Identity Propagation

US 20140237539A1
Filed: 02/21/2013
Published: 08/21/2014
Est. Priority Date: 02/21/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

authenticating an endpoint based on a user identity and a credential;

generating a hypertext transfer protocol (HTTP) packet including the user identity;

sending the HTTP packet including the user identity to a policy enforcement device; and

receiving traffic from the policy enforcement device, wherein the traffic is filtered according the user identity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, identity based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet thus allowing identity propagation for other applications and protocols.

Citations

20 Claims

1. A method comprising:
- authenticating an endpoint based on a user identity and a credential;
  
  generating a hypertext transfer protocol (HTTP) packet including the user identity;
  
  sending the HTTP packet including the user identity to a policy enforcement device; and
  
  receiving traffic from the policy enforcement device, wherein the traffic is filtered according the user identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the policy enforcement device is configured to store the identity information in an identity cache.
  - 3. The method of claim 2, further comprising:
    - sending a subsequent connection request to the policy enforcement device, wherein the subsequent connection request includes a session identifier.
  - 4. The method of claim 3, wherein the session identifier is included in a user hint transmission control protocol (TCP) option in a synchronization packet as the subsequent connection request.
  - 5. The method of claim 3, wherein the subsequent connection request is defined using file transfer protocol (FTP), a simple mail transfer protocol (SMTP), or another transmission control protocol.
  - 6. The method of claim 1, wherein the HTTP packet including the user identity is sent to the policy enforcement device through a network address translation (NAT) device.
  - 7. The method of claim 1, wherein the user identity comprises data indicative of a username and a group name.
  - 8. The method of claim 1, further comprising:
    - detecting a restart announcement from the policy enforcement device, wherein the HTTP packet including the user identity is generated in response to the restart announcement.

9. An apparatus comprising:
- a communication interface configured to receive a transmission control protocol (TCP) packet from a host device; and
  
  a controller configured to access a user identity based on the TCP packet from the host device and insert the user identity into the TCP packet for a policy enforcement device, wherein the user identity is defined by a preceding hypertext transfer protocol packet received from the host device, and wherein traffic is filtered according the user identity by the policy enforcement device.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the controller is configured to authenticate the host device based on a credential.
  - 11. The apparatus of claim 9, wherein the policy enforcement device is configured to store the identity information in an identity database.
  - 12. The apparatus of claim 9, wherein the controller is configured to forward subsequent TCP flows to the policy enforcement device, wherein the subsequent TCP flows include a session identifier.
  - 13. The apparatus of claim 12, wherein the session identifier is included in a user hint TCP option in the subsequent TCP flows.
  - 14. The apparatus of claim 9, wherein the user identity comprises data indicative of a username and a group name.
  - 15. The apparatus of claim 9, wherein the TCP packet including the user identity is sent to the policy enforcement device through a network address translation (NAT) device.

16. A method comprising:
- receiving a packet including a session identification value;
  
  extracting the session identification value from the packet;
  
  querying an identity database using the session identification value to access user identity information for a source of the packet according to an internet protocol (IP) address of the source of the packet;
  
  generating a web security packet comprising a header including the user identity information; and
  
  forwarding the web security packet to a policy decision point.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, further comprising:
    - receiving a policy rule from the policy decision point; and
      
      filtering traffic for the source of the packet according to the policy rule.
  - 18. The method of claim 16, wherein the user identity information is included in a user hint transmission control protocol (TCP) option in the packet.

19. An apparatus comprising:
- a memory configured to store session identification values in association with user identities;
  
  a processor configured to extract a user identity from an a hypertext transfer protocol (HTTP) packet and generate a web security packet comprising a header including the user identity; and
  
  a communication device configured to forward the web security packet to a policy decision point.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, wherein the processor is configured to filter traffic for a source of the HTTP packet according to a policy rule received from the policy decision point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wing, Daniel G., Chivukula, Srinivas, Reddy, Tirumaleswar, Patil, Prashanth

Granted Patent

US 9,154,484 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/146   Markers for unambiguous ide...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

Identity Propagation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identity Propagation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links