Apparatus and method for managing access to one or more network resources
First Claim
1. An apparatus comprising:
- a processor; and
- a memory comprising computer program code, the memory and computer program code configured to, with the processor, cause the apparatus to at least:
- receive a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
- determine whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
- cause instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination.
Abstract
An apparatus is provided that includes a processor configured to receive a captured traffic unit (CTU) intended for a network service, the CTU being one into which incoming traffic has been assembled based on a filter describing which incoming traffic to capture and how to assemble the respective incoming traffic into the CTU. The processor is also configured to determine whether to allow the CTU to pass to one or more applications configured to implement the respective network service based on a passlet including permissions to a particular user. The processor is further configured to instruct a firewall to allow the CTU to pass to the respective one or more applications or to reject the CTU based on the determination. In this regard, the processor is configured to perform the above functions under control of a security framework implemented in middleware between a user-level domain and a system-level domain.
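As an added illustration (not code from the patent or its assignee), the capture and decision steps described in the abstract and claim 1, in Python: a filter list assembles incoming packets into captured traffic units, and the decision compares the CTU's system-level action against what the user's passlet, translated through the service mapping document, authorises, producing the instruction handed to the firewall. All names, field layouts and sample data are assumed for the example.

```python
from collections import namedtuple

# Names below (CTU, Passlet, Filters, ServiceMapping) are assumed for illustration, not the patent's code.
CTU = namedtuple("CTU", "service user action")               # captured traffic unit; action e.g. "http:POST"
Passlet = namedtuple("Passlet", "user service permissions")  # permissions: frozenset of user-level perms
Filters = dict[int, str]                # destination port to capture -> service the traffic is assembled for
ServiceMapping = dict[str, frozenset]   # user-level permission -> system-level actions it authorises

def capture(packets: list[dict], filters: Filters) -> list[CTU]:
    """Assemble captured packets into one CTU per service; packets matching no filter are never captured."""
    flows: dict[str, list[dict]] = {}
    for pkt in packets:
        if pkt["dst_port"] in filters:
            flows.setdefault(filters[pkt["dst_port"]], []).append(pkt)
    # Assembly rule (constructed): user and requested action are taken from the flow's first packet.
    return [CTU(svc, pkts[0]["user"], pkts[0]["action"]) for svc, pkts in flows.items()]

def decide(ctu: CTU, passlets: list[Passlet], mappings: dict[str, ServiceMapping]) -> str:
    """Firewall instruction for one CTU. ALLOW only if a passlet for this user and service holds a
    user-level permission that the service mapping document maps to the CTU's action; otherwise
    (no passlet, unknown service, permission not mapped to the action) REJECT, i.e. default deny."""
    mapping = mappings.get(ctu.service)
    if mapping is None:
        return "REJECT"
    for p in passlets:
        if p.user == ctu.user and p.service == ctu.service:
            allowed = frozenset().union(*(mapping.get(perm, frozenset()) for perm in p.permissions))
            if ctu.action in allowed:
                return "ALLOW"
    return "REJECT"

# Constructed sample data: two filtered services, one passlet per user, three incoming packets.
FILTERS: Filters = {8080: "webapi", 22: "ssh"}
MAPPINGS = {"webapi": {"read": frozenset({"http:GET"}), "write": frozenset({"http:GET", "http:POST"})},
            "ssh": {"login": frozenset({"ssh:session"})}}
PASSLETS = [Passlet("alice", "webapi", frozenset({"read"})), Passlet("bob", "ssh", frozenset({"login"}))]
PACKETS = [{"dst_port": 8080, "user": "alice", "action": "http:POST"},   # alice holds only "read"
           {"dst_port": 22, "user": "bob", "action": "ssh:session"},
           {"dst_port": 9999, "user": "mallory", "action": "x"}]         # no filter: not captured

def run(packets: list[dict] = PACKETS) -> dict[str, str]:
    """Instruction per captured service, as the firewall would receive it."""
    return {c.service: decide(c, PASSLETS, MAPPINGS) for c in capture(packets, FILTERS)}
```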
22 Claims
1. An apparatus comprising:
- a processor; and
- a memory comprising computer program code, the memory and computer program code configured to, with the processor, cause the apparatus to at least:
- receive a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
- determine whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
- cause instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method comprising:
- receiving a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
- determining whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
- causing instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination, wherein at least determining whether to allow the captured traffic unit and causing instruction of the firewall to allow or reject the captured traffic unit are performed by an apparatus comprising a processor and memory comprising computer program code, the memory and computer program code configured to, with the processor, cause the apparatus to at least determine whether to allow the captured traffic unit and cause instruction of the firewall to allow or reject the captured traffic unit.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable storage medium comprising a non-transitory computer-readable storage medium, the computer-readable storage medium and computer-readable program code portions being configured to, with a processor, cause an apparatus to at least:
- receive a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
- determine whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
- cause instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination.
Dependent claims: 16, 17, 18, 19, 20, 21.

22. An apparatus comprising:
- means for receiving a captured traffic unit intended for a network service, the captured traffic unit being one into which incoming traffic has been assembled based on a filter, from a list of one or more filters, describing which incoming traffic to capture and how to assemble the respective incoming traffic into the captured traffic unit;
- means for determining whether to allow the captured traffic unit to pass to one or more applications configured to implement the respective network service based on a passlet and a service mapping document for the respective network service, the passlet comprising one or more access permissions to a particular user for accessing the respective network service, or for accessing a device hosting the respective network service, and the service mapping document describing how to map one or more user-level permissions to one or more corresponding system-level actions; and
- means for causing instruction of a firewall to allow the captured traffic unit to pass to the respective one or more applications or to reject the captured traffic unit based on the determination.