Local authentication of a client at a network device
Abstract
A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to authenticate the client locally. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically reconfigured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new authentication information is created and stored for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can be authenticated locally. As a result, a client may be authenticated locally at a router or similar device, reducing network traffic to the authentication server.
682 Citations
21 Claims
1. A method of controlling access of a client to a network resource, the method comprising the steps of:
creating and storing client authorization information at a network firewall routing device that is logically interposed between the client and the network resource, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and
reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.
determining whether a source IP address of the client in a data packet of the request matches information in a filtering mechanism of the network firewall routing device; and
if so, determining whether the source IP address matches the authorization information stored in the network routing device.
7. A method as recited in claim 1, wherein determining whether the client is authorized to communicate with the network comprises the steps of:
determining whether a source IP address of the client in a data packet of the request matches information in a filtering mechanism of the network firewall routing device;
if a match is found using the filtering mechanism, determining whether the source IP address matches the authorization information stored in the network firewall routing device; and
when the source IP address fails to match the authorization information stored in the network firewall routing device, determining if user identifying information received from the client matches a profile associated with the user that is stored in an authentication server that is coupled to the network firewall routing device.
8. A method as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether client identifying information in the request matches information in a filtering mechanism of the network firewall routing device;
if a match is found using the filtering mechanism, determining whether the client identifying information matches the authorization information stored in the network firewall routing device; and
only when the client identifying information fails to match the authorization information stored in the network firewall routing device, then:
creating and storing new authorization information in the network firewall routing device that is uniquely associated with the client;
requesting login information from the client;
authenticating the login information by communicating with an authentication server that is coupled to the network firewall routing device; and
updating the new authorization information based on information received from the authentication server.
9. A method as recited in claim 8, wherein:
requesting login information from the client comprises sending a Hypertext Markup Language login form from the network firewall routing device to the client to solicit a username and a user password; and
authenticating the login information by communicating with an authentication server that is coupled to the network firewall routing device comprises determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.
10. A method as recited in claim 8, further comprising the steps of:
creating and storing an inactivity timer for each authentication cache, wherein the inactivity timer expires when no communications are directed from the client to the network resource through the network firewall routing device during a pre-determined period of time;
removing the updated authentication information when the inactivity timer expires.
11. A method as recited in claim 1, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
determining whether a source IP address in the request matches information in a filtering mechanism of the network firewall routing device;
determining whether the source IP address matches the authorization information stored in the network firewall routing device using an authentication cache in the network firewall routing device; and
only when the source IP address fails to match the authorization information stored in the network firewall routing device, then:
creating and storing a new entry in the authentication cache that is uniquely associated with the client;
requesting login information from the client;
authenticating the login information by communicating with an authentication server that is coupled to the network firewall routing device; and
updating the new entry in the authentication cache based on information received from the authentication server.
12. A method as recited in claim 1, wherein reconfiguring the network firewall routing device comprises the steps of creating and storing one or more commands to the network firewall routing device which, when executed by the network firewall routing device, result in modifying one or more routing interfaces of the network firewall routing device to permit communications between the client and the network resource.
13. A method of controlling access of a client to a network resource using a network firewall routing device that is logically interposed between the client and the network resource, the method comprising the steps of:
creating and storing client authorization information at the network firewall routing device, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the network firewall device, whether the client is authorized to communicate with the network resource based on the authorization information; and
reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information;
the network firewall routing device comprising a firewall that protects the network resource by selectively blocking messages initiated by client and directed to the network resource, the firewall comprising an external interface and an internal interface, the firewall comprising an Output Access Control List at the internal interface and an Input Access Control List at the external interface, wherein reconfiguring the network firewall routing device comprises:
substituting the IP address in a user profile information associated with a user of the client to create a new user profile information, wherein the user profile associated with the user of the client is received from an authentication server that is coupled to the network firewall routing device; and
adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface.
creating and storing an inactivity timer for the authorization information, wherein the inactivity timer expires when no communications are directed from the client to the network resource through the network firewall routing device during a pre-determined period of time;
associating the temporary entries with the authorization information and the client; and
removing the temporary entries and the authorization information from the network firewall routing device if the inactivity timer expires.
15. A method as recited in claim 14, wherein the authorization information includes a table of hashed entries and wherein associating the temporary entries to the authorization information further comprises storing the temporary entries in the table of hashed entries.
16. A method of controlling access of a client to a network resource using a network firewall routing device that is logically interposed between the client and the network resource, the method comprising the steps of:
creating and storing client authorization information at the network firewall routing device, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and
reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information;
the network firewall routing device comprising a firewall that protects the network resource by selectively blocking messages initiated by client and directed to the network resource, the firewall comprising an external interface and an internal interface, the firewall comprising an Output Access Control List at the external interface and an Input Access Control List at the internal interface, wherein reconfiguring the network firewall routing device comprises the step of:
substituting the IP address in a user profile information associated with a user of the client to create a new user profile information, wherein the user profile associated with the user of the client is received from an authentication server that is coupled to the network firewall routing device; and
adding the new user profile information as temporary entries to the Input Access Control List at the internal interface and to the Output Access Control List at the external interface.
creating and storing an inactivity timer for the authorization information, wherein the inactivity timer expires when no communications are directed from the client to the network resource through the network firewall routing device during a pre-determined period of time;
associating the temporary entries with the authorization information and the client; and
removing the temporary entries and the authorization information from the network firewall routing device if the inactivity timer expires.
18. A method as recited in claim 17, wherein the authorization information includes a table of hashed entries and wherein associating the temporary entries to the authorization information further comprises storing the temporary entries in the table of hashed entries.
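The cache lookup, the fallback to the remote authentication server, the substitution of the client's IP address into the user profile to form temporary access-list entries, and the inactivity timer described in the abstract and in claims 8, 10, 11, 13 and 14 can be modelled as one small state machine. The Python below is an added illustration written for this page, not code from the patent or its assignee. The Profile format, the CLIENT placeholder in rule strings, the rule text, the class and method names, and the sample prefix, addresses and credentials are all constructed assumptions; the placement of the same rule in an Input ACL on the external interface and an Output ACL on the internal interface follows the claim 13 layout, not any real router's configuration syntax.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Profile:
    """User profile held by the simulated authentication server (assumed
    format). acl_template rules carry a CLIENT placeholder that is replaced
    by the client's source IP when the rules are installed."""
    username: str
    password: str
    acl_template: list


@dataclass
class CacheEntry:
    """One authentication-cache entry, keyed by the client's source IP."""
    ip: str
    authenticated: bool = False
    last_seen: float = 0.0
    temp_acl_entries: list = field(default_factory=list)


class AuthServer:
    """Stand-in for the remote authentication server; counts requests so the
    reduction in server traffic after local authentication is observable."""

    def __init__(self, profiles):
        self.profiles = profiles
        self.requests = 0

    def authenticate(self, username, password):
        self.requests += 1
        profile = self.profiles.get(username)
        if profile is not None and profile.password == password:
            return profile
        return None


class FirewallRouter:
    """Firewall routing device with an authentication cache, a filtering
    mechanism (which source prefixes are subject to authentication), an
    Input ACL on the external interface, an Output ACL on the internal
    interface, and a per-entry inactivity timer."""

    def __init__(self, auth_server, intercept_prefixes, idle_timeout):
        self.auth_server = auth_server
        self.intercept_nets = [ipaddress.ip_network(p) for p in intercept_prefixes]
        self.idle_timeout = idle_timeout
        self.cache = {}
        self.input_acl = []   # external interface
        self.output_acl = []  # internal interface

    def _subject_to_auth(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.intercept_nets)

    def _expire(self, now):
        """Inactivity timer: drop entries idle for idle_timeout seconds
        together with the temporary ACL entries they installed."""
        for ip, entry in list(self.cache.items()):
            if now - entry.last_seen >= self.idle_timeout:
                for rule in entry.temp_acl_entries:
                    self.input_acl.remove(rule)
                    self.output_acl.remove(rule)
                del self.cache[ip]

    def handle_packet(self, src_ip, now):
        """'bypass': not matched by the filter; 'forward': authenticated from the
        cache with no server traffic; 'login-required': no valid entry, a new
        one is created and the router would now send the HTML login form."""
        self._expire(now)
        if not self._subject_to_auth(src_ip):
            return "bypass"
        entry = self.cache.get(src_ip)
        if entry is not None and entry.authenticated:
            entry.last_seen = now
            return "forward"
        if entry is None:
            self.cache[src_ip] = CacheEntry(ip=src_ip, last_seen=now)
        return "login-required"

    def login(self, src_ip, username, password, now):
        """Check form credentials at the remote server; on success update the
        cache entry and reconfigure the access lists for this client."""
        self._expire(now)
        entry = self.cache.get(src_ip)
        if entry is None:
            return "login-required"
        profile = self.auth_server.authenticate(username, password)
        if profile is None:
            return "denied"
        # Substitute the client IP into the profile and add the result as
        # temporary entries to both access lists.
        rules = [r.replace("CLIENT", src_ip) for r in profile.acl_template]
        self.input_acl.extend(rules)
        self.output_acl.extend(rules)
        entry.authenticated = True
        entry.temp_acl_entries = rules
        entry.last_seen = now
        return "forward"


def demo():
    """Walk one client through the lifecycle using constructed sample data."""
    server = AuthServer({"alice": Profile("alice", "s3cret",
                         ["permit tcp host CLIENT host 10.0.0.5 eq 80"])})
    fw = FirewallRouter(server, ["192.168.1.0/24"], idle_timeout=300)
    decisions = [
        fw.handle_packet("192.168.1.10", now=0),             # login-required
        fw.login("192.168.1.10", "alice", "wrong", now=1),   # denied
        fw.login("192.168.1.10", "alice", "s3cret", now=2),  # forward
        fw.handle_packet("192.168.1.10", now=100),           # forward, from cache
        fw.handle_packet("10.0.0.9", now=100),               # bypass, outside filter
    ]
    acl_after_login = list(fw.input_acl)
    decisions.append(fw.handle_packet("192.168.1.10", now=500))  # idle > 300 s
    return {"decisions": decisions, "server_requests": server.requests,
            "acl_after_login": acl_after_login,
            "acls_after_expiry": (list(fw.input_acl), list(fw.output_acl))}
```

Calling demo() shows the sequence the claims describe: the first packet creates a cache entry and would trigger the login form, a wrong password is refused by the server, a correct one installs the substituted rule and marks the entry authenticated, later packets are forwarded from the cache without contacting the server, a client outside the filtered prefix is never challenged, and once the client has been idle longer than the timer both the rule and the cache entry disappear, so the next packet starts the exchange again.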
19. A computer-readable medium carrying one or more sequences of one or more instructions for controlling access of a client to a network resource using a network firewall routing device, the one or more sequences of one or more instructions including instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:
creating and storing client authorization information at the network firewall routing device that is logically interposed between the client and the network resource, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and
reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.
20. A computer system for controlling access of a client to a network resource using a network firewall routing device, comprising:
one or more processors;
a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
creating and storing client authorization information at the network firewall routing device that is logically interposed between the client and the network resource, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and
reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.
21. A data packet firewall router that is logically interposed between a client and a network resource and that controls access of the client to the network resource, comprising:
one or more processors;
a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
creating and storing client authorization information at the router, wherein the client authentication information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
receiving a request from the client to communicate with the network resource;
determining, at the router, whether the client is authorized to communicate with the network resource based on the authorization information; and
reconfiguring the router to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.
Specification