Local authentication of a client at a network device

US 7,506,054 B1
Filed: 06/30/2003
Issued: 03/17/2009
Est. Priority Date: 07/02/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A system for controlling access of a client to a network resource, the system comprising:

a network resource that is communicatively coupled to a network;

a network firewall routing device that is communicatively coupled to the network and that is logically interposed between the client and the network resource, wherein the network firewall routing device comprises;

a firewall that protects the network resource by means for selectively blocking messages initiated by client and directed to the network resource, wherein the firewall comprises;

an external interface and an internal interface; and

an Output Access Control List at the internal interface and an Input Access Control List at the external interface;

an authentication server that is communicatively coupled to the network and to the network firewall routing device and comprising user profile information;

means for creating and storing client authorization information at the network firewall routing device, based in part on the user profile information, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;

means for receiving a request from the client to communicate with the network resource;

means for determining whether the client is authorized to communicate with the network resource based on the authorization information; and

means for reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information, wherein the means for reconfiguring the network firewall routing device opens a logical passageway for network traffic from the client, wherein the logical passageway does not automatically close when a user terminates a session, and wherein the means for reconfiguring the network firewall routing device further comprises;

means for determining a current IP address of the client;

means for creating a new user profile information, based on the user profile information, that includes the current IP address; and

means for adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally. As a result, a client may be authenticated locally at a router or similar device, reducing network traffic to the authentication server.

78 Citations

View as Search Results

30 Claims

1. A system for controlling access of a client to a network resource, the system comprising:
- a network resource that is communicatively coupled to a network;
  
  a network firewall routing device that is communicatively coupled to the network and that is logically interposed between the client and the network resource, wherein the network firewall routing device comprises;
  
  a firewall that protects the network resource by means for selectively blocking messages initiated by client and directed to the network resource, wherein the firewall comprises;
  
  an external interface and an internal interface; and
  
  an Output Access Control List at the internal interface and an Input Access Control List at the external interface;
  
  an authentication server that is communicatively coupled to the network and to the network firewall routing device and comprising user profile information;
  
  means for creating and storing client authorization information at the network firewall routing device, based in part on the user profile information, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
  
  means for receiving a request from the client to communicate with the network resource;
  
  means for determining whether the client is authorized to communicate with the network resource based on the authorization information; and
  
  means for reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information, wherein the means for reconfiguring the network firewall routing device opens a logical passageway for network traffic from the client, wherein the logical passageway does not automatically close when a user terminates a session, and wherein the means for reconfiguring the network firewall routing device further comprises;
  
  means for determining a current IP address of the client;
  
  means for creating a new user profile information, based on the user profile information, that includes the current IP address; and
  
  means for adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A system as recited in claim 1, wherein the means for creating and storing client authorization information comprises means in the network firewall routing device for caching client authorization information for each client that communicates with the network firewall routing device.
  - 3. A system as recited in claim 1, wherein the client authorization information comprises an authentication cache in the network firewall routing device for each client that communicates with the network firewall routing device.
  - 4. A system as recited in claim 1, wherein the client authorization information comprises:
    - a plurality of authentication caches,wherein each authentication cache is uniquely associated with one of a plurality of clients that communicate with the network routing device, andwherein each authentication cache comprises;
      
      information indicating whether the client is authorized to communicate with the network resource, andinformation indicating what access privileges the client is authorized to have with respect to the network resource.
  - 5. A system as recited in claim 1, wherein the means for determining whether the client is authorized to communicate with the network resource comprises means for matching information in the request identifying the client to information in means for filtering in the network routing device and to the authorization information stored in the network firewall routing device.
  - 6. A system as recited in claim 1, wherein the means for determining whether the client is authorized to communicate with the network resource comprises:
    - means for matching a source IP address of the client in a data packet of the request to information in a filtering mechanism of the network routing device; and
      
      means for matching the source IP address to the authorization information stored in the network firewall routing device if the source IP address matches the information in the filtering mechanism of the network routing device.
  - 7. A system as recited in claim 1, wherein the means for determining whether the client is authorized to communicate with the network resource comprises:
    - means for matching a source IP address of the client in a data packet of the request to information in a means for filtering in the network routing device;
      
      means for matching the source IP address to the authorization information stored in the network firewall routing device if the source IP address matches the information in the filtering mechanism of the network routing device; and
      
      means for matching user identifying information received from the client to a profile associated with the user that is stored in the authentication server if the source IP address fails to match the authorization information stored in the network firewall routing device.
  - 8. A system as recited in claim 1, wherein the means for determining whether the client is authorized to communicate with the network resource comprises:
    - means for matching a source IP address of the client in a data packet of the request to information in a filtering mechanism of the network routing device;
      
      means for matching the source IP address to the authorization information stored in the network firewall routing device if the source IP address matches the information in the filtering mechanism of the network routing device; and
      
      means for matching user identifying information received from the client to a profile associated with the user that is stored in a database server and is retrieved from the database server by the authentication server, if the source IP address fails to match the authorization information stored in the network firewall routing device.
  - 9. A system as recited in claim 1, wherein the means for determining whether the client is authorized to communicate with the network resource comprises:
    - means for matching client identifying information in the request to information in a filtering mechanism of the network routing device;
      
      means for matching the client identifying information to the authorization information stored in the network firewall routing device, if a match is found using the filtering mechanism; and
      
      means used, only when the client identifying information fails to match the authorization information stored in the network firewall routing device, for;
      
      creating and storing new authorization information in the network firewall routing device that is uniquely associated with the client;
      
      requesting login information from the client;
      
      authenticating the login information by communicating with the authentication server; and
      
      updating the new authorization information based on information received from the authentication server.
  - 10. A system as recited in claim 9, wherein the means for requesting login information from the client comprises means for sending a Hypertext Markup language login form from the network firewall routing device to the client to solicit a username and a user password;
    - and wherein the means for authenticating the login information comprises means for determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.
  - 11. A system as recited in claim 9, wherein the means for requesting login information from the client comprises means for sending a Hypertext Markup language login form from the network firewall routing device to the client to solicit a username and a user password;
    - and wherein the means for authenticating the login information comprises;
      
      means for retrieving a profile associated with a user of the client from a database server;
      
      and means for determining, from the profile associated with the user, whether the username and password are valid.
  - 12. A system as recited in claim 9, the system further comprising:
    - means for creating and storing an inactivity timer for each authorization information, wherein the inactivity timer expires when no communications are directed from the client to the network resource through the network firewall routing device during a pre-determined period of time;
      
      means for removing the updated authorization information when the inactivity timer expires.
  - 13. A system as recited in claim 1, wherein the means for determining whether the client is authorized to communicate with the network resource comprises:
    - means for matching a source IP address in the request to information in a filtering mechanism of the network routing device;
      
      means for matching the source IP address to the authorization information stored in the network firewall routing device using an authentication cache in the network firewall routing device; and
      
      means used, only when the source IP address fails to match the authorization information stored in the network firewall routing device, for;
      
      creating and storing a new entry in the authentication cache that is uniquely associated with the client;
      
      requesting login information from the client;
      
      authenticating the login information by communicating with the authentication server; and
      
      updating the new entry in the authentication cache based on information received from the authentication server.
  - 14. A system as recited in claim 1, wherein the means for reconfiguring the network firewall routing device comprises means for creating and storing one or more commands to the network firewall routing device which, when executed by the network firewall routing device, result in modifying one or more routing interfaces of the network firewall routing device to permit communications between the client and the network resource.

15. A system for controlling access to a network resource, the system comprising:
- a network resource that is communicatively coupled to a network;
  
  a client capable of sending a request to communicate with the network resource;
  
  a network firewall routing device that is logically interposed between the client and the network resource and is capable of permitting the client to communicate with the network resource, wherein the network firewall routing device comprises;
  
  a firewall that protects the network resource by selectively blocking messages initiated by client and directed to the network resource, wherein the firewall comprises;
  
  an external interface and an internal interface; and
  
  an Output Access Control List at the internal interface and an Input Access Control List at the external interface;
  
  an authentication server that is communicatively coupled to the network and to the network firewall routing device and comprising user profile information;
  
  means for creating and storing client authorization information at the network firewall routing device, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
  
  means for determining, at the network firewall routing device, whether the client is authorized to communicate with the network resource based on the authorization information; and
  
  means for reconfiguring the network firewall routing device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information, wherein the means for reconfiguring the network firewall routing device opens a logical passageway for network traffic from the client, wherein the logical passageway does not automatically close when a user terminates a session, and wherein the means for reconfiguring the network firewall routing device further comprises;
  
  means for determining a current IP address of the client;
  
  means for creating a new user profile information, based on the user profile information, that includes the current IP address; and
  
  means for adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. A system as recited in claim 15, wherein the client authorization information comprises:
    - a plurality of authentication caches,wherein each authentication cache is uniquely associated with one of a plurality of clients that communicate with the network routing device, andwherein each authentication cache comprises;
      
      information indicating whether the client is authorized to communicate with the network resource, andinformation indicating what access privileges the client is authorized to have with respect to the network resource.
  - 17. A system as recited in claim 15, wherein the means for determining whether the client is authorized to communicate with the network resource comprises:
    - means for matching client identifying information in the request to information in a filtering mechanism of the network routing device; and
      
      means for matching the client identifying information in the request to the authorization information stored in the network firewall routing device if the client identifying information in the request matches the information in the filtering mechanism of the network routing device.
  - 18. A system as recited in claim 15, wherein the means for determining whether the client is authorized to communicate with the network resource comprises:
    - means for matching client identifying information in the request to information in a filtering mechanism of the network routing device;
      
      means for matching a source IP address to the authorization information stored in the network firewall routing device if the client identifying information in the request matches the information in the filtering mechanism of the network routing device; and
      
      means for matching user identifying information received from the client to a profile associated with the user that is stored in a database server and is retrieved from the database server by an authentication server that is coupled to the network firewall routing device, if the client identifying information in the request fails to match the authorization information stored in the network firewall routing device.
  - 19. A system as recited in claim 15, wherein the means for determining whether the client is authorized to communicate with the network resource comprises:
    - means for matching client identifying information in the request to information in a filtering mechanism of the network routing device;
      
      means for matching the client identifying information in the request to the authorization information stored in the network firewall routing device using an authentication cache in the network firewall routing device; and
      
      means, used only when the client identifying information in the request fails to match the authorization information stored in the network firewall routing device, for;
      
      creating and storing a new entry in the authentication cache that is uniquely associated with the client;
      
      requesting login information from the client;
      
      authenticating the login information by communicating with the authentication server; and
      
      updating the new entry in the authentication cache based on information received from the authentication server.
  - 20. A system as recited in claim 19, wherein the means for requesting login information from the client comprises means for sending a Hypertext Markup language login form from the network firewall routing device to the client to solicit a username and a user password;
    - and wherein the means for authenticating the login information by communicating with the authentication server comprises;
      
      means for retrieving a profile associated with a user of the client from a database server; and
      
      means for determining, from the profile associated with the user, whether the username and password are valid.
  - 21. A system as recited in claim 15, wherein the client is a computer system executing a Web browser.

22. A system for authentication comprising:
- a network resource connected to a network;
  
  a client capable of sending a request to communicate with the network resource;
  
  a network firewall routing device that is logically interposed between the client and the network resource and that is reconfigured to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on client authorization information stored in the network firewall routing device, wherein the network firewall routing device comprises;
  
  a firewall that protects the network resource by means for selectively blocking messages initiated by client and directed to the network resource, wherein the firewall comprises;
  
  an external interface and an internal interface;
  
  an Output Access Control List at the internal interface and an Input Access Control List at the external interface;
  
  wherein the network firewall routing device, when reconfigured, is reconfigured by the steps of;
  
  determining a current IP address of the client;
  
  creating a new user profile information, based on the user profile information, that includes the current IP address; and
  
  adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface;
  
  wherein the network firewall routing device, when reconfigured, opens a logical passageway for network traffic from the client, wherein the logical passageway does not automatically close when a user terminates a session, andwherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client has with respect to the network resource;
  
  a database server that stores a plurality of user profiles, each user profile uniquely associated with one of a plurality of users that can use the client to send requests to communicate with the network resource;
  
  an authentication server that is logically interposed between the network firewall routing device and the database server, and that is capable of communicating with the database server and retrieving from the database server a user profile.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. A system as recited in claim 22, wherein the network resource comprises a target server capable of servicing a request sent under at least one of HyperText Transfer Protocol;
    - File Transfer Protocol; and
      
      Internet Control Message Protocol.
  - 24. A system as recited in claim 22, wherein the client comprises a computer system executing a Web browser.
  - 25. A system as recited in claim 22, wherein the network firewall routing device comprises:
    - one or more processors; and
      
      a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      creating and storing the client authorization information at the network firewall routing device;
      
      receiving the request from the client to communicate with the network resource;
      
      determining whether the client is authorized to communicate with the network resource based on the client authorization information; and
      
      permitting the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the client authorization information.
  - 26. A system as recited in claim 25, wherein permitting the client to communicate with the network resource comprises the steps of creating and storing one or more commands which, when executed by the network firewall routing device, result in modifying one or more routing interfaces of the network firewall routing device to permit communications between the client and the network resource.
  - 27. A system as recited in claim 25, wherein determining whether the client is authorized to communicate with the network resource comprises the steps of:
    - determining whether client identifying information in the request matches information in a filtering mechanism of the network firewall routing device;
      
      if a match is found using the filtering mechanism, determining whether the client identifying information matches the client authorization information stored in the network firewall routing device; and
      
      only when the client identifying information fails to match the client authorization information stored in the network firewall routing device, then;
      
      creating and storing new client authorization information in the network firewall routing device that is uniquely associated with the client;
      
      requesting login information from the client;
      
      authenticating the login information by communicating with the authentication server; and
      
      updating the new client authorization information based on information received from the authentication server.
  - 28. A system as recited in claim 27, wherein:
    - requesting login information from the client comprises sending a Hypertext Markup Language login form to the client to solicit a username and a password; and
      
      authenticating the login information by communicating with the authentication server comprises determining, from a profile that is associated with a user of the client and that is retrieved from the database server, whether the username and password are valid.
  - 29. A system as recited in claim 22, wherein the authentication server comprises:
    - one or more processors; and
      
      a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      receiving client identifying information from the network firewall routing device, wherein the client identifying information comprises a username and a password associated with a user of the client;
      
      retrieving a profile associated with the user from the database server;
      
      determining whether the username and the password in the client identifying information match the username and the password stored in the profile associated with the user; and
      
      only if a match is found, returning to the network firewall routing device information indicating that the username and the password are valid.
  - 30. A system as recited in claim 22, wherein the database server comprises:
    - one or more processors; and
      
      a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      storing a profile associated with a user of the client, wherein the profile comprises a username and a password; and
      
      retrieving the profile associated with a user of the client upon a request from the authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Fuh, Tzong-Fen, Fan, Serene H., Qu, Diheng
Primary Examiner(s)
Lin; Kenny S
Assistant Examiner(s)
Whipple; Brian P

Application Number

US10/611,460
Time in Patent Office

2,087 Days
Field of Search

709/225
US Class Current

709/225
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 67/306   User profiles

Local authentication of a client at a network device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Local authentication of a client at a network device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links