Query interface to policy server

US 8,914,410 B2
Filed: 03/21/2011
Issued: 12/16/2014
Est. Priority Date: 02/16/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for managing resource access, the method comprising:

storing information in memory regarding a plurality of resources, each resource associated with one or more requirements regarding access;

receiving a request sent over a communication network, the request concerning access by a user to a requested resource;

receiving an indication over the communication network that an identity of the user is valid; and

executing instructions stored in memory, wherein execution of the instructions by a processor;

identifies a path taken by the request through the communication network out of a plurality of possible paths, wherein each path is associated with a trust level,identifies an identification technique used to identify the user requesting access out of a plurality of possible identification techniques, wherein each identification technique is associated with a trust level,calculates an overall trust level of the request based on;

the trust level of the identification technique used to identify the user,the trust level of the path taken by the access request through the network, anda trust level of an encryption technique used to encrypt the request out of a plurality of possible encryption techniques,recognizes that the encryption technique has a higher trust level than a trust level of a portion of the path,increases the overall trust level to the trust level of the encryption technique, andprovides or refuses access to the requested resource based on whether the overall trust level of the request corresponds to requirements for accessing the resource.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL entity. The policy server assembles the information needed for the response to the query from various information sources, including source external to the policy server.

166 Citations

15 Claims

1. A method for managing resource access, the method comprising:
- storing information in memory regarding a plurality of resources, each resource associated with one or more requirements regarding access;
  
  receiving a request sent over a communication network, the request concerning access by a user to a requested resource;
  
  receiving an indication over the communication network that an identity of the user is valid; and
  
  executing instructions stored in memory, wherein execution of the instructions by a processor;
  
  identifies a path taken by the request through the communication network out of a plurality of possible paths, wherein each path is associated with a trust level,identifies an identification technique used to identify the user requesting access out of a plurality of possible identification techniques, wherein each identification technique is associated with a trust level,calculates an overall trust level of the request based on;
  
  the trust level of the identification technique used to identify the user,the trust level of the path taken by the access request through the network, anda trust level of an encryption technique used to encrypt the request out of a plurality of possible encryption techniques,recognizes that the encryption technique has a higher trust level than a trust level of a portion of the path,increases the overall trust level to the trust level of the encryption technique, andprovides or refuses access to the requested resource based on whether the overall trust level of the request corresponds to requirements for accessing the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the communication network is divided into a plurality of components, each component having an associated trust level, and wherein identifying the path includes identifying one or more components in the path.
  - 3. The method of claim 1, wherein the one or more requirements includes the identity of the user.
  - 4. The method of claim 1, wherein the one or more requirements includes membership of the user in a group, and wherein the group is associated with a set of identification techniques.
  - 5. The method of claim 1, further comprising initially determining that the unadjusted overall trust level of the request does not meet the requirements for accessing the resource, and, wherein the adjusted overall trust level meets the requirements for accessing the resource.
  - 6. The method of claim 5, further comprising selecting the encryption technique from a database concerning the plurality of possible encryption techniques, each associated with a trust level adjustment.
  - 7. The method of claim 6, wherein selection of the encryption technique is based on a minimum trust level adjustment necessary to meet the requirements for accessing the resource.

8. A system for managing resource access, the system comprising:
- memory for storing information regarding a plurality of resources, each resource associated with one or more requirements regarding access;
  
  a communications interface for receiving a request sent over a communication network, the request concerning access by a user to a requested resource and for receiving an indication over the communication network that an identity of the user is valid; and
  
  a processor for executing instructions stored in memory, wherein execution of the instructions by the processor;
  
  identifies a path taken by the request through the communication network out of a plurality of possible paths, wherein each path is associated with a trust level,identifies an identification technique used to identify the user requesting access out of a plurality of possible identification techniques, wherein each identification technique is associated with a trust level,calculates an overall trust level of the request based on;
  
  the trust level of the identification technique used to identify the user,the trust level of the path taken by the access request through the network, anda trust level of an encryption technique used to encrypt the request out of a plurality of possible encryption techniques,recognizes that the encryption technique has a higher trust level than a trust level of a portion of the path,increases the overall trust level to the trust level of the encryption technique, andprovides or refuses access to the requested resource based on whether the overall trust level of the request corresponds to requirements for accessing the resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the communication network is divided into a plurality of components, each component having an associated trust level, and wherein identifying the path includes identifying one or more components in the path.
  - 10. The system of claim 8, wherein the one or more requirements includes the identity of the user.
  - 11. The system of claim 8, wherein the one or more requirements includes membership of the user in a group, and wherein the group is associated with a set of identification techniques.
  - 12. The system of claim 8, further comprising executing instructions by the processor to initially determine that the unadjusted overall trust level of the request does not meet the requirements for accessing the resource, wherein the adjusted overall trust level meets the requirements for accessing the resource.
  - 13. The system of claim 12, further comprising selecting the encryption technique from a database concerning the plurality of possible encryption techniques, each associated with a trust level adjustment.
  - 14. The system of claim 13, wherein selection of the encryption technique is based on a minimum trust level adjustment necessary to meet the requirements for accessing the resource.

15. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for managing resource access, the method comprising:
- storing information in memory regarding a plurality of resources, each resource associated with one or more requirements regarding access;
  
  receiving a request sent over a communication network, the request concerning access by a user to a requested resource;
  
  receiving an indication over the communication network that an identity of the user is valid;
  
  identifying a path taken by the request through the communication network out of a plurality of possible paths, wherein each path is associated with a trust level;
  
  identifying identification technique used to identify the user requesting access out of a plurality of possible identification techniques, wherein each identification technique is associated with a trust level;
  
  calculating an overall trust level of the request based on;
  
  the trust level of the identification technique used to identify the user,the trust level of the path taken by the access request through the network, anda trust level of an encryption technique used to encrypt the request out of a plurality of possible encryption techniques,recognizing that the encryption technique has a higher trust level than a trust level of a portion of the path;
  
  increasing the overall trust level to the trust level of the encryption technique; and
  
  providing or refusing access to the requested resource based on whether the overall trust level of the request corresponds to requirements for accessing the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Hannel, Clifford Lee, May, Anthony
Primary Examiner(s)
Hwa, Shyue Jiunn

Application Number

US13/053,196
Publication Number

US 20110231443A1
Time in Patent Office

1,366 Days
Field of Search

707/776
US Class Current

707/776
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Query interface to policy server

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Query interface to policy server

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links