Rule based extensible authentication

US 8,418,233 B1
Filed: 10/24/2005
Issued: 04/09/2013
Est. Priority Date: 07/29/2005
Status: Active Grant

First Claim

Patent Images

1. A traffic management device for managing a communication between a client and a server, comprising:

a transceiver that receives packets from the client; and

a processor programmed to perform actions including;

receiving from the client a request for a resource;

extracting information from at least one packet associated with the request using a deep packet inspection;

generating a credential from the extracted information;

determining if access to the resource is allowable based, at least in part, on the credential, and if access is allowable, selecting at least one server based, in part, on a rule associated with the allowed access, and directing the request towards the selected server; and

determining that the extracted information is insufficient to determine if the access to the resource is allowable, and based on the determination that the extracted information is insufficient, sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the access to the resource is allowable; and

if so, then enabling access to the requested resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, and method are directed to managing access to a resource using rule-based deep packet extractions of a credential. A network device, such as a traffic management device, is situated between a client device and a server device. When the client device sends a request for a resource, the request is intercepted by the network device. The network device may employ a multi-layer deep packet extraction of the credential from the request. The network device may then use the credential to determine whether the request enabled to access the resource. Based, in part, on a variety of rules, the network device may deny access, enable access, route the request to a different server, or the like. In one embodiment, the network device may receive a rule from another device that directs the network device to request a different credential.

201 Citations

27 Claims

1. A traffic management device for managing a communication between a client and a server, comprising:
- a transceiver that receives packets from the client; and
  
  a processor programmed to perform actions including;
  
  receiving from the client a request for a resource;
  
  extracting information from at least one packet associated with the request using a deep packet inspection;
  
  generating a credential from the extracted information;
  
  determining if access to the resource is allowable based, at least in part, on the credential, and if access is allowable, selecting at least one server based, in part, on a rule associated with the allowed access, and directing the request towards the selected server; and
  
  determining that the extracted information is insufficient to determine if the access to the resource is allowable, and based on the determination that the extracted information is insufficient, sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the access to the resource is allowable; and
  
  if so, then enabling access to the requested resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The traffic management device of claim 1, wherein the credential comprises at least one of a username, a password, or a certificate.
  - 3. The traffic management device of claim 1, wherein the extracted information comprises information exchanged during an Secure Sockets Layer (SSL) handshake.
  - 4. The traffic management device of claim 1, wherein the extracted information comprises information extracted from a Session Initiation Protocol (SIP) request, an HyperText Markup Language (HTML) page, an application, a Uniform Resource Locator (URL), eXtensible Markup Language (XML) content, or a cookie.
  - 5. The traffic management device of claim 1, wherein performing the deep packet inspection further comprises extracting information from at least two layers of the Open Systems Interconnection (OSI) protocol.
  - 6. The traffic management device of claim 1, wherein requesting additional information from the client further comprises employing a query mechanism to determine at least one of a number of times the client requested access to the request over a period of time, or to request a security configuration of the client.
  - 7. The traffic management device of claim 1, the actions further comprising:
    - if access to the resource is unallowable, identifying the request for additional processing.
  - 8. The traffic management device of claim 7, wherein additional processing includes at least one of verbose logging, or intrusion detection analysis.
  - 9. The traffic management device of claim 1, the actions further comprising determining the information to extract based, in part, on a level of security.
  - 10. The traffic management device of claim 9, wherein determining the information further comprises receiving direction to change the information to extract based, in part, on a change in a level of security.
  - 11. The traffic management device of claim 1, wherein selecting the at least one server further comprises selecting the at least one server based on a load-balancing mechanism.

12. A method operating within a network device for managing a communication between a client and at least one server over a network, comprising:
- receiving from the client a request for a resource;
  
  extracting a credential from at least one packet associated with the request, the credential being from the at least one packet at an Open Systems Interconnection (OSI) application;
  
  determining if access to the resource is allowed based, at least in part, on the credential, and if access is allowed, selecting at least one server based, in part, on a rule associated with the allowed access, and directing the request towards the selected server; and
  
  determining that the extracted information is insufficient to determine if the access to the resource is allowable, and based on the determination that the extracted information is insufficient, sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the access to the resource is allowable; and
  
  if so, then enabling access to the requested resource.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein extracting the credential further comprises performing a deep packet inspection of the at least one packet.
  - 14. The method of claim 12, wherein extracting the credential further comprises extracting information from at least one of Secure Sockets Layer (SSL) protocol data, Hypertext Transfer Protocol (HTTP) data, Session Initiation Protocol (SIP) data, a Uniform Resource Locator (URL), eXtensible Markup Language (XML) data, or a cookie.
  - 15. The method of claim:
    - 12, wherein selecting at least one server based, in part, on the rule, further comprises selecting the server based on at least one of a type of client, a type of the request, a number of times the client has requested the resource, a number of times the resource has been requested over a period of time, or a total number of aggregate requests for the resource.
  - 16. The method of claim 12, wherein the credential further comprises at least one of a password, an eXtensible Markup Language (XML) stream authenticator, a database authenticator, a form-based authenticator, or a certificate.
  - 17. The method of claim 12, wherein requesting additional information further comprises employing a query mechanism to determine at least one of a software installed on the client or to request a security configuration of the client.
  - 18. The method of claim 12, further comprising if access to the resource is not allowed, redirecting the request to another resource.
  - 19. The method of claim 12, wherein extracting the credential further comprises using a programmable syntax for enabling a creation of event criteria usable in extracting the credential from at least one packet.
  - 20. The method of claim 12, further comprising:
    - modifying a selection criteria to extract different information from the at least one packet usable to determine the credential.
  - 21. The method of claim 12, wherein the selecting the at least one server based, in part, on the rule further comprises dynamically selecting the rule.
  - 22. The method of claim 12, further comprising:
    - determining whether the credential is extracted from a first packet associated with the request;
      
      if the credential is not extracted completely from the first packet, buffering additional packets associated with the request until the credential is completely extracted.

23. An apparatus for managing a communication between a client and a server over a network, comprising:
- a transceiver to receive a request from the client for a resource over the network;
  
  means for extracting a credential from at least one packet associated with the request;
  
  means for determining if access to the resource is allowed based, at least in part, on the credential, and if access is allowed, selecting at least one server based, in part, on a rule associated with the allowed access;
  
  means for determining that the extracted information is insufficient to determine if the access to the resource is allowable, and based on the determination that the extracted information is insufficient, means for sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the access to the resource is allowable; and
  
  program instructions that perform actions comprising directing the request towards the selected server.
- View Dependent Claims (24)
- - 24. The apparatus of claim 23, further comprising:
    - means for selecting different information to extract as the credential from the at least one packet, based, at least in part, on input from another device.

25. A traffic management device for managing a communication between a client and a plurality of servers, comprising:
- a transceiver that receives packets from the client; and
  
  a processor programmed to perform actions including;
  
  receiving from the client a request for a resource;
  
  extracting credential information from the request;
  
  determining a level of authentication based on the credential information;
  
  determining that the extracted information is insufficient to determine a level of authentication, and based on the determination that the extracted information is insufficient, sending a request to the client for additional information to be extracted from a subsequent packet received from the client in response to the request for a further determination if the extracted information is sufficient to determine a level of authentication; and
  
  selecting a server based on the determined level of authentication.
- View Dependent Claims (26, 27)
- - 26. The traffic management device of claim 25, wherein selecting the server comprises selecting the server to establish an increased level of security with the client.
  - 27. The traffic management device of claim 25, wherein selecting the server comprises selecting the server to establish an Secure Sockets Layer (SSL) connection with the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Hughes, John Robert
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US11/258,551
Time in Patent Office

2,724 Days
Field of Search

726/5, 726/11, 726/13, 713/155, 713/154, 713/153
US Class Current

726/5
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/205   involving negotiation or de...

Rule based extensible authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

201 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Rule based extensible authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

201 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links