Multilayer access control security system

US 7,900,240 B2
Filed: 05/28/2004
Issued: 03/01/2011
Est. Priority Date: 05/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method for more efficiently controlling access to a computer system through a network device having a plurality of security system sublayers, a first security system sublayer of the network device controlling access of a user prior to a second security system sublayer of the network device controlling access of the user, the method comprising:

receiving, by a network device, user identification information corresponding to a user;

retrieving, by the network device, a set of access policies corresponding to the user, the access policies configured via a policy language;

generating, by the network device responsive to authenticating the user, at least one access rule specific to the user for each of a plurality of security system sublayers based on the set of access policies corresponding to the user, each of the plurality of security system sublayers operating at different layers of network communications;

installing, by the network device, a user specific filter on each of the plurality of security system sublayers of the network device, the user specific filter automatically converted from the at least one generated access rule for the user for each of the plurality of security system sublayers;

receiving, by the network device, from the user, a request to access a computer system resource;

determining, by the network device, the user is not permitted to access at least a portion of the computer system resource based on the user identification information and a first user specific filter of the user of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and

dropping, by the network device, the request prior to a second user specific filter of the user of a second plurality of user specific filters of a second security system sublayer of the network device processing the request.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-based system provides secure, configurable access to computer network resources. A human-readable language is provided for defining access policy rules. Rules in this language are converted in an automated fashion into filters applied within the various subsystems and components in a multi-layer security system. Network users are authenticated by an access control security system that obtains basic information about that user. Based on the user ID, a set of abstract policies can be retrieved. The retrieved policies are associated with the user and the groups associated with that user. Based on the retrieved rules, a set of rules for multiple layers of the network are generated and applied to those subsystems. Two or more of the subsystems may be placed in series with different types of processing occurring in each of the subsystems, reducing the workload of subsequent subsystems.

Citations

27 Claims

1. A method for more efficiently controlling access to a computer system through a network device having a plurality of security system sublayers, a first security system sublayer of the network device controlling access of a user prior to a second security system sublayer of the network device controlling access of the user, the method comprising:
- receiving, by a network device, user identification information corresponding to a user;
  
  retrieving, by the network device, a set of access policies corresponding to the user, the access policies configured via a policy language;
  
  generating, by the network device responsive to authenticating the user, at least one access rule specific to the user for each of a plurality of security system sublayers based on the set of access policies corresponding to the user, each of the plurality of security system sublayers operating at different layers of network communications;
  
  installing, by the network device, a user specific filter on each of the plurality of security system sublayers of the network device, the user specific filter automatically converted from the at least one generated access rule for the user for each of the plurality of security system sublayers;
  
  receiving, by the network device, from the user, a request to access a computer system resource;
  
  determining, by the network device, the user is not permitted to access at least a portion of the computer system resource based on the user identification information and a first user specific filter of the user of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and
  
  dropping, by the network device, the request prior to a second user specific filter of the user of a second plurality of user specific filters of a second security system sublayer of the network device processing the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the requested computer system resource is associated with at least one of the plurality of security system sublayers, and the determining step is also based on the at least one sublayer with which the resource is associated.
  - 3. The method of claim 1, wherein:
    - the generating also includes retrieving data corresponding to a set of human readable access policies and the at least one access rule for each of the plurality of security system sublayers is based on the human readable access policies; and
      
      the human readable access policies have been entered by a human operator.
  - 4. The method of claim 1, wherein the generating further comprises replacing the at least one generated access rule with at least one replacement access rule if the at least one generated access rule conflicts with a previously generated at least one access rule.
  - 5. The method of claim 1, wherein the generating is further based on one or more groups with which the user is associated.
  - 6. The method of claim 1, wherein the plurality of security system sublayers includes a firewall layer and a transport layer.
  - 7. The method of claim 6, wherein at least one user specific filter of the user generated for the firewall layer includes at least one of a port user specific filter of the user, a packet authentication user specific filter of the user and a NAT translation user specific filter of the user.
  - 8. The method of claim 1, wherein the plurality of security system sublayers includes an application layer.
  - 9. The method of claim 1, further comprising removing the installed user specific filter from the sublayers when the user logs out.
  - 10. The method of claim 1, further comprising removing the installed user specific filter from the sublayers when the session for the user ends.
  - 11. The method of claim 1, comprising determining, by the network device, if the user is permitted to access at least a portion of the computer system resource based on the user identification information and a third user specific filter of the user of a third plurality of user specific filters of a third security system sublayer of the plurality of security system sublayers, the third security system sublayer processing the request prior to the first user specific filter of the user of the first plurality of user specific filters of the first security system sublayer.
  - 12. The method of claim 1 further comprising each sublayer of the plurality of security system sublayers providing access control to a predetermined layer of network stack of the device.
  - 13. The method of claim 1, further comprising installing the user specific filter on the first security system sublayer responsive to the determination that the first user specific filter was not installed on the first security system sublayer.
  - 14. The method of claim 1, further comprising not installing the user specific filter on the first security system sublayer responsive to the determination that the user specific filter was installed on the first security system sublayer.

15. A non-transitory computer readable medium having program instructions stored thereon that instruct a network device comprising a plurality of security system sublayers to more efficiently control access by a user to a computer system via the network device, a first security system sublayer of the network device controlling access of a user prior to a second security system sublayer of the network device controlling access of the user, wherein the instructions comprise instructions to:
- receive, by a network device, user identification information corresponding to a user;
  
  retrieve, by the network device, a set of access policies corresponding to the user, the access policies configured via a policy language;
  
  generate, by the network device responsive to authenticating the user, at least one-access rule specific to the user for each of a plurality of security system sublayers based on the set of access policies corresponding to the user, each of the plurality of security system sublayers operating at different layers of network communications;
  
  install, by the network device, a user specific filter on each of the plurality of security system sublayers of the network device, the user specific filter automatically converted from at least one generated access rule for the user for each of the plurality of security system sublayers;
  
  determine, by the network device, whether the user is not permitted to access at least a portion of the computer system resource based on the user identification information and a first user specific filter of the user of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and
  
  drop, by the network device, the request prior to a second user specific filter of the user of a second plurality of user specific filters of a second security system sublayer of the network device processes the request.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable medium of claim 15, wherein the requested computer system resource is associated with at least one of the plurality of security system sublayers, and the determining step is also based on the at least one sublayer with which the resource is associated.
  - 17. The computer readable medium of claim 15, wherein the instructions further instruct the network device to, in the generating step, retrieve data corresponding to a set of human readable access policies, wherein the human readable access policies have been entered by a human operator;
    - andwherein the generating step is further based on the human readable access policies.
  - 18. The computer readable medium of claim 15, wherein the plurality of security system sublayers includes a firewall layer and a transport layer.
  - 19. The computer readable medium of claim 15 wherein the network device determines if the user is permitted to access at least a portion of the computer system resource based on the user identification information and a third user specific filter of the user of a third plurality of user specific filters of a third security sublayer of the plurality of security system sublayers, the third security system sublayer processing the request prior to the first user specific filter of the user of the first plurality of user specific filters of the first security system sublayer.
  - 20. The computer readable medium of claim 15 wherein each sublayer of the plurality of security system sublayers provides access control to a predetermined layer of network stack of the device.

21. A computer system with a plurality of security system sublayers, the system comprising:
- a network device comprising a processor;
  
  means of a network device for receiving user identification information corresponding to a user;
  
  means of the network device for retrieving a set of access policies corresponding to the user, the access policies configured via a policy language;
  
  means of the network device, for generating, responsive to authenticating the user, at least one access rule specific to the user for each of a plurality of security system sublayers based on the set of access policies corresponding to the user, each of the plurality of security system sublayers operating at different layers of network communications;
  
  means of the network device for installing a user specific filter on each of the plurality of security system sublayers of the network device, the user specific filter automatically converted from the at least one generated access rule for the user for each of the plurality of security system sublayers;
  
  means of the network device, for receiving from the user a request to access a computer system resource;
  
  means of the network device for determining the user is not permitted to access at least a portion of a the computer system resource based on the user identification information and a first user specific filter of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and
  
  means of the network device for dropping the request prior to a second user specific filter of a second plurality of user specific filters of a second security system sublayer of the network device processing the request.

22. A method of providing secure, configurable access to a computer system through a network device comprising a plurality of security system sublayers, the method comprising:
- generating, by a network device, for a user, responsive to authenticating the user, at least one access rule specific to the user for each of a plurality of security system sublayers based on a set of retrieved access policies corresponding to the user and configured via a policy language, wherein the sublayers correspond to a hierarchy of complexity;
  
  installing, by the network device, on each of the plurality of security system sublayers of the network device a user specific filter, the user specific filter automatically converted from the at least one generated access rule for the user for each of the plurality of security system sublayers, each of the plurality of security system sublayers operating at different layers of network communications;
  
  distributing at least one of the generated access rules to at least one of the plurality of security system sublayers;
  
  receiving, from the user, a request to access a computer system resource; and
  
  determining whether the user is not permitted to access at least a portion of a computer system resource based on the user identification information and a first user specific filter of the user of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and
  
  dropping, by the network device, the request prior to a second user specific filter of the user of a second plurality of user specific filters of a second security system sublayer of the network device processing the request.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The method of claim 22, wherein the requested computer system resource is associated with at least one of the plurality of security system sublayers, and the determining step is also based on the at least one sublayer with which the resource is associated.
  - 24. The method of claim 22, wherein said generating includes retrieving data corresponding to a set of human readable access policies, wherein the human readable access policies have been entered by a human operator, and wherein each access rule is further based on the human readable access policies.
  - 25. The method of claim 22, wherein said generating includes replacing the generated access rule with a replacement rule if the generated access rule conflicts with a previously generated access rule.
  - 26. The method of claim 22, wherein said generating is also based on one or more groups with which the user is associated.
  - 27. The method of claim 22, wherein the plurality of security system sublayers includes a firewall layer and a transport layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Murgia, Marco A., Baskaran, Ashwin, Terzis, Andreas
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US10/857,224
Publication Number

US 20040243835A1
Time in Patent Office

2,468 Days
Field of Search

726/1, 726/2, 726/3, 726/11, 726/26, 726/4, 726/27, 726/14, 726/12, 726/28, 713/150, 713/165, 709/225, 709/229, 709/227, 370/392, 370/401
US Class Current

726/2
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Multilayer access control security system

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Multilayer access control security system

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links