Generalized policy server

US 8,935,311 B2
Filed: 02/01/2012
Issued: 01/13/2015
Est. Priority Date: 03/10/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A method for controlling access to network information, the method comprising:

storing a local copy of one or more policies in memory, the one or more policies limiting access to the network information, wherein at least one policy of the one or more policies includes at least a predefined temporal condition and a class of service associated with the pre-defined temporal condition, wherein the pre-defined temporal condition defines a time period, and wherein the at least one policy including the pre-defined temporal condition is applicable only during the defined time period;

receiving a request from a user concerning access to information in a network;

executing instructions stored in memory, wherein execution of the instructions by a processor;

determines that the user is authorized to access the requested network information based on at least the local copy of the one or more policies, wherein the predefined temporal condition is satisfied,applies the class of service associated with the pre-defined temporal condition, identifies a path through a plurality of devices in the network, the plurality of devices including a server hosting the requested network information, a plurality of access filters, and a user device associated with the user, andencrypts a message containing the requested network information for transmission between the server and a first access filter from the plurality of access filters, wherein a plurality of transmissions of the message between device pairs in the path is encrypted separately.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter use a local copy of an access control database to determine whether an access request made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to of access policies which define access in terms of the user groups and information sets.

163 Citations

15 Claims

1. A method for controlling access to network information, the method comprising:
- storing a local copy of one or more policies in memory, the one or more policies limiting access to the network information, wherein at least one policy of the one or more policies includes at least a predefined temporal condition and a class of service associated with the pre-defined temporal condition, wherein the pre-defined temporal condition defines a time period, and wherein the at least one policy including the pre-defined temporal condition is applicable only during the defined time period;
  
  receiving a request from a user concerning access to information in a network;
  
  executing instructions stored in memory, wherein execution of the instructions by a processor;
  
  determines that the user is authorized to access the requested network information based on at least the local copy of the one or more policies, wherein the predefined temporal condition is satisfied,applies the class of service associated with the pre-defined temporal condition, identifies a path through a plurality of devices in the network, the plurality of devices including a server hosting the requested network information, a plurality of access filters, and a user device associated with the user, andencrypts a message containing the requested network information for transmission between the server and a first access filter from the plurality of access filters, wherein a plurality of transmissions of the message between device pairs in the path is encrypted separately.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising storing in memory information regarding identification and certification for the server, the plurality of access filters, and the user device.
  - 3. The method of claim 1, wherein the encrypted message is decrypted at the first access filter for access checking before transmitting to a second access filter.
  - 4. The method of claim 1, wherein encryption between a device pair forms a tunnel between a device pair, and wherein the tunnel is extended to a next device based on the encryption between the device pair.
  - 5. The method of claim 4, wherein identifying the path is based on current network routing conditions.
  - 6. The method of claim 1, wherein variable levels of encryption are used in the path.
  - 7. The method of claim 6, further comprising selecting a level of encryption based on a trust level between a device pair.

8. An apparatus for controlling access to network information, the apparatus comprising:
- memory for storing a local copy of one or more policies, the one or more policies limiting access to the network information, wherein at least one policy of the one or more policies includes at least a pre-defined temporal condition and a class of service associated with the pre-defined temporal condition, wherein the pre-defined temporal condition defines a time period, and wherein the at least one policy including the pre-defined temporal condition is applicable only during the defined time period;
  
  a network interface for receiving a request from a user concerning access to information in a network;
  
  a processor for executing instructions stored in memory, wherein execution of the instructions by the processor;
  
  determines that the user is authorized to access the requested network information based on at least the local copy of the one or more policies, wherein the predefined temporal condition is satisfied,applies the class of service associated with the pre-defined temporal condition,identifies a path through a plurality of devices in the network, the plurality of devices including a server hosting the requested network information, a plurality of access filters, and a user device associated with the user, andencrypts a message containing the requested network information for transmission between the server and a first access filter from the plurality of access filters, wherein a plurality of transmissions of the message between device pairs in the path is encrypted separately.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, further comprising storing in memory information regarding identification and certification for the server, the plurality of access filters, and the user device.
  - 10. The apparatus of claim 8, wherein the encrypted message is decrypted at the first access filter for access checking before transmitting to a second access filter.
  - 11. The apparatus of claim 8, wherein encryption between a device pair forms a tunnel between a device pair, and wherein the tunnel is extended to a next device based on the encryption between the device pair.
  - 12. The apparatus of claim 8, wherein identifying the path is based on current network routing conditions.
  - 13. The apparatus of claim 8, wherein variable levels of encryption are used in the path.
  - 14. The apparatus of claim 13, further comprising selecting a level of encryption based on a trust level between a device pair.

15. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for controlling access to network information, the method comprising:
- storing a local copy of one or more policies, the one or more policies limiting access to the network information, wherein at least one policy of the one or more policies includes at least a pre-defined temporal condition and a class of service associated with the pre-defined temporal condition, wherein the pre-defined temporal condition defines a time period, and wherein the at least one policy including the pre-defined temporal condition is applicable only during the defined time period;
  
  receiving a request from a user concerning access to information in a network;
  
  determining that the user is authorized to access the requested network information based on at least the local copy of the one or more policies, wherein the pre-defined temporal condition is satisfied;
  
  applying the class of service associated with the pre-defined temporal condition;
  
  identifying a path through a plurality of devices in the network, the plurality of devices including a server hosting the requested network information, a plurality of access filters, and a user device associated with the user; and
  
  encrypting a message containing the requested network information for transmission between the server and a first access filter from the plurality of access filters, wherein a plurality of transmissions of the message between device pairs in the path is encrypted separately.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Hannel, Clifford L., Lipstone, Laurence R., Schneider, David S.
Primary Examiner(s)
NGUYEN, STEVEN H D

Application Number

US13/364,214
Publication Number

US 20120198232A1
Time in Patent Office

1,077 Days
Field of Search

None
US Class Current

709/200
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Generalized policy server

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Generalized policy server

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links