; and
  
  at the user specific rule stage;
  
  the user specific traffic control rules and the user specific firewall rules are accessed based on the extracted information associated with the client device; and
  
  the user specific traffic control rules and the user specific firewall rules are applied to the second network communication as governed by user specific provisioning rules.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The computer program product of claim 13, wherein the first and second global rules comprise firewall rules.
  - 15. The computer program product of claim 13, wherein the first global rule specifies a requirement for virus scanning.
  - 16. The computer program product of claim 13, wherein the instructions are further translatable by the control device to perform:
    - determining if the first network communication is associated with a user that has been authenticated; and
      
      if the user has not been authenticated, capturing a network application session until the user is authenticated.
  - 17. The computer program product of claim 16, wherein the network communication is destined for a network application on the network, and wherein the instructions are further translatable by the control device to perform:
    - detecting, based on information in the first network communication, whether the network application session between the first application on the client device and the network application on the network is stateful.
  - 18. The computer program product of claim 16, wherein the act of capturing comprises caching or suspending the network application session.
  - 19. The computer program product of claim 16, wherein the act of capturing comprises maintaining the session on behalf of the first application until the user is authenticated.
  - 20. The computer program product of claim 16, wherein the act of determining if the first network communication is associated with a user that has been authenticated comprises comparing one or more identifiers extracted from the first network communication with stored identifiers associated with previously authenticated users.
  - 21. The computer program product of claim 16, wherein the instructions are further translatable by the control device to perform:
    - if the user has not been authenticated, causing a login web page to be presented on the client device requesting credentials of the user.

22. An apparatus, comprising:
- at least one processor; and
  
  at least one non-transitory computer readable storage medium storing instructions translatable by the at least one processor to perform;
  
  in response to receiving a first network communication from a first application running on a client device communicatively connected to the apparatus, the network communication being destined for a network communicatively connected to the apparatus, determining whether the client device is authorized to access the network based on at least one interface specific rule;
  
  if the client device is not authorized to access the network, applying a first global rule;
  
  if the client device is authorized to access the network, applying a second global rule;
  
  in response to receiving a second network communication from the first application or a second application running on the client device, processing the second network communication according to a plurality of stages, including a client discrimination stage and a user specific rule stage, wherein,at the client discrimination stage;
  
  information associated with the client device is extracted from the second network communication; and
  
  the second network communication is associated with user specific traffic control rules and user specific firewall rules; and
  
  at the user specific rule stage;
  
  the user specific traffic control rules and the user specific firewall rules are accessed based on the extracted information associated with the client device; and
  
  the user specific traffic control rules and the user specific firewall rules are applied to the second network communication as governed by user specific provisioning rules.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The apparatus of claim 22, wherein the first and second global rules comprise firewall rules.
  - 24. The apparatus of claim 22, wherein the first global rule specifies a requirement for virus scanning.
  - 25. The apparatus of claim 22, wherein the at least one interface specific rule, the first global rule, the second global rule, the user specific traffic control rules, and the user specific firewall rules are stored on the apparatus.
  - 26. The apparatus of claim 22, wherein the instructions are further translatable by the at least one processor to perform:
    - determining if the first network communication is associated with a user that has been authenticated; and
      
      if the user has not been authenticated, capturing a network application session until the user is authenticated.
  - 27. The apparatus of claim 26, wherein the network communication is destined for a network application on the network, and wherein the instructions are further translatable by the at least one processor to perform:
    - detecting, based on information in the first network communication, whether the network application session between the first application on the client device and the network application on the network is stateful.
  - 28. The apparatus of claim 26, wherein the act of capturing comprises caching or suspending the network application session.
  - 29. The apparatus of claim 26, wherein the act of capturing comprises maintaining the session on behalf of the first application until the user is authenticated.
  - 30. The apparatus of claim 26, wherein the act of determining if the first network communication is associated with a user that has been authenticated comprises comparing one or more identifiers extracted from the first network communication with stored identifiers associated with previously authenticated users.
  - 31. The apparatus of claim 26, wherein the instructions are further translatable by the at least one processor to perform:
    - if the user has not been authenticated, causing a login web page to be presented on the client device requesting credentials of the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netskope Incorporated
Original Assignee
Rocksteady Technologies LLC
Inventors
MacKinnon, Richard, Looney, Kelly, White, Eric

Granted Patent

US 8,484,695 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 67/306   User profiles

System and Method for Providing Access Control

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Providing Access Control

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links