Rule based extensible authentication
Abstract
A system, apparatus, and method are directed to managing access to a resource using rule-based deep packet extraction of a credential. A network device, such as a traffic management device, is situated between a client device and a server device. When the client device sends a request for a resource, the request is intercepted by the network device. The network device may employ a multi-layer deep packet extraction of the credential from the request. The network device may then use the credential to determine whether the request is enabled to access the resource. Based, in part, on a variety of rules, the network device may deny access, enable access, route the request to a different server, or the like. In one embodiment, the network device may receive a rule from another device that directs the network device to request a different credential.
201 Citations
27 Claims
1. A traffic management device for managing a communication between a client and a server, comprising:
- a transceiver that receives packets from the client; and
- a processor programmed to perform actions including:
  - receiving from the client a request for a resource;
  - extracting information from at least one packet associated with the request using a deep packet inspection;
  - generating a credential from the extracted information;
  - determining if access to the resource is allowable based, at least in part, on the credential, and if access is allowable, selecting at least one server based, in part, on a rule associated with the allowed access, and directing the request towards the selected server; and
  - determining that the extracted information is insufficient to determine if the access to the resource is allowable, and based on the determination that the extracted information is insufficient, sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the access to the resource is allowable; and
  - if so, then enabling access to the requested resource.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A method operating within a network device for managing a communication between a client and at least one server over a network, comprising:
- receiving from the client a request for a resource;
- extracting a credential from at least one packet associated with the request, the credential being from the at least one packet at an Open Systems Interconnection (OSI) application;
- determining if access to the resource is allowed based, at least in part, on the credential, and if access is allowed, selecting at least one server based, in part, on a rule associated with the allowed access, and directing the request towards the selected server; and
- determining that the extracted information is insufficient to determine if the access to the resource is allowable, and based on the determination that the extracted information is insufficient, sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the access to the resource is allowable; and
- if so, then enabling access to the requested resource.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.

23. An apparatus for managing a communication between a client and a server over a network, comprising:
- a transceiver to receive a request from the client for a resource over the network;
- means for extracting a credential from at least one packet associated with the request;
- means for determining if access to the resource is allowed based, at least in part, on the credential, and if access is allowed, selecting at least one server based, in part, on a rule associated with the allowed access;
- means for determining that the extracted information is insufficient to determine if the access to the resource is allowable, and based on the determination that the extracted information is insufficient, means for sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the access to the resource is allowable; and
- program instructions that perform actions comprising directing the request towards the selected server.

Dependent claims: 24.

25. A traffic management device for managing a communication between a client and a plurality of servers, comprising:
- a transceiver that receives packets from the client; and
- a processor programmed to perform actions including:
  - receiving from the client a request for a resource;
  - extracting credential information from the request;
  - determining a level of authentication based on the credential information;
  - determining that the extracted information is insufficient to determine a level of authentication, and based on the determination that the extracted information is insufficient, sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the extracted information is sufficient to determine a level of authentication; and
  - selecting a server based on the determined level of authentication.

Dependent claims: 26, 27.
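The following is an added illustration, not code from the patent or its assignee: a minimal model of the claimed traffic manager that extracts fields from an HTTP request at the application layer, derives an authentication level from them, routes to a server pool chosen by a rule tied to that level, and, when the extracted information is insufficient, challenges the client for the next factor so it can be extracted from the subsequent packet. The rule table, session and OTP stores, server names and request builder are all constructed for the example.

```python
# Added example (not the patent's own code): a minimal model of the traffic
# manager in the claims, with constructed rules, credentials and requests.
RESOURCE_MIN_LEVEL = {"/public": 0, "/account": 1, "/admin": 2}   # rule: level each resource needs
POOL_BY_LEVEL = {0: ["web-anon-1"], 1: ["web-auth-1", "web-auth-2"], 2: ["web-admin-1"]}
VALID_SESSIONS = {"sess-abc": 1}      # constructed: session cookie -> base authentication level
VALID_OTPS = {"sess-abc": "123456"}   # constructed: second factor that raises the level to 2


def extract_fields(packet):
    """Application-layer deep packet extraction: parse the HTTP request line and headers."""
    head = packet.split("\r\n\r\n", 1)[0]
    request_line, *headers = head.split("\r\n")
    fields = {"path": request_line.split()[1]}
    for header in headers:
        name, _, value = header.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def auth_level(fields):
    """Generate the credential from the extracted fields and map it to an authentication level."""
    session = fields.get("cookie", "").removeprefix("session=")
    level = VALID_SESSIONS.get(session, 0)
    if level >= 1 and fields.get("x-otp") == VALID_OTPS.get(session):
        level = 2
    return level


def handle(packet, round_robin):
    """Return ('forward', server), ('challenge', missing factor) or ('deny', None)."""
    fields = extract_fields(packet)
    required = RESOURCE_MIN_LEVEL.get(fields["path"], 2)
    session = fields.get("cookie", "").removeprefix("session=")
    if "cookie" in fields and session not in VALID_SESSIONS:
        return "deny", None                    # a credential was presented but is invalid
    level = auth_level(fields)
    if level >= required:
        pool = POOL_BY_LEVEL[required]         # rule: route by the level the access required
        idx = round_robin.get(required, 0)
        round_robin[required] = idx + 1
        return "forward", pool[idx % len(pool)]
    # Extracted information is insufficient: request the next factor from the client
    # so it can be extracted from the subsequent packet, rather than denying outright.
    return "challenge", ("session" if level == 0 else "otp")


def build_request(path, **headers):
    """Build a constructed HTTP/1.1 request; X_OTP=... becomes an 'X-OTP:' header."""
    lines = [f"GET {path} HTTP/1.1", "Host: example.test"]
    lines += [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"
```

Two consecutive level-1 requests land on different servers in the level-1 pool, which is the round-robin selection among the servers a rule associates with the allowed access.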