System, apparatuses, methods, and computer-readable media using identification data in packet communications
First Claim
1. A method for restricting access to one or more resources within a computer network, comprising the steps of:
assigning a unique user identifier to each authorized human user of the computer network;
retrieving the unique user identifier associated with a respective authorized human user logged into a source node;
upon initiation of a TCP/IP communication attempt at the source node, wherein the TCP/IP communication attempt is associated with a request by the respective authorized human user for access to a specific resource within the computer network, wherein the TCP/IP communication attempt includes a synchronization packet having a header, inserting the unique user identifier assigned to the respective authorized human user logged into the source node into the header of the synchronization packet;
intercepting the synchronization packet within the computer network without allowing the TCP/IP communication attempt to proceed;
extracting the unique user identifier from the header of the synchronization packet;
identifying the respective authorized human user logged into the source node based on the extracted unique user identifier;
determining whether the respective authorized human user is authorized to access the specific resource; and
if the respective authorized human user is authorized to access the specific resource, allowing the TCP/IP communication attempt to proceed and granting the respective authorized human user access to the specific resource at a destination node within the computer network.
3 Assignments
0 Petitions
Abstract
Methods, systems and computer-readable data storage media for authentication and/or access authorization in a communications network. A source node initiates a request for network services, such as session establishment, database access, or application access. Known network resources, authorized users, and/or source information are stored in a database at a network portal along with access policy rules that can be device- and/or user-dependent. A source node can construct a packet header including a user identifier indicating the user originating the request, and/or a source identifier indicating the hardware from which the request originated. At least one of these identifiers is included in a synchronization packet for transmission to a destination node. An appliance or firewall in the communications network receives the packet, authenticates the identifiers, and determines whether resource access is authorized before releasing the packet to its intended destination.
126 Citations
57 Claims
1. A method for restricting access to one or more resources within a computer network, comprising the steps of: (independent claim; full text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 54
15. A method for preventing unauthorized access to one or more resources within a computer network, wherein the computer network includes a plurality of authorized human users and wherein a unique user identifier is assigned to each of the plurality of authorized human users, comprising the steps of:
maintaining the plurality of unique user identifiers in a database;
intercepting a TCP/IP communication attempt from an undetermined user, wherein the TCP/IP communication attempt includes a synchronization packet having a header and wherein the TCP/IP communication represents a request for access to a specific resource within the computer network;
obtaining data from the header of the synchronization packet;
comparing the data obtained from the header with the plurality of unique user identifiers maintained in the database to determine if the undetermined user is one of the plurality of authorized human users logged into an authorized computer of the computer network; and
denying the request for access to the specific resource if the data obtained from the header does not match one of the plurality of unique user identifiers in the database.
Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 55
28. A method for managing communications within a computer network, comprising the steps of:
assigning a unique user identifier to each authorized human user of the computer network;
retrieving the unique user identifier associated with a respective authorized human user accessing a specific source node of the computer network;
upon initiation of a TCP/IP communication attempt by the respective authorized human user accessing the specific source node of the computer network, wherein the TCP/IP communication attempt is targeted to a destination node of the computer network and wherein the TCP/IP communication attempt includes a synchronization packet having a header, inserting the unique user identifier assigned to the respective authorized human user accessing the specific source node into the header of the synchronization packet;
intercepting the synchronization packet within the computer network prior to receipt by the destination node;
extracting the unique user identifier from the header of the synchronization packet to identify the respective authorized human user initiating the TCP/IP communication attempt;
determining if the respective authorized human user is allowed to communicate with the destination node; and
if the respective authorized human user is allowed to communicate with the destination node, allowing the TCP/IP communication between the specific source node and the destination node to proceed.
Dependent claims: 29, 30, 31, 32, 33, 34, 35, 36, 37, 56
38. A method for authorizing communications within a computer network, comprising the steps of:
assigning a unique user identifier to each authorized human user of the computer network;
assigning a unique source identifier to each authorized computer within the computer network;
upon initiation of a TCP/IP communication attempt initiated by a specific authorized human user logged in to a specific authorized computer, wherein the TCP/IP communication attempt is targeted to a destination node in the computer network and wherein the TCP/IP communication attempt includes a synchronization packet having a header, retrieving and inserting the unique user identifier assigned to the specific authorized human user and the unique source identifier assigned to the specific authorized computer into the header of the synchronization packet;
intercepting the synchronization packet within the computer network prior to receipt by the destination node;
extracting the unique user identifier and unique source identifier from the header of the synchronization packet to identify the specific authorized human user and the specific authorized computer initiating the TCP/IP communication attempt;
determining whether the specific authorized human user and specific authorized computer are each authorized to communicate with the destination node; and
if the specific authorized human user and specific authorized computer are each authorized to communicate with the destination node, allowing the TCP/IP communication attempt with the destination node to continue.
Dependent claims: 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 57
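The following is an added worked example, not text or code from the patent and not any vendor's implementation, simulating the mechanism that the abstract and claims 1, 15, 28 and 38 describe: the source node inserts a user identifier and a source (host) identifier into the header of the TCP synchronization packet, and an in-line appliance intercepts the SYN, extracts the identifiers, consults the portal's database of known users, hosts and access rules, and only then releases the packet. The claims say nothing about how the identifiers are carried or protected, so the example makes three assumptions of its own: the identifiers ride in a TCP option of kind 253 (the experimental range of RFC 6994); the abstract's "authenticates" step is realised as an HMAC-SHA256 tag, truncated to 16 bytes, computed under a key shared by the source node and the appliance and bound to the addresses, ports and initial sequence number of the SYN (without such a binding a cleartext identifier in a header can be stamped onto a SYN by any host on the network); and the TCP checksum is left at zero because no IP pseudo-header is built. The users, hosts, policies and packets are constructed for the demonstration.

```python
"""Added example: identity-stamped TCP SYN and the appliance that screens it.

Assumptions (not from the patent): TCP option kind 253 for the stamp,
a truncated HMAC-SHA256 tag under a pre-shared key, zero TCP checksum.
All users, hosts, policies and packets are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

OPT_KIND_IDENT = 253   # assumed experimental option kind carrying the stamp
TAG_LEN = 16           # assumed truncated HMAC-SHA256 tag length
SHARED_KEY = b"demo key shared by source node and appliance"  # constructed
SYN, ACK = 0x02, 0x10

# Constructed identifier and policy database held at the network portal.
USERS = {1001: "alice", 1002: "bob"}            # unique user identifiers
HOSTS = {7: "ws-07", 8: "ws-08"}                # unique source identifiers
USER_POLICY = {                                 # user -> allowed (dst ip, dst port)
    1001: {("10.0.0.5", 5432), ("10.0.0.9", 443)},
    1002: {("10.0.0.9", 443)},
}
HOST_POLICY = {7: {"10.0.0.5", "10.0.0.9"}, 8: {"10.0.0.9"}}   # host -> dst ips


def _stamp_tag(src_ip, dst_ip, src_port, dst_port, seq, user_id, source_id, key):
    """HMAC over the identifiers and the connection they are attached to."""
    msg = struct.pack("!4s4sHHIII", ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed, src_port, dst_port,
                      seq, user_id, source_id)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_stamped_syn(src_ip, dst_ip, src_port, dst_port, seq, user_id,
                      source_id, key=SHARED_KEY):
    """Source-node side: a SYN whose options carry user id, source id and tag."""
    tag = _stamp_tag(src_ip, dst_ip, src_port, dst_port, seq, user_id, source_id, key)
    data = struct.pack("!II", user_id, source_id) + tag
    option = bytes([OPT_KIND_IDENT, 2 + len(data)]) + data
    option += b"\x00" * (-len(option) % 4)          # pad to 32-bit boundary with EOL
    data_offset = (20 + len(option)) // 4           # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                        data_offset << 4, SYN, 65535, 0, 0)
    return fixed + option


def parse_tcp_header(tcp):
    """Decode the fixed TCP header and its options; reject malformed lengths."""
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    src_port, dst_port, seq, _ack, off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", tcp[:20])
    hdr_len = (off >> 4) * 4
    if hdr_len < 20 or hdr_len > len(tcp):
        raise ValueError("bad data offset")
    options, i = {}, 20
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                # end of option list
            break
        if kind == 1:                # NOP
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            raise ValueError("bad option length")
        options[kind] = tcp[i + 2:i + tcp[i + 1]]
        i += tcp[i + 1]
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq,
            "flags": flags, "options": options}


def authorize(src_ip, dst_ip, tcp, key=SHARED_KEY):
    """Appliance side: decide whether an intercepted SYN may be released."""
    hdr = parse_tcp_header(tcp)
    if not hdr["flags"] & SYN or hdr["flags"] & ACK:
        return False, "not an initial SYN"
    stamp = hdr["options"].get(OPT_KIND_IDENT)
    if stamp is None or len(stamp) != 8 + TAG_LEN:
        return False, "no identity stamp"            # claim 15: undetermined user
    user_id, source_id = struct.unpack("!II", stamp[:8])
    expected = _stamp_tag(src_ip, dst_ip, hdr["src_port"], hdr["dst_port"],
                          hdr["seq"], user_id, source_id, key)
    if not hmac.compare_digest(expected, stamp[8:]):
        return False, "stamp failed authentication"  # spoofed or tampered stamp
    if user_id not in USERS:
        return False, "unknown user identifier"
    if source_id not in HOSTS:
        return False, "unknown source identifier"
    if (dst_ip, hdr["dst_port"]) not in USER_POLICY.get(user_id, set()):
        return False, f"{USERS[user_id]} not authorized for {dst_ip}:{hdr['dst_port']}"
    if dst_ip not in HOST_POLICY.get(source_id, set()):
        return False, f"{HOSTS[source_id]} not authorized for {dst_ip}"
    return True, f"{USERS[user_id]}@{HOSTS[source_id]} -> {dst_ip}:{hdr['dst_port']}"


def demo():
    """Constructed SYNs as seen by the appliance; returns {label: (allowed, reason)}."""
    src, db = "10.0.1.7", "10.0.0.5"
    plain_syn = struct.pack("!HHIIBBHHH", 40000, 5432, 1, 0, 5 << 4, SYN, 65535, 0, 0)
    return {
        "alice@ws-07 -> db": authorize(src, db, build_stamped_syn(src, db, 40000, 5432, 1, 1001, 7)),
        "bob@ws-07 -> db": authorize(src, db, build_stamped_syn(src, db, 40001, 5432, 2, 1002, 7)),
        "alice@ws-08 -> db": authorize(src, db, build_stamped_syn(src, db, 40002, 5432, 3, 1001, 8)),
        "unstamped SYN": authorize(src, db, plain_syn),
        "forged alice stamp": authorize(src, db, build_stamped_syn(src, db, 40003, 5432, 4, 1001, 7, key=b"guess")),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

Running the script shows the four outcomes the claims distinguish: a stamped SYN from an authorized user on an authorized host is released; a known user without a rule for that resource, and a host without a rule for that destination, are each refused (claims 1 and 38 check user and host separately); a SYN with no stamp at all is treated as an undetermined user and dropped (claim 15); and a stamp produced without the shared key fails authentication before any policy lookup. A real deployment would also have to compute the TCP checksum, survive middleboxes that strip unknown options, and key each source node separately so that one compromised host cannot stamp identifiers for another.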
Specification