Secure enterprise network

US 8,925,036 B2
Filed: 03/30/2012
Issued: 12/30/2014
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A method of implementing a security system that enables transparent authentication and transparent policy enforcement in a fabric of a network, the method comprising:

receiving, after an authentication process, a packet stream sent from a network host prior to the packet stream reaching a network resource comprising access to one or more applications;

identifying an authentication exchange packet in the packet stream, the authentication exchange packet being associated with the authentication process, wherein the authentication exchange packet includes authenticated information;

determining, using the authentication exchange packet and a directory service, a user associated with the packet stream and whether the user has authorization to access the network resource and the one or more applications; and

creating a network policy based on the identifying and the determining, the network policy defining whether the user has access to the network resource and the one or more applications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system enables transparent authentication and transparent policy enforcement in a fabric of a network. In an exemplary embodiment thereof, a packet stream sent from a network host to a network resource is received at a security system. The security system identifies an authentication exchange packet in the packet stream and determines, using the authentication exchange packet and a directory service, a user identity associated with the packet stream and whether the identified user has authorization to access the network resource. A network policy is created that defines whether the user has access to the network resource.

Citations

19 Claims

1. A method of implementing a security system that enables transparent authentication and transparent policy enforcement in a fabric of a network, the method comprising:
- receiving, after an authentication process, a packet stream sent from a network host prior to the packet stream reaching a network resource comprising access to one or more applications;
  
  identifying an authentication exchange packet in the packet stream, the authentication exchange packet being associated with the authentication process, wherein the authentication exchange packet includes authenticated information;
  
  determining, using the authentication exchange packet and a directory service, a user associated with the packet stream and whether the user has authorization to access the network resource and the one or more applications; and
  
  creating a network policy based on the identifying and the determining, the network policy defining whether the user has access to the network resource and the one or more applications.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising associating the user with a group of users in the directory service that have the same network policy.
  - 3. The method of claim 1, further comprising enforcing the network policy by stopping the packet stream from reaching the network resource when it is determined that the user does not have access to the network resource.
  - 4. The method of claim 1, further comprising:
    - monitoring a usage, a resource, and content of information sent by or received by each member of a group;
      
      updating the network policy for each member of the group based on the monitoring, the updated network policy including usage thresholds, approved resources, and approved content of information; and
      
      enforcing the updated network policy by preventing certain information from being sent by or received by a member of the group when the certain information exceeds the usage thresholds, is not from an approved resource, or does not include approved content.
  - 5. The method of claim 1, further comprising:
    - monitoring a rate at which information is sent by or received by a group of users;
      
      generating a network policy for the group based on the monitoring, the network policy for the group including information rate thresholds; and
      
      enforcing the network policy of the group by reducing a rate at which information can be sent by or received by the group when the rate at which information is sent by or received by the group exceeds one or more of the information rate thresholds.
  - 6. The method of claim 1, wherein determining a user associated with the packet stream comprises:
    - extracting a username from the packet stream; and
      
      using the directory service to determine a user associated with the username.

7. A system comprising:
- a directory server comprising user information, user authorization information, and network policy information; and
  
  at least one processor programmed to;
  
  receive, after an authentication process, a packet stream sent from a network host prior to the packet stream reaching a network resource comprising access to one or more applications;
  
  identify an authentication exchange packet in the packet stream, the authentication exchange packet being associated with the authentication process, wherein the authentication exchange packet includes authenticated information;
  
  determine, using the authentication exchange packet and the directory server, a user associated with the packet stream and whether the user has authorization to access the network resource and the one or more applications; and
  
  create a network policy based on the identifying and the determining, the network policy defining whether the user has access to the network resource and the one or more applications.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the at least one processor is further programmed to associate the user with a group of users in the directory server that have the same network policy.
  - 9. The system of claim 7, wherein the at least one processor is further programmed to enforce the network policy by stopping the packet stream from reaching the network resource when it is determined that the user does not have access to the network resource.
  - 10. The system of claim 7, wherein the at least one processor is further programmed to:
    - monitor a usage, a resource, and content of information sent by or received by each member of a group; and
      
      update the network policy for each member of the group based on the monitoring, the updated network policy including usage thresholds, approved resources, and approved content of information.
  - 11. The system of claim 10, wherein the at least one processor is further programmed to enforce the updated network policy by preventing certain information from being sent by or received by a member of the group when the certain information exceeds the usage thresholds, is not from an approved resource, or does not include approved content.
  - 12. The system of claim 10, wherein the at least one processor is further programmed to:
    - extract a username from the packet stream; and
      
      determine a user associated with the username using in the directory server.

13. A non-transitory computer readable medium comprising computer-readable instructions thereon that instruct one or more processors to:
- receive, after an authentication exchange process, a packet stream sent from a network host prior to the packet stream reaching a network resource comprising access to one or more applications;
  
  identify an authentication exchange packet in the packet stream, the authentication exchange packet being associated with the authentication process, wherein the authentication exchange packet includes authenticated information;
  
  determine, using the authentication exchange packet and a directory service, a user associated with the packet stream and whether the user has authorization to access the network resource and the one or more applications; and
  
  create a network policy based on the identifying and the determining, the network policy defining whether the user has access to the network resource and the one or more applications.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The non-transitory computer readable media of claim 13, further comprising computer-readable instructions thereon that instruct the one or more processors to associate the user with a group of users in the directory service that have the same network policy.
  - 15. The non-transitory computer readable media of claim 13, further comprising computer-readable instructions thereon that instruct the one or more processors to enforce the network policy by stopping the packet stream from reaching the network resource when it is determined that the user does not have access to the network resource.
  - 16. The non-transitory computer readable media of claim 13, further comprising computer-readable instructions thereon that instruct the one or more processors to:
    - monitor a usage, a resource, and content of information sent by or received by each member of a group; and
      
      update the network policy for each member of the group based on the monitoring, the updated network policy including usage thresholds, approved resources, and approved content of information.
  - 17. The non-transitory computer readable media of claim 16, further comprising computer-readable instructions thereon that instruct the one or more processors to enforce the updated network policy by preventing certain information from being sent by or received by a member of the group when the certain information exceeds the usage thresholds, is not from an approved resource, or does not include approved content.
  - 18. The non-transitory computer readable media of claim 13, further comprising computer-readable instructions thereon that instruct the one or more processors to:
    - monitor a rate at which information is sent by or received by a group of users; and
      
      generate a network policy for the group based on the monitoring, the network policy for the group including information rate thresholds.
  - 19. The non-transitory computer readable media of claim 18, further comprising computer-readable instructions thereon that instruct the one or more processors to enforce the network policy of the group by reducing a rate at which information can be sent by or received by the group when the rate at which information is sent by or received by the group exceeds one or more of the information rate thresholds.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Pramod, John
Primary Examiner(s)
Gee, Jason K

Application Number

US13/436,332
Publication Number

US 20120185915A1
Time in Patent Office

1,005 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/105 Multiple levels of security

Secure enterprise network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure enterprise network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links