Secure network file access controller implementing access control and auditing
Abstract
A network file access appliance operates as a secure portal for network file access operations between client computer systems and network storage resources. The file access appliance terminates network file access transactions, identified by packet information including client system, mount point, and file request identifiers, between client systems and mount points supported by the access controller. A policy parser determines, based on the packet information, to selectively initiate network file access transactions between the access controller and network storage resources to enable completion of selected network file access transactions directed from the clients to the network file access appliance. The network file access transactions directed to the network storage resources are modified counterparts of policy selected client network file access transactions modified to reference mapped network storage resource mount points and support the secure transfer and storage of network file data.
27 Claims
1. A secure portal for network file access transactions between client computer systems and network storage resources, said secure portal comprising:
a) a network interface supporting network connections to a client system and a network storage resource, respectively; and
b) an access controller coupled to said network interface, said access controller operative to terminate a first network file access transaction between said client system and a virtual mount point supported by said access controller, wherein said access controller includes a policy parser, responsive to a client system identifier, authorization data including a user session identifier that references a session related group of one or more user processes executing on the client system identified by said client system identifier, a virtual mount point identifier, and a request identifier provided with a first network file request received within said first network file access transaction, operative to selectively enable initiation of a second network file access transaction between said access controller and a defined mount point of said network storage resource dependent on a defined combination including said client system identifier, said virtual mount point identifier, and said request identifier, said second network file access transaction including a second network file request having a modified correspondence with said first network file request to support completion of said first network file access transaction relative to said defined mount point.
Dependent claims: 2, 3, 4, 5, 6
7. A network file access controller providing secure access controls over accesses by client computer systems to network storage resources, said network file access controller comprising:
a) a client network interface presenting a plurality of client mount points for connecting to logical network storage resources;
b) a storage network interface coupleable to a plurality of network storage resources;
c) a file access processor, responsive to session and control information provided by a client computer system in a network data packet within a client network file transaction, operative to selectively perform a storage network file transaction to support completion of said client network file transaction, wherein said session and control information includes a target client mount point specification, a process identifier, and a file access request, and wherein said process identifier references a session related group of one or more user processes executing on said client computer system; and
d) a policy parser, responsive to said file access processor, operative to evaluate a plurality of predefined access constraints against said session and control information to enable said storage network file transaction.
Dependent claims: 8, 9, 10, 11, 12, 13, 14
15. A method of controlling access by client systems to network storage resources, said method comprising the steps of:
a) terminating first network file request transactions, including first file access requests and client and session identifications, initiated by client systems directed against first network files identified by first path specifications, wherein a session identification references a session related group of one or more user processes executing on the client system identified by the associated client identification;
b) selecting predetermined ones of said first file access requests discriminated by said first path specifications by comparison of said first file access requests and said client and session identifications against a predefined set of policy specifications; and
c) initiating second network file request transactions, including second file access requests, against second network files, identified by second file path specifications, stored by network storage resources, wherein said second file access requests correspond to said predetermined ones of said first file access requests to enable completion of said first network file request transactions, and wherein said second file path specifications correspond to said first file path specifications of said predetermined ones of said first file access requests.
Dependent claims: 16, 17, 18, 19, 20, 21
22. A method of operating a secure portal appliance to control access to files stored on network storage resources, said method comprising the steps of:
a) establishing a plurality of virtual mount points accessible by client systems for establishing network file access connections within which to receive first network file access requests, wherein said first network file access requests include client session information that identifies the user session processes executing on a client system that originates a corresponding one of said first network file access requests;
b) evaluating said first network file access requests, including said client session information, against a predetermined set of access policies associated with said virtual mount points to identify second network file requests executable to selectively complete said first network file access requests; and
c) issuing said second network file requests to access network file data to enable selective completion of said first network file access requests.
Dependent claims: 23, 24, 25, 26, 27
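The portal described by the abstract and claims 1, 15 and 22 can be modelled as a small policy proxy: the access controller terminates the client's request against a virtual mount point, the policy parser evaluates the client, session, mount point and request identifiers against predefined constraints, and only a permitted request is reissued, remapped to the defined storage mount point. The following Python is an added illustration, not the patent's own implementation; the mount map, policy table, addresses and session identifiers are constructed sample data, and the path containment check is an added defensive detail the claims do not spell out.

```python
"""Added model of the claimed secure portal (not the patent's implementation):
terminate a client request against a virtual mount point, run the policy
parser over the identifiers, and issue a remapped second request or nothing."""
from dataclasses import dataclass
import posixpath

@dataclass(frozen=True)
class FileRequest:
    client_id: str   # client system identifier (here: its address)
    session_id: str  # references the user session / process group on the client
    mount: str       # mount point the request is directed at
    op: str          # request identifier: "read", "write", "readdir", ...
    path: str        # relative to the mount in a first request; full storage path in a second

# Virtual mount point -> defined mount point on the storage resource (constructed sample)
MOUNT_MAP = {"/export/projects": "/srv/nas1/projects"}
# Predefined access constraints: (client_id, virtual mount) -> permitted operations (constructed)
POLICY = {
    ("10.0.0.5", "/export/projects"): {"read", "readdir"},
    ("10.0.0.9", "/export/projects"): {"read", "readdir", "write"},
}
SESSION_REVOKED = {"sess-77"}  # user sessions whose authorization data is no longer valid
AUDIT_LOG = []  # one record per terminated first transaction, allow or deny

def policy_parser(req):
    """Enable the second transaction only for a permitted combination of identifiers."""
    if req.session_id in SESSION_REVOKED:
        return False
    return req.op in POLICY.get((req.client_id, req.mount), set())

def access_controller(req):
    """Terminate the first transaction; return the second request, or None if not enabled."""
    target = MOUNT_MAP.get(req.mount)
    second = None
    if target is not None and policy_parser(req):
        storage_path = posixpath.normpath(posixpath.join(target, req.path.lstrip("/")))
        # The remapped path must stay inside the defined mount point ('..' escapes are rejected)
        if storage_path == target or storage_path.startswith(target + "/"):
            second = FileRequest(req.client_id, req.session_id, target, req.op, storage_path)
    AUDIT_LOG.append((req.client_id, req.session_id, req.mount, req.op, req.path,
                      "allow" if second else "deny"))
    return second

if __name__ == "__main__":
    for p in ("reports/q1.txt", "../../etc/passwd"):
        print(access_controller(FileRequest("10.0.0.5", "sess-1", "/export/projects", "read", p)))
```

A request that the policy parser does not enable produces no second transaction at all, only an audit record; the client never learns the defined mount point behind the virtual one.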