MONITORING REMOTE ACCESS TO AN ENTERPRISE NETWORK

US 20130067072A1
Filed: 11/18/2011
Published: 03/14/2013
Est. Priority Date: 09/12/2011
Status: Active Grant

First Claim

Patent Images

1. A method of operating a computing device comprising at least one processor for monitoring remote access to an enterprise network, the method comprising, with the at least one processor:

generating, for a first entity accessing a resource on the enterprise network through a remote client computer, a first identifier of at least one first security association between the first entity and the resource;

associating, based on the first identifier, the at least one first security association with a first entity session created for the first entity, wherein each of the at least one first security association in the first entity session has the first identifier;

determining, based on an identity of the remote client computer, that the first entity session belongs to a connection between the remote client computer and the enterprise network, wherein the connection comprises security associations created for resources on the enterprise network that are accessed through the remote client computer connected to the enterprise network; and

providing a representation of the connection based on the determination, the representation indicating that the resource is accessed by the first entity through the remote client computer over the connection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to provide an improved representation of remote network access for a network administrator managing and controlling access to resources on an enterprise network. The representation indicates resources accessed by a remote computer or by a user of that computer and provides associated information useful for managing remote network access. To create the representation, multiple security associations formed between a remote client computer and resources on the enterprise network are associated with entity sessions, based on identical session identifiers generated for each security association within an entity session. The entity sessions may be aggregated into a to DirectAccess “connection” between the remote client computer and the enterprise network, based on an identity of the remote client computer. Resources accessed over the connection may be identified using a session identifier of each entity session so that security associations in that entity session may be matched with the resources.

10 Citations

View as Search Results

20 Claims

1. A method of operating a computing device comprising at least one processor for monitoring remote access to an enterprise network, the method comprising, with the at least one processor:
- generating, for a first entity accessing a resource on the enterprise network through a remote client computer, a first identifier of at least one first security association between the first entity and the resource;
  
  associating, based on the first identifier, the at least one first security association with a first entity session created for the first entity, wherein each of the at least one first security association in the first entity session has the first identifier;
  
  determining, based on an identity of the remote client computer, that the first entity session belongs to a connection between the remote client computer and the enterprise network, wherein the connection comprises security associations created for resources on the enterprise network that are accessed through the remote client computer connected to the enterprise network; and
  
  providing a representation of the connection based on the determination, the representation indicating that the resource is accessed by the first entity through the remote client computer over the connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - generating the first identifier based on at least one parameter of the at least one first security association.
  - 3. The method of claim 2, wherein:
    - the first entity comprises at least one selected from the group consisting of a user of the remote client computer that has a user account with the enterprise network and the remote client computer that has a computer account with the enterprise network.
  - 4. The method of claim 1, wherein:
    - the at least one first security association is generated for an IPsec session between the remote client computer and the resource.
  - 5. The method of claim 1, wherein:
    - the connection comprises a remote network access connection; and
      
      the remote client computer is connected to the corporate network using DirectAccess.
  - 6. The method of claim 1, wherein providing the representation on the connection based on the determination comprises:
    - determining, based on the first identifier, that the resource is accessed over the connection.
  - 7. The method of claim 1, further comprising:
    - generating, for a second entity accessing a second resource on the enterprise network through the remote client computer, a second identifier for at least one second security association between the second entity and the second resource;
      
      associating, based on the second identifier, the at least one second security association with a second entity session created for the second entity, wherein each of the at least one second security association in the second entity session has the second identifier;
      
      determining, based on the identity of the remote client computer, that the second entity session belongs to the connection between the remote client computer and the enterprise network; and
      
      providing a representation of the connection based on the determination, the representation indicating that the second resource is accessed by the second entity through the remote client computer over the connection.
  - 8. The method of claim 1, wherein:
    - providing the representation comprises displaying the representation on a user interface.
  - 9. The method of claim 8, further comprising:
    - enabling a user to provide input with respect to the representation.
  - 10. The method of claim 1, further comprising:
    - providing information obtained in conjunction with the connection, the information comprising at least one parameter of the connection.
  - 11. The method of claim 10, wherein:
    - the information further comprises resource usage information on the connection.
  - 12. The method of claim 1, wherein:
    - an identity of the remote client computer comprises an IP address of the remote client computer.

13. A computer comprising at least one processor, the computer adapted to, with the at least one processor:
- generate, for an entity accessing a resource on the enterprise network through a remote client computer, an identifier for at least one security association between the entity and the resource;
  
  associate, based on the identifier, the at least one security association with an entity session created for the entity, wherein each of the at least one security association in the entity session has the identifier;
  
  determine, based on an identity of the remote client computer, that the entity session belongs to a connection between the remote client computer and the enterprise network, wherein the connection comprises security associations created for resources on the enterprise network that are accessed through the remote client computer connected to the enterprise network; and
  
  provide a representation of the connection based on the determination, the representation indicating that the resource is accessed by the entity through the remote client computer over the connection.
- View Dependent Claims (14, 15, 16)
- - 14. The computer of claim 13, wherein the computer is adapted to:
    - provide the representation of the connection by;
      
      determining, based on the identifier, that the resource is accessed over the connection.
  - 15. The computer of claim 13, wherein:
    - the remote client computer is connected to the enterprise network using DirectAccess.
  - 16. The computer of claim 13, further adapted to:
    - provide the representation by displaying the representation on a user interface.

17. At least one computer-readable storage medium comprising computer-executable instructions that, when executed by at least one processor, implement a method of monitoring remote access to an enterprise network, the method comprising:
- generating, for an entity accessing a resource on the enterprise network through a remote client computer, an identifier for at least one security association between the entity and the resource;
  
  associating, based on the identifier, the at least one security association with an entity session created for the entity, wherein each of the at least one security association in the entity session has the identifier;
  
  determining, based on an identity of the remote client computer, that the entity session belongs to a connection between the remote client computer and the enterprise network, wherein the connection comprises security associations created for resources on the enterprise network that are accessed through the remote client computer connected to the enterprise network; and
  
  providing information on the connection based on the determination, the representation indicating that the resource is accessed by the entity through the remote client computer over the connection.
- View Dependent Claims (18, 19, 20)
- - 18. The at least one computer-readable storage medium of claim 17, wherein:
    - the remote client computer is connected to the enterprise network using DirectAccess.
  - 19. The at least one computer-readable storage medium of claim 17, whereinproviding the information on the connection based on the determination comprises:
    - determining, based on the identifier, that the resource is accessed over the connection.
  - 20. The at least one computer-readable storage medium of claim 17, wherein:
    - the resource comprises at least one application server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Diaz-Cuellar, Gerardo, Gupta, Dhiraj K., Saxena, Ashish, Tiwari, Abhishek

Granted Patent

US 8,775,614 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3065   Monitoring arrangements det...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/133   Protocols for remote proced...

MONITORING REMOTE ACCESS TO AN ENTERPRISE NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MONITORING REMOTE ACCESS TO AN ENTERPRISE NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links