Access control management system utilizing network and application layer access control lists

US 7,054,944 B2
Filed: 12/19/2001
Issued: 05/30/2006
Est. Priority Date: 12/19/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

determining a private network address for a user in connection with the user accessing a network resource on a network;

determining an application layer access control list entry for the user based on an access control policy;

generating a network layer access control list entry for the user based on the determined private network address;

sending the determined application layer access control list entry to nodes on the network that do not support network layer packet filtering;

sending the generated network layer access control list entry to nodes on the network that support network layer packet filtering;

translating a public network address to the private network address for the user accessing the network resource; and

allowing or blocking the user access to the network resource based on at least one of the application layer access control list entry and the network layer access control list entry.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of access control management includes determining a private network address for a user in connection with the user accessing a network resource, determining an access control list entry for the user based on an access control policy, translating a public network address to the private network address for the user accessing the network resource, and allowing or blocking the user access based on the access control list entry, wherein determining the access control list entry is performed before translating the public network address to the private network address.

150 Citations

18 Claims

1. A method comprising:
- determining a private network address for a user in connection with the user accessing a network resource on a network;
  
  determining an application layer access control list entry for the user based on an access control policy;
  
  generating a network layer access control list entry for the user based on the determined private network address;
  
  sending the determined application layer access control list entry to nodes on the network that do not support network layer packet filtering;
  
  sending the generated network layer access control list entry to nodes on the network that support network layer packet filtering;
  
  translating a public network address to the private network address for the user accessing the network resource; and
  
  allowing or blocking the user access to the network resource based on at least one of the application layer access control list entry and the network layer access control list entry.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the generated network layer access control list entry comprises at least one of a destination address, a protocol layer designation, a source port, a destination port, the determined private network address, and an indication of allowed or denied access to the network resource.
  - 3. The method of claim 1, wherein determining the private network address comprises allocating a network address based on a dynamic host configuration protocol (DHCP).
  - 4. The method of claim 1, wherein determining an application layer access control list entry further comprises retrieving an application layer access control list entry stored in a database, andwherein a server computer on the network that does not support network layer packet filtering uses an application layer protocol based on an open system interconnection (OSI) model.
  - 5. The method of claim 1, further comprising storing the access control policy on a storage medium connected to a first computer in the network, the access control policy including defined roles for each user allowed to access a resource in the network.
  - 6. The method of claim 1, further comprising:
    - releasing the private network address following completion of the access to the network resource.
  - 7. The method of claim 6, further comprising:
    - de-installing the network layer access control entry following completion of the access to the network resource.

8. An article comprising a machine-readable medium that stores machine-executable instructions, the instructions causing a machine to:
- determine a private network address for a user in connection with the user accessing a network resource on a network;
  
  determine an application layer access control list entry for the user based on an access control policy;
  
  generate a network layer access control list entry for the user based on the determined private network address;
  
  send the determined application layer access control list entry to nodes on the network that do not support network layer packet filtering;
  
  send the generated network layer access control list entry to nodes on the network that support network layer packet filtering;
  
  translate a public network address to the private network address for the user accessing the network resource; and
  
  allow or block the user access to the network resource based on at least one of the application layer access control list entry and the network control access list entry.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The article of claim 8, wherein the generated network layer access control list entry comprises at least one of a destination address, a protocol layer designation, a source port, a destination port, the determined private network address, and an indication of allowed or denied access to the network resource.
  - 10. The article of claim 8, wherein determining the private network address comprises allocating a network address based on a dynamic host configuration protocol (DHCP).
  - 11. The article of claim 8, wherein determining an application layer access control list entry further comprises retrieving an application layer access control list entry stored in a database, andwherein a server computer on the network that does not support network layer packet filtering uses an application layer protocol based on an open system interconnection (OSI) model.
  - 12. The article of claim 8, further comprising storing the access control policy on a storage medium connected to a first computer in the network, the access control policy including defined roles for each user allowed to access a resource in the network.
  - 13. The article of claim 8, further comprising:
    - releasing the private network address following completion of the access to the network resource.
  - 14. The article of claim 13, further comprising:
    - de-installing the network layer access control entry following completion of the access to the network resource.

15. An apparatus comprising:
- a first memory that stores executable instructions;
  
  a first processor that executes the instructions from the first memory to;
  
  determine a private network address for a user in connection with the user accessing a network resource on a network;
  
  determine an application layer access control list entry for the user based on an access control policy;
  
  generate a network layer access control list entry for the user based on the determine private network address;
  
  send the determined application layer access control list entry to nodes on the network that do not support network layer packet filtering;
  
  send the generated network layer access control list entry to nodes on the network that support network layer packet filtering;
  
  translate a public network address to the private network address for the user accessing the network resource; and
  
  allow or block the user access to the network resource based on at least one of the application layer access control list entry and the network layer access control list entry.
- View Dependent Claims (16, 17, 18)
- - 16. The apparatus of claim 15, wherein the generated network layer access control list entry comprises at least one of a destination address, a protocol layer designation, a source port, a destination port, the determined private network address, and an indication of allowed or denied access to the network resource.
  - 17. The apparatus of claim 15, wherein determining the private network address comprises assigning a network address based on a dynamic host configuration protocol (DHCP).
  - 18. The apparatus of claim 15, wherein the nodes on the network that support network layer packet filtering executes instructions to block or allow access to the network resource based on the network layer access control list entry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Diep, Timothy, Tang, Puqi, Hlasnik, Wayne
Primary Examiner(s)
Vaughn, Jr., William C.

Application Number

US10/029,708
Publication Number

US 20030115344A1
Time in Patent Office

1,623 Days
Field of Search

709/229, 713/201
US Class Current

709/229
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 61/2557   Translation policies or rules

H04L 61/50   Address allocation

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Access control management system utilizing network and application layer access control lists

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

150 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Access control management system utilizing network and application layer access control lists

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links