Real-time automated virtual private network (VPN) access management

US 9,571,352 B2
Filed: 01/21/2014
Issued: 02/14/2017
Est. Priority Date: 03/12/2010
Status: Active Grant

First Claim

Patent Images

1. A method of managing virtual private network (VPN) access to a plurality of subnets containing respective hardware devices, the method comprising the steps of:

receiving, by a processor, registration of a first user as authorized to access a first hardware device, the first hardware device currently residing on a first subnet and not a second subnet, and in response, granting the first user VPN access to the first subnet but not the second subnet;

receiving, by the processor, registration of a second user as authorized to access a second hardware device, the second hardware device currently residing on the second subnet and not the first subnet, and in response, granting the second user VPN access to the second subnet but not the first subnet; and

subsequently,detecting, by the processor, that the first hardware device resides on the second subnet and not the first subnet, and in response, the processor automatically granting the first user VPN access to the second subnet,wherein the first user is registered as authorized to access the first hardware device based on a first IP address or a first host name of the first hardware device, andwherein the second user is registered as authorized to access the second hardware device based on a second IP address or a second host name of the second hardware device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method for managing virtual private network (VPN) access to a network that is partitioned into a plurality of subnetworks (subnets). The method includes providing first information associated with hardware hosted on one or more subnets of the network; providing second information associated with users for VPN access, where the VPN access for each user is determined by a list of hardware each user has permission to access; detecting a hardware triggering event corresponding to a modification of the first information; and responsive to the detection of the hardware triggering event, automatically updating the second information based on the modification of the first information.

Citations

12 Claims

1. A method of managing virtual private network (VPN) access to a plurality of subnets containing respective hardware devices, the method comprising the steps of:
- receiving, by a processor, registration of a first user as authorized to access a first hardware device, the first hardware device currently residing on a first subnet and not a second subnet, and in response, granting the first user VPN access to the first subnet but not the second subnet;
  
  receiving, by the processor, registration of a second user as authorized to access a second hardware device, the second hardware device currently residing on the second subnet and not the first subnet, and in response, granting the second user VPN access to the second subnet but not the first subnet; and
  
  subsequently,detecting, by the processor, that the first hardware device resides on the second subnet and not the first subnet, and in response, the processor automatically granting the first user VPN access to the second subnet,wherein the first user is registered as authorized to access the first hardware device based on a first IP address or a first host name of the first hardware device, andwherein the second user is registered as authorized to access the second hardware device based on a second IP address or a second host name of the second hardware device.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein in response to (a) the processor subsequently detecting that the first hardware device resides on the second subnet and does not reside on the first subnet and (b) the processor determining that the first user is not currently registered to access any hardware devices on the first subnet, the processor automatically revoking VPN access by the user to the first subnet.
  - 3. The method of claim 1 wherein:
    - in response to the receipt of the registration of the first user as authorized to access the first hardware device, the processor automatically determines that the first hardware device currently resides on the first subnet and not the second subnet, and the processor automatically grants the first user VPN access to the first subnet but not the second subnet; and
      
      in response to the receipt of the registration of the second user as authorized to access the second hardware device, the processor automatically determines that the second hardware device currently resides on the second subnet and not the first subnet, and the processor automatically grants the second user VPN access to the second subnet but not the first subnet.
  - 4. The method of claim 1, said method further comprising:
    - partitioning a private network into the plurality of subnets, wherein the plurality of subnets includes the first subnet and the second subnet.

5. A computer program product for managing virtual private network (VPN) access to a plurality of subnets containing respective hardware devices, the computer program product comprising:
- one or more computer-readable storage devices, and program instructions stored on the one or more storage devices, the program instructions comprising;
  
  program instructions to receive registration of a first user as authorized to access a first hardware device, the first hardware device currently residing on a first subnet and not a second subnet, and in response, grant the first user VPN access to the first subnet but not the second subnet;
  
  program instructions to receive registration of a second user as authorized to access a second hardware device, the second hardware device currently residing on the second subnet and not the first subnet, and in response, grant the second user VPN access to the second subnet but not the first subnet; and
  
  program instructions to detect that the first hardware device subsequently resides on the second subnet and not the first subnet, and in response, automatically grant the first user VPN access to the second subnet,wherein the first user is registered as authorized to access the first hardware device based on a first IP address or a first host name of the first hardware device, andwherein the second user is registered as authorized to access the second hardware device based on a second IP address or a second host name of the second hardware device.
- View Dependent Claims (6, 7, 8)
- - 6. The computer program product of claim 5 further comprising:
    - program instructions, stored on the one or more storage devices, responsive to the subsequent detection that the first hardware device resides on the second subnet and does not reside on the first subnet, to determine that the first user is not currently registered to access any hardware devices on the first subnet, and in response, automatically revoke VPN access by the user to the first subnet.
  - 7. The computer program product of claim 5 further comprising:
    - program instructions, stored on the one or more storage devices, responsive to the receipt of the registration of the first user as authorized to access the first hardware device, to automatically determine that the first hardware device currently resides on the first subnet and not the second subnet, and in response, automatically grant the first user VPN access to the first subnet but not the second subnet; and
      
      program instructions, stored on the one or more storage devices, responsive to the receipt of the registration of the second user as authorized to access the second hardware device, to automatically determine that the second hardware device currently resides on the second subnet and not the first subnet, and automatically grant the second user VPN access to the second subnet but not the first subnet.
  - 8. The computer program product of claim 5, further comprising:
    - program instructions, stored on the one or more storage devices, to partition a private network into the plurality of subnets, wherein the plurality of subnets includes the first subnet and the second subnet.

9. A computer system product for managing virtual private network (VPN) access to a plurality of subnets containing respective hardware devices, the computer system comprising:
- one or more processors, one or more computer-readable memories and one or more computer-readable storage devices, and program instructions stored on the one or more storage devices for execution by the one or more processors via the one or more memories, the program instructions comprising;
  
  program instructions to receive registration of a first user as authorized to access a first hardware device, the first hardware device currently residing on a first subnet of a private network and not a second subnet of the private network, and in response, grant the first user VPN access to the first subnet but not the second subnet;
  
  program instructions to receive registration of a second user as authorized to access a second hardware device, the second hardware device currently residing on the second subnet and not the first subnet, and in response, grant the second user VPN access to the second subnet but not the first subnet; and
  
  program instructions to detect that the first hardware device subsequently resides on the second subnet and not the first subnet, and in response, automatically grant the first user VPN access to the second subnet,wherein the first user is registered as authorized to access the first hardware device based on a first IP address or a first host name of the first hardware device, andwherein the second user is registered as authorized to access the second hardware device based on a second IP address or a second host name of the second hardware device.
- View Dependent Claims (10, 11, 12)
- - 10. The computer system of claim 9 further comprising:
    - program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, responsive to the subsequent detection that the first hardware device resides on the second subnet and does not reside on the first subnet, to determine that the first user is not currently registered to access any hardware devices on the first subnet, and in response, automatically revoke VPN access by the user to the first subnet.
  - 11. The computer system of claim 9 further comprising:
    - program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, responsive to the receipt of the registration of the first user as authorized to access the first hardware device, to automatically determine that the first hardware device currently resides on the first subnet and not the second subnet, and in response, automatically grant the first user VPN access to the first subnet but not the second subnet; and
      
      program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, responsive to the receipt of the registration of the second user as authorized to access the second hardware device, to automatically determine that the second hardware device currently resides on the second subnet and not the first subnet, and automatically grant the second user VPN access to the second subnet but not the first subnet.
  - 12. The computer system of claim 9, further comprising:
    - program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to partition a private network into the plurality of subnets, wherein the plurality of subnets includes the first subnet and the second subnet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
Softlayer Technologies Incorporated (International Business Machines Corporation)
Inventors
Francis, William J., McAloon, Daniel
Primary Examiner(s)
Thieu, Benjamin M

Application Number

US14/160,104
Publication Number

US 20140136703A1
Time in Patent Office

1,120 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/50   Network service management,...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

Real-time automated virtual private network (VPN) access management

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time automated virtual private network (VPN) access management

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links