Apparatus and method for managing access to one or more network resources

US 8,037,519 B2
Filed: 08/31/2007
Issued: 10/11/2011
Est. Priority Date: 08/31/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a processor; and

a memory comprising computer program code, the memory and computer program code configured to, with the processor, cause the apparatus to at least;

receive a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;

determine whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and

cause instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus is provided that includes a processor configured to receive a captured traffic unit (CTU) intended for a network service, the CTU being one into which incoming traffic has been assembled based on a filter describing which incoming traffic to capture and how to assemble the respective incoming traffic into the CTU. The processor is also configured to determine whether to allow the CTU to pass to one or more applications configured to implement the respective network service based on a passlet including permissions to a particular user. The processor is further configured to instruct a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU based on the determination. In this regard, the processor is configured to perform the above functions under control of a security framework implemented in middleware between a user-level domain and a system-level domain.

19 Citations

View as Search Results

22 Claims

1. An apparatus comprising:
- a processor; and
  
  a memory comprising computer program code, the memory and computer program code configured to, with the processor, cause the apparatus to at least;
  
  receive a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
  
  determine whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
  
  cause instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus according to claim 1, wherein the one or more filters of the list of one or more filters describe how to assemble incoming traffic into different captured traffic units for different network services.
  - 3. The apparatus according to claim 1, wherein the device hosting the network service for which the captured traffic unit is intended is within a personal network comprising a plurality of devices, each device within the personal network being configured to host one or more services, and each device within the personal network comprising a firewall configured to allow captured traffic units to pass to one or more applications configured to implement the respective one or more services.
  - 4. The apparatus according to claim 1, wherein the memory and computer program code are configured to, with the processor, cause the apparatus to receive the captured traffic unit, determine whether to allow the captured traffic unit to pass to one or more applications, and cause instruction of the firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit under control of a security framework implemented in middleware between a user-level domain and a system-level domain.
  - 5. The apparatus according to claim 4, wherein being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more applications comprises being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more legacy applications designed and operable without regard to the security framework.
  - 6. The apparatus according to claim 5, wherein the filter based on which the incoming traffic has been assembled into the captured traffic unit is associated with the network service for which the captured traffic unit is intended, andwherein being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more applications comprises being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more legacy applications for which support has been added to the security framework, based on the passlet comprising one or more access permissions to the particular user for accessing the respective network service.
  - 7. The apparatus according to claim 5, wherein the filter based on which the incoming traffic has been assembled into the captured traffic unit is a default filter unassociated with any network service including the network service for which the captured traffic unit is intended, andwherein being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more applications comprises being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more legacy applications for which the security framework is unaware, based on the device passlet comprising one or more access permissions to the particular user for accessing the device hosting the respective network service.

8. A method comprising:
- receiving a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
  
  determining whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
  
  causing instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination,wherein at least determining whether to allow the captured traffic unit and causing instruction of the firewall to allow or reject the captured traffic unit are performed by an apparatus comprising a processor and memory comprising computer program code, the memory and computer program code configured to, with the processor, cause the apparatus to at least determine whether to allow the captured traffic unit and cause instruction of the firewall to allow or reject the captured traffic unit.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method according to claim 8, wherein the one or more filters of the list of one or more filters describe how to assemble incoming traffic into different captured traffic units for different network services.
  - 10. The method according to claim 8, wherein the device hosting the network service for which the captured traffic unit is intended is within a personal network comprising a plurality of devices, each device within the personal network being configured to host one or more services, and each device within the personal network comprising a firewall configured to allow captured traffic units to pass to one or more applications configured to implement the respective one or more services.
  - 11. The method according to claim 8, wherein receiving the captured traffic unit, determining whether to allow the captured traffic unit to pass to one or more applications, and causing instruction of the firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit occur within a security framework implemented in middleware between a user-level domain and a system-level domain.
  - 12. The method according to claim 11, wherein determining whether to allow the captured traffic unit to pass to one or more applications comprises determining whether to allow the captured traffic unit to pass to one or more legacy applications designed and operable without regard to the security framework.
  - 13. The method according to claim 12, wherein the filter based on which the incoming traffic has been assembled into the captured traffic unit is associated with the network service for which the captured traffic unit is intended, andwherein determining whether to allow the captured traffic unit to pass to one or more applications comprises determining whether to allow the captured traffic unit to pass to one or more legacy applications for which support has been added to the security framework, based on the passlet comprising one or more access permissions to the particular user for accessing the respective network service.
  - 14. The method according to claim 12, wherein the filter based on which the incoming traffic has been assembled into the captured traffic unit is a default filter unassociated with any network service including the network service for which the captured traffic unit is intended, andwherein determining whether to allow the captured traffic unit to pass to one or more applications comprises determining whether to allow the captured traffic unit to pass to one or more legacy applications for which the security framework is unaware, based on the device passlet comprising one or more access permissions to the particular user for accessing the device hosting the respective network service.

15. A computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable storage medium comprising a non-transitory computer-readable storage medium, the computer-readable storage medium and computer-readable program code portions being configured to, with a processor, cause an apparatus to at least:
- receive a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
  
  determine whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
  
  cause instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-readable storage medium according to claim 15, wherein the one or more filters of the list of one or more filters describe how to assemble incoming traffic into different captured traffic units for different network services.
  - 17. The computer-readable storage medium according to claim 15, wherein the device hosting the network service for which the captured traffic unit is intended is within a personal network comprising a plurality of devices, each device within the personal network being configured to host one or more services, and each device within the personal network comprising a firewall configured to allow captured traffic units to pass to one or more applications configured to implement the respective one or more services.
  - 18. The computer-readable storage medium according to claim 15, wherein the computer-readable storage medium and computer-readable program code portions are configured to, with the processor, cause the apparatus to receive the captured traffic unit, determine whether to allow the captured traffic unit to pass to one or more applications, and cause instruction of the firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit under control of a security framework implemented in middleware between a user-level domain and a system-level domain.
  - 19. The computer-readable storage medium according to claim 18, wherein being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more applications comprises being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more legacy applications designed and operable without regard to the security framework.
  - 20. The computer-readable storage medium according to claim 19, wherein the filter based on which the incoming traffic has been assembled into the captured traffic unit is associated with the network service for which the captured traffic unit is intended, andwherein being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more applications comprises being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more legacy applications for which support has been added to the security framework, based on the passlet comprising one or more access permissions to the particular user for accessing the respective network service.
  - 21. The computer-readable storage medium according to claim 19, wherein the filter based on which the incoming traffic has been assembled into the captured traffic unit is a default filter unassociated with any network service including the network service for which the captured traffic unit is intended, andwherein being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more applications comprises being configured to cause the apparatus to determine whether to allow the captured traffic unit to pass to one or more legacy applications for which the security framework is unaware, based on the device passlet comprising one or more access permissions to the particular user for accessing the device hosting the respective network service.

22. An apparatus comprising:
- means for receiving a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
  
  means for determining whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
  
  means for causing instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Reynolds, Franklin, Kalofonos, Dimitris
Primary Examiner(s)
Gergiso; Techane

Application Number

US11/848,702
Publication Number

US 20090059952A1
Time in Patent Office

1,502 Days
Field of Search

726/13, 370/229
US Class Current

726/13
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/102 Entity profiles

Apparatus and method for managing access to one or more network resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for managing access to one or more network resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links