Techniques for eliminating redundant access checking by access filters

US 6,105,027 A
Filed: 03/04/1998
Issued: 08/15/2000
Est. Priority Date: 03/10/1997
Status: Expired due to Term

First Claim

Patent Images

1. An access filter which is used as one of a plurality of access filters in a network, the access filter serving to make a determination whether a request for access by a user to an information resource will be permitted and the network further including a client from which the user makes the request via a path in the network that includes at least one of the acess filters and a server that provides the information resource in response to the request, the access filter comprising:

a local copy of access control information that indicates whether the user may access the resource;

an access checker which employs the local copy to make the determination; and

an access check confirmer that determines whether another access filter in the path has already made the determination and only causes the access checker to make the determination if no other access filter has done so.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base to determine whether an access request is made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to of access policies which define access in terms of the user groups and information sets. The rights of administrators are similarly determined by administrative policies. Access is further permitted only if the trust levels of a mode of identification of the user and of the path in the network by which the access is made are sufficient for the sensitivity level of the information resource. If necessary, the access filter automatically encrypts the request with an encryption method whose trust level is sufficient. The first access filter in the path performs the access check and encrypts and authenticates the request; the other access filters in the path do not repeat the access check.

605 Citations

14 Claims

1. An access filter which is used as one of a plurality of access filters in a network, the access filter serving to make a determination whether a request for access by a user to an information resource will be permitted and the network further including a client from which the user makes the request via a path in the network that includes at least one of the acess filters and a server that provides the information resource in response to the request, the access filter comprising:
- a local copy of access control information that indicates whether the user may access the resource;
  
  an access checker which employs the local copy to make the determination; and
  
  an access check confirmer that determines whether another access filter in the path has already made the determination and only causes the access checker to make the determination if no other access filter has done so.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The access filter set forth in claim 1 further comprising:
    - an encrypter/decrypter for encrypting and decrypting the request; and
      
      when the determination is that the request will be permitted, the encrypter/decrypter encrypts the request.
  - 3. The access filter set forth in claim 2 wherein:
    - each of the access filters has a key for encrypting requests to be decrypted by the access filter;
      
      each of the access filters has routing information from which the last access filter in the path can be determined and key information which gives the access filter access to the key belonging to the last access filter; and
      
      when the access filter is the other access filter, the encrypter/decrypter encrypts the request using the key belonging to the last access filter.
  - 4. The access filter set forth in claim 2 wherein:
    - the encrypter encrypts the request such that the request can be decrypted by the encrypter/decrypter in the last access filter in the path.
  - 5. The access filter set forth in claim 4 wherein:
    - the encrypter can encrypt the request according to a plurality of encryption methods;
      
      the access control information associates a sensitivity level with the resource and a trust level with each of the plurality of encryption methods; and
      
      the encrypter encrypts the request using an encryption method of the plurality such that the trust level of the encryption method is at least equal to the sensitivity level of the resource.
  - 6. The access filter set forth in claim 2 wherein:
    - the client encrypts the request; and
      
      the access filter employes the encrypter-decrypter to decrypt the request prior to making the determination.
  - 7. The access filter set forth in any one of claims 1 through 6 further comprising:
    - an authenticator for making an authentication for the request;
      
      when the determination is that the request will be permitted, the access filter employs the authenticator to produce authentication information that authenticates the request and adds the authentication information to the request; and
      
      the access check confirmer determines from the added authentication information whether another access filter has already made the determination.
  - 8. The access filter set forth in claim 1 further comprising:
    - an editor for making a change in the local copy of the access control information; and
      
      a change propagator for propagating the change to others of the plurality of access filters.
  - 9. The access filter set forth in claim 8 wherein:
    - the access control information further indicates whether a given user may make a change in a predetermined part of the local copy; and
      
      the access checker further employs the local copy when a user employs the editor to make a particular change to make a determination whether the user is permitted to make the particular change.
  - 10. The access filter set forth in claim 9 wherein:
    - the access control information further permits a given user who may make a change in the predetermined part to delegate making the change to another user.
  - 11. A data storage device for use in a system including a processor, the data storage device being characterized in that:
    - the data storage device contains code which, when executed in the processor, implements the access filter set forth in claim 1.
  - 12. The access filter set firth in claim 1 wherein:
    - the access filter is implemented as an application program executing under an operating system.
  - 13. The access filter set forth in claim 1 wherein:
    - the access filter is implemented as a component of an operating system.
  - 14. The access filter set forth in claim 1 wherein:
    - the access filter is implemented as a component of a router in the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dropbox, Inc.
Original Assignee
Internet Dynamics, Inc. (SonicWall Holdings Ltd.)
Inventors
Schneider, David S., Lipstone, Laurence R., Jensen, Daniel, Ribet, Michael B.
Primary Examiner(s)
HOMERE, JEAN RAYMOND

Application Number

US09/034,587
Time in Patent Office

895 Days
Field of Search

707/9, 707/10, 395/200.33, 395/200.47, 395/200.59, 395/187.01, 709/201, 709/205, 709/217, 709/225, 709/229
US Class Current

1/1
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Y10S 707/99939   Privileged access

Techniques for eliminating redundant access checking by access filters

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

605 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for eliminating redundant access checking by access filters

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

605 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links