Multilayer access control security system
Abstract
A computer-based system provides secure, configurable access to computer network resources. A human-readable language is provided for defining access policy rules. Rules in this language are converted in an automated fashion into filters applied within the various subsystems and components in a multi-layer security system. Network users are authenticated by an access control security system that obtains basic information about that user. Based on the user ID, a set of abstract policies can be retrieved. The retrieved policies are associated with the user and the groups associated with that user. Based on the retrieved rules, a set of rules for multiple layers of the network are generated and applied to those subsystems. Two or more of the subsystems may be placed in series with different types of processing occurring in each of the subsystems, reducing the workload of subsequent subsystems.
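The abstract describes a policy engine that turns human-readable policies into per-layer filters and evaluates those layers in series. The following is an added illustration, not code from the patent or its assignee; the policy grammar, the two layers ("network" and "application"), the user/group tables and the sample requests are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy store: abstract, human-readable rules keyed by group.
POLICIES = {
    "engineering": ["allow net 10.0.0.0/8 port 443", "allow app /api/*"],
    "contractor": ["allow net 10.1.0.0/16 port 443", "deny app /api/admin/*"],
}
USER_GROUPS = {"alice": ["engineering"], "bob": ["contractor", "engineering"]}

@dataclass
class Request:
    user: str
    dst_ip: str
    dst_port: int
    path: str

def compile_filters(user):
    """Policy engine: collect the user's policies (via group membership) and
    convert each rule into a user-specific filter for its layer."""
    layers = {"network": [], "application": []}
    for group in USER_GROUPS.get(user, []):
        for rule in POLICIES[group]:
            action, layer, *args = rule.split()
            if layer == "net":  # "allow|deny net <cidr> port <port>"
                net, port = ipaddress.ip_network(args[0]), int(args[2])
                pred = lambda r, net=net, port=port: (
                    ipaddress.ip_address(r.dst_ip) in net and r.dst_port == port)
                layers["network"].append((action, pred))
            elif layer == "app":  # "allow|deny app <path-prefix>*"
                prefix = args[0].rstrip("*")
                pred = lambda r, prefix=prefix: r.path.startswith(prefix)
                layers["application"].append((action, pred))
    return layers

def evaluate_layer(filters, req):
    """A matching deny wins; otherwise a matching allow permits; default deny."""
    matched_allow = False
    for action, pred in filters:
        if pred(req):
            if action == "deny":
                return False
            matched_allow = True
    return matched_allow

def check_access(req):
    """Evaluate the installed filters in series (network layer first).
    Returns (decision, layers_evaluated): a layer-1 deny never reaches layer 2."""
    filters = compile_filters(req.user)
    evaluated = []
    for layer in ("network", "application"):
        evaluated.append(layer)
        if not evaluate_layer(filters[layer], req):
            return False, evaluated
    return True, evaluated
```

The second sample user is permitted by the network-layer filter but denied by the application-layer filter, which is the situation claim 1 steps (e) and (f) describe; a request that fails at the network layer is never evaluated by the later layer.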
17 Claims
1. A method of providing secure access via a network device, the method comprising:
(a) receiving, by a processor of the device intermediary to a client and one or more servers, a request of a user to access a server, the device controlling access via a plurality of security layers, each of the plurality of security layers operating at a different layer of network communications;
(b) generating, by a policy engine executing on the processor of the device, an access rule for the user for each of the plurality of security layers based on a set of access policies corresponding to the user;
(c) converting, by the policy engine executing on the processor of the device, each access rule for each of the plurality of security layers to a user specific filter for a corresponding security layer;
(d) installing, by the processor of the device, each user specific filter to the corresponding security layer of the device;
(e) determining, by a first user specific filter of the device for a first security layer corresponding to one layer of network communication, the user is permitted to access a resource; and
(f) determining, by a second user specific filter of the device for a second security layer corresponding to a second layer of network communication, the user is not permitted to access a resource.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A system of providing secure access via a network device, the system comprising:
a device intermediary to a client and one or more servers, receiving a request of a user to access a server, the device controlling access via a plurality of security layers, each of the plurality of security layers operating at a different layer of network communications;
a hardware processor of the device; and
a policy engine executing on the hardware processor of the device generating an access rule for the user for each of the plurality of security layers based on a set of access policies corresponding to the user and converting each access rule for each of the plurality of security layers to a user specific filter for a corresponding security layer; and
wherein the hardware processor of the device installs each user specific filter to the corresponding security layer of the device; and
wherein a first user specific filter of the device for a first security layer corresponding to one layer of network communication determines that the user is permitted to access a resource; and a second user specific filter of the device for a second security layer corresponding to a second layer of network communication determines that the user is not permitted to access a resource.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A system of providing secure access via a network device, the system comprising:
a device configured to be deployed as an intermediary to a plurality of clients and one or more servers and for receiving a request of a user to access a server, the device controlling access via a plurality of security layers, each of the plurality of security layers operating at a different layer of network communications;
a hardware processor of the device; and
a policy engine configured to execute on the hardware processor of the device for generating an access rule for the user for each of the plurality of security layers based on a set of access policies corresponding to the user and for converting each access rule for each of the plurality of security layers to a user specific filter for a corresponding security layer; and
wherein the hardware processor of the device is configured to install each user specific filter to the corresponding security layer of the device; and
wherein a first user specific filter of the device for a first security layer corresponding to one layer of network communication determines whether the user is permitted to access a resource and a second user specific filter of the device for a second security layer corresponding to a second layer of network communication determines the user is permitted to access a resource.
Specification