Rule based extensible authentication

US 9,210,177 B1
Filed: 06/30/2011
Issued: 12/08/2015
Est. Priority Date: 07/29/2005
Status: Active Grant

First Claim

Patent Images

1. A network device for managing a communication between a client and a server, comprising:

a transceiver that receives packets from the client; and

a processor programmed to perform actions including;

receiving from the client a request for a resource;

dynamically changing criteria that indicates what credential information is to be extracted from a packet flow using deep packet inspection rules and what credential information is to be evaluated to determine whether the request is authorized;

extracting the credential information based on the dynamically changed criteria from at least one packet in the packet flow associated with the request;

determining that the extracted credential information is insufficient to determine whether the request is authorized and based on the determination, automatically sending a query to the client for additional information to be received in one or more subsequent packets from the client in response to the query;

when the additional information and the extracted credential information are affirmatively authenticated, requesting different credential information based on the dynamically changing criteria; and

selectively allowing access to the requested resource based on authorization of the different credential information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, and method are directed to managing access to a resource using rule-based deep packet extractions of a credential. A network device, such as a traffic management device, is situated between a client device and a server device. When the client device sends a request for a resource, the request is intercepted by the network device. The network device may employ a multi-layer deep packet extraction of the credential from the request. The network device may then use the credential to determine whether the request enabled to access the resource. Based, in part, on a variety of rules, the network device may deny access, enable access, route the request to a different server, or the like. In one embodiment, the network device may receive a rule from another device that directs the network device to request a different credential.

217 Citations

20 Claims

1. A network device for managing a communication between a client and a server, comprising:
- a transceiver that receives packets from the client; and
  
  a processor programmed to perform actions including;
  
  receiving from the client a request for a resource;
  
  dynamically changing criteria that indicates what credential information is to be extracted from a packet flow using deep packet inspection rules and what credential information is to be evaluated to determine whether the request is authorized;
  
  extracting the credential information based on the dynamically changed criteria from at least one packet in the packet flow associated with the request;
  
  determining that the extracted credential information is insufficient to determine whether the request is authorized and based on the determination, automatically sending a query to the client for additional information to be received in one or more subsequent packets from the client in response to the query;
  
  when the additional information and the extracted credential information are affirmatively authenticated, requesting different credential information based on the dynamically changing criteria; and
  
  selectively allowing access to the requested resource based on authorization of the different credential information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network device of claim 1, wherein the processor programmed to perform actions, further including:
    - determining whether the access to the resource is authorized based additionally on at least one of a type of client device associated with the request, a security software on the client device and security parameters set for the software, a time of day of the request, a type of request, or a number of time the requested resource has been accessed within a tune period.
  - 3. The network device of claim 1, wherein selectively allowing access further comprises at least one of flagging the request tor additional processing, performing verbose logging, or performing intrusion detection analysis on the request.
  - 4. The network device of claim 1. wherein dynamically changing criteria indicating what credential information is to be evaluated further comprises receiving at least one conditional command and event control instruction.
  - 5. The network device of claim 1, wherein dynamically changing criteria further comprises dynamically receiving the changed criteria from a controller based on the controller detecting suspicious activity and sending the criteria to vary a level of credential checks to be performed by the network device.
  - 6. The network device of claim 1, wherein dynamically changing criteria further comprises receiving a request from a controller requesting that the credential information be provided to the controller.
  - 7. The network device of claim 1, wherein the processor programmed to perform actions, further including:
    - based on a determination that the request is allowable, selecting at least one server based on a rule associated with the allowed access, and directing the request to the selected server.

8. A system, comprising;
- a memory storage device having stored thereon protected content; and
  
  one or more processors programmed to perform actions, including;
  
  receiving a request from a client for at least some of the protected content;
  
  dynamically changing criteria that indicates what credential information is to be extracted from a packet flow using deep packet inspection rules and what credential information is to be evaluated to determine whether the request is authorized;
  
  extracting the credential information based on the dynamically changed criteria from at least one packet in the packet flow associated with the request;
  
  determining that the extracted credential information is insufficient to determine whether the request is authorized and based on the determination, automatically querying the client for additional information to be sent by the client in one or more subsequent packets in response to the query; and
  
  when the additional information and the extracted credential information are affirmatively authenticated, requesting different credential information based on the dynamically changing criteria; and
  
  selectively allowing access to the requested protected content based on authorization of the different credential information.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the one or more processors is programmed to perform actions further including:
    - determining whether the access to the protected content is authorized based additionally on at least one of a type of client device associated with the request, a security software on the client device and security parameters set for the software, a time of day of the request, a type of request, or a number of time the requested protected content has been accessed within a time period.
  - 10. The system of claim 8, wherein selectively allowing access further comprises at least one of flagging the request tor additional processing, performing verbose logging, or performing intrusion detection analysis on the request.
  - 11. The system of claim 8. wherein dynamically changing criteria indicating what credential information is to be evaluated further comprises receiving at least one conditional command and event control instruction.
  - 12. The system of claim 8. wherein dynamically changing criteria further comprises receiving the criteria from a controller based on the controller detecting suspicious activity and sending the criteria to vary a level of credential checks to be performed by the network device.
  - 13. The system of claim 8, wherein the processor programmed to perform actions including:
    - based on a determination that the request is allowable, selecting at least one server based on a rule associated with the allowed access, and directing the request to the selected server, wherein the protected content is accessed through the selected server.

14. A method, composing:
- employing one or more servers for providing access to content; and
  
  employing one or more processors to perform actions, including;
  
  receiving a request for at least some of the content;
  
  dynamically changing criteria that indicates what credential information is to be extracted from a packet How using deep packet inspection rules and what credential information is to be evaluated to determine whether the request is authorized;
  
  extracting the credential information based on the dynamically changed criteria from at least one packet in the packet flow associated with the request;
  
  determining that the extracted credential information is insufficient to determine whether the request is authorized and based on the determination, automatically sending a query to the client for additional information to be received in one or more subsequent packets from the client in response to the query; and
  
  when the additional information and the extracted credential information are affirmatively authenticated, requesting different credential information based on the dynamically changing criteria; and
  
  selectively allowing access to the requested content based on authorization of the different credential information.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the one or more processors are programmed to perform actions, further including:
    - determining whether the access to the content is authorized based additionally on at least one of a type of client device associated with the request, a security software on the client device and security parameters set for the software, a time of day of the request, a type of request, or a number of time the requested content has been accessed within a time period.
  - 16. The method of claim 14, wherein selectively allowing access further comprises at least one of flagging the request for additional processing, performing verbose logging, or performing intrusion detection analysis on the request.
  - 17. The method of claim 14, wherein dynamically changing criteria indicating what credential information is to be evaluated further comprises receiving at least one conditional command and event control instruction.
  - 18. The method of claim 14, wherein dynamically changing criteria further comprises receiving the criteria from a controller based on the controller detecting suspicious activity and sending the criteria to vary a level of credential checks to be performed by the network device.
  - 19. The method of claim 14, wherein selectively allowing access further comprises causing a communication between a client requesting the content and a server providing the content to he encrypted al a different grade of encryption than currently employed with the client.
  - 20. The method of claim 14, wherein the one or more processors are programmed to perform actions, further including:
    - based on a determination that the request is allowable, selecting at least one server in the one or more servers based on a rule associated with the allowed access, and directing the request to the selected server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Hughes, John R.
Primary Examiner(s)
Cervetti, David Garca

Application Number

US13/174,237
Time in Patent Office

1,622 Days
Field of Search

726/4, 726/5, 726/11, 726/13, 726/6, 726/7, 726/8, 713/154, 713/155, 713/153
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/205   involving negotiation or de...

Rule based extensible authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

217 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Rule based extensible authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others