Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute

US 8,397,287 B2
Filed: 08/21/2006
Issued: 03/12/2013
Est. Priority Date: 08/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for authorizing a level of access of a client to a virtual private network connection, based on an attribute of a client-side computing environment, the method comprising the steps of:

(a) establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network;

(b) transmitting, by the appliance via the control connection to the client, a request for an evaluation component executing on the client to evaluate a security string transmitted in the request, the security string comprising one or more expressions including (i) an identifier of an attribute of a client-side computing environment, and (ii) a logical operation on a value of the attribute, a result of which comprises a value that determines what level of access to grant to the client;

(c) transmitting, by the client via the control connection, a response to the appliance comprising the result of evaluating the one or more expressions of the security string by the evaluation component; and

(d) assigning, by the appliance, a level of access to the client responsive to an application of a policy by a policy engine to the result of the evaluation; and

(e) establishing, by the appliance, the virtual private network connection with the client in accordance with the assigned level of access.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.

Citations

42 Claims

1. A method for authorizing a level of access of a client to a virtual private network connection, based on an attribute of a client-side computing environment, the method comprising the steps of:
- (a) establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network;
  
  (b) transmitting, by the appliance via the control connection to the client, a request for an evaluation component executing on the client to evaluate a security string transmitted in the request, the security string comprising one or more expressions including (i) an identifier of an attribute of a client-side computing environment, and (ii) a logical operation on a value of the attribute, a result of which comprises a value that determines what level of access to grant to the client;
  
  (c) transmitting, by the client via the control connection, a response to the appliance comprising the result of evaluating the one or more expressions of the security string by the evaluation component; and
  
  (d) assigning, by the appliance, a level of access to the client responsive to an application of a policy by a policy engine to the result of the evaluation; and
  
  (e) establishing, by the appliance, the virtual private network connection with the client in accordance with the assigned level of access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein step (b) further comprises transmitting the request to a collection agent on the client, the collection agent gathering information associated with the identified attribute and evaluating the at least one clause.
  - 3. The method of claim 1, wherein step (c) further comprises executing, by the client, a script to evaluate the security string.
  - 4. The method of claim 1, wherein step (c) further comprises gathering, by the client, information associated with the identified attribute.
  - 5. The method of claim 4, wherein step (c) further comprises evaluating the one or more expressions responsive to the gathered information.
  - 6. The method of claim 1, wherein step (c) further comprises identifying, by the client responsive to evaluating the at least one clause, a presence on the client of one of the following:
    - a version of an operating system, a service pack of the operating system, a running service, a running process, and a file.
  - 7. The method of claim 1, wherein step (c) further comprises identifying, by the client, responsive to evaluating the at least one clause, a presence on the client of one of the following:
    - antivirus software, personal firewall software, anti-spam software, and internet security software.
  - 8. The method of claim 1, wherein step (c) further comprises identifying, by the client, responsive to evaluating the one or more expressions, a version of one of the following:
    - antivirus software, personal firewall software, anti-spam software, and internet security software.
  - 9. The method of claim 1, wherein step (c) further comprises evaluating, by the appliance, an expression of the one or more expression responsive to identifying that the attribute is present in the client.
  - 10. The method of claim 1, wherein step (c) further comprises receiving, by the appliance, gathered information associated with the client.
  - 11. The method of claim 10, wherein step (c) further comprises receiving, by the appliance, the gathered information from a collection agent.
  - 12. The method of claim 10, wherein step (c) further comprises evaluating the one or more expressions of the security string responsive to the gathered information.
  - 13. The method of claim 12, wherein step (c) further comprises evaluating, by the appliance, the security string comprising one or more logical operations.
  - 14. The method of claim 1, wherein step (d) further comprises determining, by the appliance, responsive to the value of the result, that the client lacks the identified attribute.
  - 15. The method of claim 14, wherein step (d) further comprises assigning, by the appliance, the client to the level of access, the level of access providing quarantined access to the network via the appliance.
  - 16. The method of claim 1, wherein step (d) further comprises configuring, via the appliance, an authorization policy comprising the security string.
  - 17. The method of claim 16, wherein step (d) further comprises assigning via the appliance the authorization policy to a level of access or an authorization group.
  - 18. The method of claim 1, wherein step (d) further comprises denying, by the appliance, a login request from a client if the security string is not associated with a level of access or an authorization group.
  - 19. The method of claim 1, wherein step (d) further comprises transmitting, by the appliance, to the policy engine, the response comprising the result of the evaluation.

20. A system for authorizing a level of access of a client to a virtual private network connection, based on an attribute of a client-side computing environment, the system comprising:
- a means for transmitting, by a client, a request to an appliance for a virtual private network connection to a network;
  
  a request received by the client, via a control connection between the client and the appliance, for evaluation of a security string transmitted in the request, the security string comprising one or more expressions including (i) an identifier of an attribute of a client-side computing environment, and (ii) a logical operation on a value of the attribute, a result of which comprises a value that determines what level of access to grant to the client;
  
  an evaluation component, executing on the client, for evaluating the one or more expressions;
  
  a means for transmitting, by the client via the control connection, a response comprising the result of the evaluation by the evaluation component; and
  
  a means for receiving, from the appliance, an assignment of a level of access to the client responsive to an application of a policy by a policy engine to the result of the evaluation, the appliance establishing the virtual private network connection with the client in accordance with the assigned level of access.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 21. The system of claim 20, wherein the security string identifies the client as an object for evaluation.
  - 22. The system of claim 20, wherein the one or more expressions identifies a presence of an application program as an attribute.
  - 23. The system of claim 20, wherein the one or more expressions identifies an absence of an application program as an attribute.
  - 24. The system of claim 20, wherein the one or more expressions identifies a presence of a version of an application program as an attribute.
  - 25. The system of claim 20, wherein the one or more expressions identifies an absence of a version of an application program as an attribute.
  - 26. The system of claim 20, wherein the one or more expressions identifies a presence of a required version of an application program as an attribute.
  - 27. The system of claim 20, wherein the one or more expressions identifies a presence of at least a minimum version of an application program as an attribute.
  - 28. The system of claim 20, wherein the one or more expressions identifies an absence of at least a minimum version of an application program as an attribute.
  - 29. The system of claim 20, wherein the evaluation component further comprises a script for evaluating the one or more expressions.
  - 30. The system of claim 20, wherein the evaluation component is transmitted to the client from the appliance.
  - 31. The system of claim 20, wherein the evaluation component further comprises a collection agent gathering information associated with the identified attribute.
  - 32. The system of claim 31, wherein the evaluation component evaluates the one or more expressions responsive to the gathered information.
  - 33. The system of claim 20, wherein the evaluation component identifies an attribute indicating a presence on the client of one of the following:
    - a version of an operating system, a service pack of the operating system, a running service, a running process, and a file.
  - 34. The system of claim 20, wherein the evaluation component identifies an attribute indicating a presence on the client of one of the following:
    - antivirus software, personal firewall software, anti-spam software, and internet security software.
  - 35. The system of claim 20, wherein the evaluation component identifies an attribute indicating a presence on the client of a version of one of the following:
    - antivirus software, personal firewall software, anti-spam software, and internet security software.
  - 36. The system of claim 20, wherein the evaluation component determines that the identified attribute satisfies a pre-requisite included in the security string.
  - 37. The system of claim 20, wherein the means for receiving further comprises a means for receiving an assignment made responsive to the result of evaluation of a second clause by the appliance.
  - 38. The system of claim 20, wherein the means for receiving further comprises a means for receiving an assignment made responsive to a determination by the appliance that the client lacks a desired attribute.
  - 39. The system of claim 38, wherein the means for receiving further comprises a means for receiving an assignment to the level of access, the level of access providing quarantined access to the network via the appliance.
  - 40. The system of claim 20, wherein the means for receiving further comprises a means for receiving a denial, by the appliance, of the client request if the security string is not associated with an authorization group or a level of access.
  - 41. The system of claim 20, wherein the means for receiving further comprises a means for receiving a denial, by the appliance, of the client request if a pre-requisite in the security string is not satisfied.
  - 42. The system of claim 20, wherein the means for receiving further comprises a means for receiving an assignment made responsive to an evaluation, by the appliance, of another expression of the security string comprising one or more logical operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Mullick, Amarnath, Nanjundaswamy, Shashi, Soni, Ajay, Venkatraman, Charu, He, Max
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US11/465,915
Publication Number

US 20080046993A1
Time in Patent Office

2,395 Days
Field of Search

726 3- 15, 726/27, 713/153
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links