Multilayer access control security system
Abstract
A computer-based system provides secure, configurable access to computer network resources. A human-readable language is provided for defining access policy rules. Rules in this language are converted in an automated fashion into filters applied within the various subsystems and components in a multi-layer security system. Network users are authenticated by an access control security system that obtains basic information about that user. Based on the user ID, a set of abstract policies can be retrieved. The retrieved policies are associated with the user and the groups associated with that user. Based on the retrieved rules, a set of rules for multiple layers of the network are generated and applied to those subsystems. Two or more of the subsystems may be placed in series with different types of processing occurring in each of the subsystems, reducing the workload of subsequent subsystems.
27 Claims
1. A method for more efficiently controlling access to a computer system through a network device having a plurality of security system sublayers, a first security system sublayer of the network device controlling access of a user prior to a second security system sublayer of the network device controlling access of the user, the method comprising:
receiving, by a network device, user identification information corresponding to a user;
retrieving, by the network device, a set of access policies corresponding to the user, the access policies configured via a policy language;
generating, by the network device responsive to authenticating the user, at least one access rule specific to the user for each of a plurality of security system sublayers based on the set of access policies corresponding to the user, each of the plurality of security system sublayers operating at different layers of network communications;
installing, by the network device, a user specific filter on each of the plurality of security system sublayers of the network device, the user specific filter automatically converted from the at least one generated access rule for the user for each of the plurality of security system sublayers;
receiving, by the network device, from the user, a request to access a computer system resource;
determining, by the network device, the user is not permitted to access at least a portion of the computer system resource based on the user identification information and a first user specific filter of the user of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and
dropping, by the network device, the request prior to a second user specific filter of the user of a second plurality of user specific filters of a second security system sublayer of the network device processing the request.
(Dependent claims 2 to 14 depend from claim 1.)
15. A non-transitory computer readable medium having program instructions stored thereon that instruct a network device comprising a plurality of security system sublayers to more efficiently control access by a user to a computer system via the network device, a first security system sublayer of the network device controlling access of a user prior to a second security system sublayer of the network device controlling access of the user, wherein the instructions comprise instructions to:
receive, by a network device, user identification information corresponding to a user;
retrieve, by the network device, a set of access policies corresponding to the user, the access policies configured via a policy language;
generate, by the network device responsive to authenticating the user, at least one access rule specific to the user for each of a plurality of security system sublayers based on the set of access policies corresponding to the user, each of the plurality of security system sublayers operating at different layers of network communications;
install, by the network device, a user specific filter on each of the plurality of security system sublayers of the network device, the user specific filter automatically converted from at least one generated access rule for the user for each of the plurality of security system sublayers;
determine, by the network device, whether the user is not permitted to access at least a portion of the computer system resource based on the user identification information and a first user specific filter of the user of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and
drop, by the network device, the request prior to a second user specific filter of the user of a second plurality of user specific filters of a second security system sublayer of the network device processing the request.
(Dependent claims 16 to 20 depend from claim 15.)
21. A computer system with a plurality of security system sublayers, the system comprising:
a network device comprising a processor;
means of a network device for receiving user identification information corresponding to a user;
means of the network device for retrieving a set of access policies corresponding to the user, the access policies configured via a policy language;
means of the network device for generating, responsive to authenticating the user, at least one access rule specific to the user for each of a plurality of security system sublayers based on the set of access policies corresponding to the user, each of the plurality of security system sublayers operating at different layers of network communications;
means of the network device for installing a user specific filter on each of the plurality of security system sublayers of the network device, the user specific filter automatically converted from the at least one generated access rule for the user for each of the plurality of security system sublayers;
means of the network device for receiving from the user a request to access a computer system resource;
means of the network device for determining the user is not permitted to access at least a portion of the computer system resource based on the user identification information and a first user specific filter of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and
means of the network device for dropping the request prior to a second user specific filter of a second plurality of user specific filters of a second security system sublayer of the network device processing the request.
22. A method of providing secure, configurable access to a computer system through a network device comprising a plurality of security system sublayers, the method comprising:
generating, by a network device, for a user, responsive to authenticating the user, at least one access rule specific to the user for each of a plurality of security system sublayers based on a set of retrieved access policies corresponding to the user and configured via a policy language, wherein the sublayers correspond to a hierarchy of complexity;
installing, by the network device, on each of the plurality of security system sublayers of the network device a user specific filter, the user specific filter automatically converted from the at least one generated access rule for the user for each of the plurality of security system sublayers, each of the plurality of security system sublayers operating at different layers of network communications;
distributing at least one of the generated access rules to at least one of the plurality of security system sublayers;
receiving, from the user, a request to access a computer system resource;
determining whether the user is not permitted to access at least a portion of a computer system resource based on the user identification information and a first user specific filter of the user of a first plurality of user specific filters of a first security system sublayer of the plurality of security system sublayers; and
dropping, by the network device, the request prior to a second user specific filter of the user of a second plurality of user specific filters of a second security system sublayer of the network device processing the request.
(Dependent claims 23 to 27 depend from claim 22.)
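The mechanism the abstract and the claims describe (a human-readable policy language, per-user rules generated for each sublayer after authentication, user-specific filters installed on sublayers placed in series so that a drop at the first sublayer keeps the second from ever processing the request) can be made concrete with a small model. The following is an added illustration written for this page; it is not code from the patent or from its assignee. The policy syntax, the two sublayers (a packet-level filter on destination network and port, then an application-level filter on HTTP method and path), the service-to-port table and the sample policy are all assumptions of the example.

```python
"""Added example, not code from the patent: a small policy language compiled per
user into filters on two sublayers in series (packet first, then application), so
an early drop means the later sublayer never processes the request. Policy syntax,
names and the sample policy below are assumptions of this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SERVICE_PORTS = {"ssh": 22, "web": 80}   # assumed service name -> TCP port


@dataclass
class Policy:            # one abstract policy line; method/path are web-only
    effect: str          # "allow" or "deny"
    kind: str            # "user" or "group"
    subject: str
    service: str
    dst: object          # ip_network
    method: Optional[str] = None
    path: Optional[str] = None


@dataclass
class Request:           # what the network device sees; method/path only for HTTP
    user: str
    dst: str
    port: int
    method: Optional[str] = None
    path: Optional[str] = None


def parse_policy(text):
    """'group NAME: member...' or 'EFFECT user|group SUBJECT SERVICE CIDR [METHOD PATH]'."""
    groups, policies = {}, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "group":
            groups[tok[1].rstrip(":")] = set(tok[2:])
            continue
        if (len(tok) < 5 or tok[0] not in ("allow", "deny")
                or tok[1] not in ("user", "group") or tok[3] not in SERVICE_PORTS):
            raise ValueError(f"bad policy line: {raw!r}")
        web = tok[3] == "web"
        if len(tok) != (7 if web else 5):
            raise ValueError(f"wrong number of fields: {raw!r}")
        policies.append(Policy(tok[0], tok[1], tok[2], tok[3], ip_network(tok[4]),
                               tok[5].upper() if web else None, tok[6] if web else None))
    return groups, policies


def compile_rules(policies):
    """Generate per-sublayer rules from abstract policies, in policy order (first match
    wins). SSH is decided entirely at the packet sublayer; a web policy only opens the
    port there and leaves allow/deny to the application sublayer."""
    packet, app = [], []          # (effect, port, net) and (effect, net, method, path prefix)
    for p in policies:
        port = SERVICE_PORTS[p.service]
        if p.service == "web":
            packet.append(("allow", port, p.dst))
            app.append((p.effect, p.dst, p.method, p.path))
        else:
            packet.append((p.effect, port, p.dst))
    return {"packet": packet, "app": app}


class Sublayer:
    def __init__(self, name):
        self.name, self.filters, self.processed = name, {}, 0   # filters: user -> rules

    def install(self, user, rules):
        self.filters[user] = rules

    def decide(self, req):
        self.processed += 1       # counts how often this sublayer really had to work
        dst = ip_address(req.dst)
        if self.name == "packet":
            for effect, port, net in self.filters.get(req.user, []):
                if port == req.port and dst in net:
                    return effect
            return "deny"         # no user-specific rule matched: default deny
        if req.port != SERVICE_PORTS["web"]:
            return "allow"        # not web traffic; the packet sublayer already decided it
        for effect, net, method, prefix in self.filters.get(req.user, []):
            if dst in net and method == req.method and (req.path or "").startswith(prefix):
                return effect
        return "deny"


class AccessController:
    def __init__(self, policy_text):
        self.groups, self.policies = parse_policy(policy_text)
        self.sublayers = [Sublayer("packet"), Sublayer("app")]   # in series, cheapest first

    def authenticate(self, user):
        """Retrieve the policies of the user and its groups, generate rules for each
        sublayer and install them as that user's filters."""
        mine = [p for p in self.policies
                if (p.kind == "user" and p.subject == user)
                or (p.kind == "group" and user in self.groups.get(p.subject, ()))]
        rules = compile_rules(mine)
        for layer in self.sublayers:
            layer.install(user, rules[layer.name])
        return rules

    def handle(self, req):
        """("forward", None) or ("drop", name of the sublayer that dropped the request);
        a request dropped at an earlier sublayer is never processed by a later one."""
        for layer in self.sublayers:
            if layer.decide(req) == "deny":
                return ("drop", layer.name)
        return ("forward", None)


# Constructed sample policy for this example, not from the patent.
POLICY_TEXT = """
group engineers: alice bob
deny  user  bob       ssh 10.0.0.5/32
allow group engineers ssh 10.0.0.0/24
allow group engineers web 10.0.1.10/32 GET  /status
allow user  alice     web 10.0.1.10/32 POST /deploy
"""


def run_scenario():
    ac = AccessController(POLICY_TEXT)
    for user in ("alice", "bob"):           # carol never authenticates: no filters for her
        ac.authenticate(user)
    requests = [Request("alice", "10.0.0.7", 22), Request("bob", "10.0.0.5", 22),
                Request("bob", "10.0.0.6", 22), Request("bob", "10.0.1.10", 80, "GET", "/status"),
                Request("bob", "10.0.1.10", 80, "POST", "/deploy"),
                Request("alice", "10.0.1.10", 80, "POST", "/deploy"),
                Request("carol", "10.0.0.7", 22)]
    decisions = [ac.handle(r) for r in requests]
    return decisions, {layer.name: layer.processed for layer in ac.sublayers}


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the point of the series arrangement: of seven requests the packet sublayer evaluates all seven, but the application sublayer is invoked only for the five that the packet sublayer lets through; bob's SSH attempt to the denied host and carol's unauthenticated request are dropped before any HTTP inspection happens. Note also that the per-user filter is derived from the user's own policies plus those of the groups retrieved for that user, and that an unauthenticated principal has no filter at all and therefore falls to the default deny at the first sublayer.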
Specification