Generalized policy server

US 7,821,926 B2
Filed: 08/31/2007
Issued: 10/26/2010
Est. Priority Date: 03/10/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A method for controlling access to information in a network, the method comprising:

maintaining a local copy of one or more policies in a memory of a local access device, the one or more policies limiting access to information in a local area network associated with the local access device, and wherein a change in the local copy is propagated to one or more other policy databases in a global network by a policy manager server in communication with the local access device;

receiving a request from a user, the request received by the local access device, the request concerning access to information in the local area network;

executing instructions stored in memory of the local access device, wherein execution of the instructions by a processor;

consults the local copy of the one or more policies, wherein the local copy includes any changes made at the one or more other policy databases in the global network,determines that the user is authorized or unauthorized to access the information based on at least the local copy of the one or more policies, andcontrols access to information in the local area network based on the determination that the user is authorized or unauthorized.

View all claims

28 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter use a local copy of an access control database to determine whether an access request made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to of access policies which define access in terms of the user groups and information sets.

Citations

25 Claims

1. A method for controlling access to information in a network, the method comprising:
- maintaining a local copy of one or more policies in a memory of a local access device, the one or more policies limiting access to information in a local area network associated with the local access device, and wherein a change in the local copy is propagated to one or more other policy databases in a global network by a policy manager server in communication with the local access device;
  
  receiving a request from a user, the request received by the local access device, the request concerning access to information in the local area network;
  
  executing instructions stored in memory of the local access device, wherein execution of the instructions by a processor;
  
  consults the local copy of the one or more policies, wherein the local copy includes any changes made at the one or more other policy databases in the global network,determines that the user is authorized or unauthorized to access the information based on at least the local copy of the one or more policies, andcontrols access to information in the local area network based on the determination that the user is authorized or unauthorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the one or more policies include information concerning a user group.
  - 3. The method of claim 2, wherein the one or more policies further include an information set associated with the user group.
  - 4. The method of claim 1, wherein the one or more policies include information concerning a trust level.
  - 5. The method of claim 4, wherein the one or more policies further include a sensitivity level associated with the trust level.
  - 6. The method of claim 1, wherein the one or more policies include information concerning identity certificates.
  - 7. The method of claim 1, wherein the one or more policies include information concerning Internet Protocol (IP) addresses.
  - 8. The method of claim 1, further comprising authenticating the user prior to determining that the user is authorized or unauthorized to access the information.
  - 9. The method of claim 8, wherein authenticating the user includes determining that the user belongs to one or more user groups.
  - 10. The method of claim 8, wherein authenticating the user includes determining a trust level of the user access request.
  - 11. The method of claim 8, wherein authenticating the user includes evaluating an identity certificate associated with the user.
  - 12. The method of claim 8, wherein authenticating the user includes determining an Internet Protocol (IP) address of the user.
  - 13. The method of claim 1, wherein receiving the change includes determining that the change was made by a network administrator.
  - 14. The method of claim 13, wherein receiving the update further includes determining update privileges of the network administrator based on at least administrative policies.

15. A system for controlling access to information in a network, the system comprising:
- a local server in a local area network that provides authorized users access to information in the network;
  
  a local policy database that stores a local copy of one or more policies limiting access to the information at the local server;
  
  a policy server that propagates changes in the local copy to one or more other policy databases in a global network; and
  
  a local access filter stored in memory and executable by a processor to;
  
  consult the local copy of one or more policies in response to a request from a user, the request concerning access to information in the local server, wherein the local copy includes any changes made at the one or more other policy databases in the global network,determine that a user is authorized or unauthorized to receive access to information from the local server based on at least the local copy of the one or more policies, andcontrol access to the information in the local server based on the determination that the user is authorized or unauthorized.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The system of claim 15, wherein the local policy database also stores information concerning the authorized users.
  - 17. The system of claim 15, wherein the local policy database also stores information concerning members of one or more user groups.
  - 18. The system of claim 15, wherein the local policy database also stores information concerning one or more information sets.
  - 19. The system of claim 15, wherein the local policy database also stores information concerning associations between a user group and an information set.
  - 20. The system of claim 15, wherein the local policy database also stores information concerning associations between a trust level and a sensitivity level.
  - 21. The system of claim 15, wherein the local policy database also stores one or more policies limiting who submit updates concerning policies.
  - 22. The system of claim 15, wherein the local policy database also stores information concerning identity certificates.
  - 23. The system of claim 15, wherein the local policy database also stores information concerning Internet Protocol (IP) addresses.

24. A Non-transistory computer-readable storage medium having stored thereupon a program, the program being executable by a processor to perform a method for controlling access to network information, the method comprising:
- maintaining a local copy of one or more policies, the one or more policies limiting access to information in a local network, wherein a change in the local copy is propagated to one or more other policy databases in a global network;
  
  receiving a request from a user, the request concerning access to information in the local network;
  
  consulting the local copy of the one or more policies, wherein the local copy includes any changes made at the one or more other policy databases in the global network,determining that the user is authorized or unauthorized to access the information based on at least the local copy of the one or more policies; and
  
  controlling access to the information in the local network based on the determination that the user is authorized or unauthorized.
- View Dependent Claims (25)
- - 25. The Non-transistory computer-readable storage medium of claim 24, the method further comprising receiving an update from one or more other policy databases in the network and updating the local copy of the one or more policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Schneider, David S., Lipstone, Laurence R., Hannel, Clifford L.
Primary Examiner(s)
Vu; Thong H

Application Number

US11/897,626
Publication Number

US 20080028436A1
Time in Patent Office

1,152 Days
Field of Search

707/10, 455/435
US Class Current

370/229
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Generalized policy server

First Claim

28 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Generalized policy server

First Claim

28 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links