Computer security system

US 8,910,241 B2
Filed: 06/27/2008
Issued: 12/09/2014
Est. Priority Date: 04/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method of packet management for restricting access to a resource of a computer system using client parameters and network parameters, as packet management information, said method comprising:

inserting, at a first device, the packet management information and a session ID into at least a portion of information packets sent from the first device to a second device;

monitoring, at the second device, the packet management information of the portion of the information packets sent from the first device;

filtering out respective information packets sent to the second device from the first device when the monitored packet management information indicates that access to the resource is restricted;

extracting a client ID unique to the first device from the monitored information packets;

re-generating a digital signature in the second device using a session key associated with the extracted client ID; and

comparing the digital signature regenerated in the second device with the digital signature embedded in the monitored information packets.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.

212 Citations

25 Claims

1. A method of packet management for restricting access to a resource of a computer system using client parameters and network parameters, as packet management information, said method comprising:
- inserting, at a first device, the packet management information and a session ID into at least a portion of information packets sent from the first device to a second device;
  
  monitoring, at the second device, the packet management information of the portion of the information packets sent from the first device;
  
  filtering out respective information packets sent to the second device from the first device when the monitored packet management information indicates that access to the resource is restricted;
  
  extracting a client ID unique to the first device from the monitored information packets;
  
  re-generating a digital signature in the second device using a session key associated with the extracted client ID; and
  
  comparing the digital signature regenerated in the second device with the digital signature embedded in the monitored information packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein an unmonitored portion of the information packets sent from the first device includes information packets sent during session establishment or for a predetermined period of time from a beginning of the session establishment.
  - 3. The method of claim 1, wherein the monitoring further includes:
    - reading and validating, by a packet manager of the second device, a control field at an end of the packet management information in each monitored information packet;
      
      computing a length of the packet management information to determine a starting position thereof;
      
      extracting and validating a unique ID that is embedded in the control field of the monitored information packets,responsive to the regenerated digital signature matching the digital signature of the respective packet management information, removing the respective packet management information from a corresponding information packet and recomputing the header of the corresponding information packet.
  - 4. The method of claim 3, wherein the digital signature is based on at least two of:
    - negotiated secret key, a random number, an obfuscated client, the control field, an application type a sequence number corresponding to a sequence of the information packet in a communication to the second device, or a payload of the corresponding information packet.
  - 5. The method of claim 1, further comprising:
    - sending, by the second device, a resource list indicating resource that are protected; and
      
      selectively embedding packet management information in information packets based on information from the resource list.
  - 6. The method of claim 1, further comprising:
    - a) identifying client parameters and network parameters, as the packet management information, used to determine access to the resource;
      
      b) negotiating a session key between client and server devices;
      
      c) generating a session based on at least the negotiated session key;
      
      d) inserting the packet management information and the session into each information packet sent from the client device to the server device;
      
      e) monitoring the packet management information in each information packet from the client device, the packet management information comprising client health state information indicating a health stat of the client; and
      
      f) filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted by comparing the health state indicated by the client health state information in each respective information packet with pre-established policies at the server device to determine whether the client health is in compliance with the pre-establish policies.
  - 7. The method of claim 6, further comprising authenticating, by the server device, a user of the client device, wherein the step of negotiating the session key includes:
    - sending, by the client device to the server device, client device capability information;
      
      determining, by the server device, a network access type used by the client device;
      
      establishing, by the server device, session parameters based on at least the client device capability information;
      
      sending, by the server device to the client device, the session parameters and information used to form the packet management information; and
      
      establishing a client ID and the session key between the client and server devices.
  - 8. The method of claim 6, further comprising:
    - sending, by the server device, a list of predetermined applications used by the computer system and at least a corresponding application ID for each predetermined application wherein the packet management information received from the client device includes one of the corresponding application IDs and is used at least in part by the server device to determine whether access to the resource is restricted to the client device.
  - 9. The method of claim 6, further comprising:
    - sending, by the server device to the client device, a user ID unique to a user of the client device;
      
      embedding the unique user ID, by the client device, in each information packet destined for the resource; and
      
      verifying the unique user ID for each information packet.
  - 10. The method of claim 6, wherein the monitored packet management information used to determine access to the resource includes at least one of:
    - (1) a user ID of the user of the client device, (2) application type information corresponding to an application used by the user for access to the resource, (3) user domain information indicating a user domain of the resource being accessed, (4) client device health state information indicating a state of health of the client device, or (5) client device security compliance information indicating security compliance of the client device.
  - 11. The method of claim 10, wherein:
    - for each respective information packet which is not in compliance with the pre-established rules, dropping, by the server device, the respective information packet.
  - 12. The method of claim 6, wherein the step of filtering out respective information packets includes comparing the packet management information in each respective information packet with pre-established policies at the server device to determine whether the packet management information is in compliance with the pre-established policies, and for each respective information packet which is not in compliance with the pre-established rules, dropping, by the server device, the respective information packet.
  - 13. The method of claim 6, wherein the step of filtering out respective information packets includes the step of restricting access to the resource by respective information packets based on at least one of:
    - (1) user information of the client device, (2) client health information of the client device, (3) network access type information indicating a type of access of the client device or (4) application type information which is embedded in the respective information packets.

14. A system for restricting access to a resource of a computer system using packet management information that includes network and device parameters, comprising:
- a first device for inserting the packet management information into information packets destined for the resource of the computer system; and
  
  a second device including;
  
  a packet processor for removing at least the packet management information inserted by the first device into information packets received from the first device, anda packet manager for monitoring the removed packet management information in the information packets from the client device and for controlling the packet processor to filter out respective information packets when the network and client parameters indicate that access to the resource is restricted.wherein the packet management information in each of the information packets is a variable length security tag and a login message to establish a session between the client and server devices includes device parameters including control flags indicating (1) a set length of the security tag and (2) whether none, a part or an entire payload is used for encryption of the security tag.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The system of claim 14, wherein the first device is in a logout state and sends a login request including the device parameters to initiate a communication channel with the second device using a first session key such that an operational state of the first device changes to a login state, and responsive to a predetermined period expiring and the first device not establishing a new session key with the second device, the operational state of the first device is changed to a re-key state in which the first device is limited to operations for establishing the new session key.
  - 16. The system of claim 14, further comprising:
    - a storage unit for storing identified client parameters and network parameters, as the packet management information, used for comparison with rules for determining access to the resource.
  - 17. The system of claim 14, wherein the packet manager negotiates a session key between the client device and the server device and generates a session ID based on at least the negotiated session key such that information packets received by the server device include the packet management information and the session ID.
  - 18. The system of claim 14, wherein the packet manager controls the packet processor to filter out respective information packets sent to the server device based on the monitored packet management information and session IDs therein using the rules for determining access to the resource.
  - 19. The system of claim 14, wherein the client device is on a first network and the resource is on a second protected network, the system further comprising:
    - a transaction manager for translating first communications of protocols and standards of the first network to second communication s of protocols and standards of the second protected network.
  - 20. The system of claim 14, wherein a storage unit includesa rule library including predetermined quarantine rules for causing one of:
    - (1) the client device to be logged out of the computer system;
      
      (2) the client device to be logged out and not allowed to be re-authenticated re-authorized for a pre determined period; and
      
      (3) the client device to be logged out and not allowed to be re-authenticated/re-authorized, the server device further comprising;
      
      a compliance monitor for determining whether communication from the client device indicates a security breach therewith by comparing the packet management information with the predetermined quarantine rules.
  - 21. The system of claim 14, wherein the compliance monitor determines whether a valid request for the resource is being processed form an authorized user or the client device based on information in the packet management information of each information packet which reflects a current statement of health of the client device.
  - 22. The system of claim 14, wherein a storage unit includes a rule library including established scheduling rules, the system further comprising:
    - a scheduler for managing scheduling of network traffic through the server device based on information in the packet management information and the established scheduling rules.
  - 23. The system of claim 22, wherein the scheduler modifies priority of network traffic sent through the server device based on the packet management information in respective information packets.
  - 24. The system of claim 14, wherein:
    - the packet management information includes client device health state information; and
      
      the packet manager compares a health state indicated by the client device health state information in each respective information packet with preestablished policies to determine whether the client health is in compliance with the pre-established policies such that for each respective information packet which is not in compliance with the pre-established rules, the packet processor drops the respective information packet sent by the client device.
  - 25. The system of claim 14, wherein the packet processor, controlled by the packet manager, filters out respective information packet based on at least one of:
    - (1) user information of the client device, (2) client health information of the client device, (3) network access type information indicating a type of access of the client device or (4) application type information which is embedded in the respective information packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Pollutro, Dennis Vance, Tran, Kiet Tuan, Kumar, Srinivas
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US12/163,292
Publication Number

US 20090328186A1
Time in Patent Office

2,356 Days
Field of Search

None
US Class Current

726/2
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2117   User registration

G06F 2221/2119   Authenticating web pages, e...

H04L 63/0227   Filtering policies mail mes...

H04L 63/067   using one-time keys cryptog...

H04L 63/0838   using one-time-passwords

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/164   at the network layer

Computer security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

212 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Computer security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

212 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links