Multilayer access control security system

US 8,528,047 B2
Filed: 08/31/2010
Issued: 09/03/2013
Est. Priority Date: 05/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method of providing secure access via a network device, the method comprising:

(a) receiving, by a processor of the device intermediary to a client and one or more servers, a request of a user to access a server, the device controlling access via a plurality of security layers, each of the plurality of security layers operating at a different layer of network communications;

(b) generating, by a policy engine executing on the processor of the device, an access rule for the user for each of the plurality of security layers based on a set of access policies corresponding to the user;

(c) converting, by the policy engine executing on the processor of the device, each access rule for each of the plurality of security layers to a user specific filter for a corresponding security layer;

(d) installing, by the processor of the device, each user specific filter to the corresponding security layer of the device;

(e) determining, by a first user specific filter of the device for a first security layer corresponding to one layer of network communication, the user is permitted to access a resource; and

(f) determining, by a second user specific filter of the device for a second security layer corresponding to a second layer of network communication, the user is not permitted to access a resource.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-based system provides secure, configurable access to computer network resources. A human-readable language is provided for defining access policy rules. Rules in this language are converted in an automated fashion into filters applied within the various subsystems and components in a multi-layer security system. Network users are authenticated by an access control security system that obtains basic information about that user. Based on the user ID, a set of abstract policies can be retrieved. The retrieved policies are associated with the user and the groups associated with that user. Based on the retrieved rules, a set of rules for multiple layers of the network are generated and applied to those subsystems. Two or more of the subsystems may be placed in series with different types of processing occurring in each of the subsystems, reducing the workload of subsequent subsystems.

189 Citations

17 Claims

1. A method of providing secure access via a network device, the method comprising:
- (a) receiving, by a processor of the device intermediary to a client and one or more servers, a request of a user to access a server, the device controlling access via a plurality of security layers, each of the plurality of security layers operating at a different layer of network communications;
  
  (b) generating, by a policy engine executing on the processor of the device, an access rule for the user for each of the plurality of security layers based on a set of access policies corresponding to the user;
  
  (c) converting, by the policy engine executing on the processor of the device, each access rule for each of the plurality of security layers to a user specific filter for a corresponding security layer;
  
  (d) installing, by the processor of the device, each user specific filter to the corresponding security layer of the device;
  
  (e) determining, by a first user specific filter of the device for a first security layer corresponding to one layer of network communication, the user is permitted to access a resource; and
  
  (f) determining, by a second user specific filter of the device for a second security layer corresponding to a second layer of network communication, the user is not permitted to access a resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the first security layer of the plurality of security layers operates at a transport layer of network communication and the second security layer of plurality of security layers operates at an application layer of network communications.
  - 3. The method of claim 1, wherein the first security layer of the plurality of security layers operates at a network layer of network communication and the second security layer of plurality of security layers operates at an application layer of network communications.
  - 4. The method of claim 1, wherein the first security layer of the plurality of security layers operates at one of a data link layer, a network layer or a transport layer of network communications.
  - 5. The method of claim 1, wherein step (b) further comprises retrieving, by the processor of the device, the set of access rules corresponding to the user responsive to authenticating the user.
  - 6. The method of claim 1, wherein step (c) further comprises automatically converting, by the processor of the device, a human readable policy language of each access rule to each user specific filter.
  - 7. The method of claim 1, further comprising determining, by the first user specific filter of the device of the first security layer corresponding to one layer of network communication, the user is not permitted to access a resource.
  - 8. The method of claim 1, further comprising determining, by the second user specific filter of the device of the second security layer corresponding to the second layer of network communication, the user is permitted to access a resource.

9. A system of providing secure access via a network device, the system comprising:
- a device intermediary to a client and one or more servers, receiving a request of a user to access a server, the device controlling access via a plurality of security layers, each of the plurality of security layers operating at a different layer of network communications;
  
  a hardware processor of the device; and
  
  a policy engine executing on the hardware processor of the device generating an access rule for the user for each of the plurality of security layers based on a set of access policies corresponding to the user and converts each access rule for each of the plurality of security layers to a user specific filter for a corresponding security layer; and
  
  wherein the hardware processor of the device installs each user specific filter to the corresponding security layer of the device; and
  
  whereina first user specific filter of the device for a first security layer corresponding to one layer of network communication determines that the user is permitted to access a resource; and
  
  a second user specific filter of the device for a second security layer corresponding to a second layer of network communication determines that the user is not permitted to access a resource.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the first security layer of the plurality of security layers operates at a transport layer of network communication and the second security layer of plurality of security layers operates at an application layer of network communications.
  - 11. The system of claim 9, wherein the first security layer of the plurality of security layers operates at a network layer of network communication and the second security layer of plurality of security layers operates at an application layer of network communications.
  - 12. The system of claim 9, wherein the first security layer of the plurality of security layers operates at one of a data link layer, a network layer or a transport layer of network communications.
  - 13. The system of claim 9, wherein the policy engine retrieves the set of access rules corresponding to the user responsive to authenticating the user.
  - 14. The system of claim 9, wherein the policy engine automatically converts a human readable policy language of each access rule to each user specific filter.
  - 15. The system of claim 9, wherein the first user specific filter of the device for the first security layer corresponding to one layer of network communication determines the user is not permitted to access a resource.
  - 16. The system of claim 9, further comprising wherein the second user specific filter of the device for the second security layer corresponding to the second layer of network communication determines the user is permitted to access a resource.

17. A system of providing secure access via a network device, the system comprising:
- a device configured to be deployed as an intermediary to a plurality of clients and one or more servers and for receiving a request of a user to access a server, the device controlling access via a plurality of security layers, each of the plurality of security layers operating at a different layer of network communications;
  
  a hardware processor of the device; and
  
  a policy engine configured to execute on the hardware processor of the device for generating an access rule for the user for each of the plurality of security layers based on a set of access policies corresponding to the user and for converting each access rule for each of the plurality of security layers to a user specific filter for a corresponding security layer; and
  
  wherein the hardware processor of the device is configured to install each user specific filter to the corresponding security layer of the device; and
  
  wherein a first user specific filter of the device for a first security layer corresponding to one layer of network communication determines whether the user is permitted to access a resource and a second user specific filter of the device for a second security layer corresponding to a second layer of network communication determines the user is permitted to access a resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Terzis, Andreas, Murgia, Marco A., Baskaran, Ashwin
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US12/873,042
Publication Number

US 20100325697A1
Time in Patent Office

1,099 Days
Field of Search

726 1- 4, 726 11- 12, 726/21, 709/225, 709/227, 709/229, 370/392, 370/401
US Class Current

726/2
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Multilayer access control security system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

189 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Multilayer access control security system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

189 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others