Computer security system

US 9,781,114 B2
Filed: 12/08/2014
Issued: 10/03/2017
Est. Priority Date: 04/25/2002
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a device intermediary to a first network including a client device and a second protected network including a server, the device configured to restrict access to a resource of the server using packet management information included in packets associated with an authenticated user of the client device, the packet management information in each packet including at least an obfuscated client identifier (ID) and a predefined code used to generate the obfuscated client ID from a client ID of the authenticated user;

a storage unit of the device configured to store one or more rules for determining access to the resource using the packet management information identified from a first packet associated with the authenticated user of the client device;

a packet processor of the device configured to determine the client ID using the predefined code and the obfuscated client ID in the packet management information inserted by the client device in the first packet; and

a packet manager of the device configured to control the packet processor to deny the first packet from reaching the server responsive to the one or more rules indicating that access to the resource is restricted based on at least the determined client ID.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.

Citations

20 Claims

1. A system comprising:
- a device intermediary to a first network including a client device and a second protected network including a server, the device configured to restrict access to a resource of the server using packet management information included in packets associated with an authenticated user of the client device, the packet management information in each packet including at least an obfuscated client identifier (ID) and a predefined code used to generate the obfuscated client ID from a client ID of the authenticated user;
  
  a storage unit of the device configured to store one or more rules for determining access to the resource using the packet management information identified from a first packet associated with the authenticated user of the client device;
  
  a packet processor of the device configured to determine the client ID using the predefined code and the obfuscated client ID in the packet management information inserted by the client device in the first packet; and
  
  a packet manager of the device configured to control the packet processor to deny the first packet from reaching the server responsive to the one or more rules indicating that access to the resource is restricted based on at least the determined client ID.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the packet manager is further configured to negotiate a session key between the client device and the server and generate a session ID based on at least the negotiated session key, the device further configured to provide the session ID to the client device for insertion into packets sent from the client device to the server.
  - 3. The system of claim 2, wherein the packet manager is further configured to control the packet processor to deny the first packet from reaching the server responsive to the one or more rules indicating that access to the resource is restricted based on at least the packet management information and the session ID.
  - 4. The system of claim 1, wherein the storage unit comprises a rule library including the one or more rules configured to cause one or more of:
    - (1) the client device to be logged out;
      
      (2) the client device to be logged out and not allowed to be re-authenticated or re-authorized for a pre-determined period; and
      
      (3) the client device to be logged out and not allowed to be one of re-authenticated or re-authorized.
  - 5. The system of claim 1, wherein the device is further configured with a scheduler, the scheduler configured to manage scheduling of network traffic through the device using information in the packet management information and at least one rule.
  - 6. The system of claim 5, wherein the scheduler is further configured to modify priority of packets sent through the device using the packet management information.
  - 7. The system of claim 1, wherein the packet management information includes health state information of the client device and wherein the compliance monitor is further configured to compare a health state indicated in the packet management information with one or more rules to determine whether the client device health is in compliance with the one or more rules.
  - 8. The system of claim 1, further comprising a compliance monitor of the device configured to detect, according to the packet management information and the one or more rules, a security breach at the client device, and to block subsequent packets from the client device at the device responsive to the detection of the security breach.
  - 9. The system of claim 8, wherein the compliance monitor is further configured to determine whether a valid request for the resource is received from an authorized user.
  - 10. The system of claim 1, wherein the device further configured to transmit a list of applications to the client device, the list including an application identifier (ID) for each of the applications, wherein the client device is configured to identify a first application ID associated with the first packet and to include the first application ID in the packet management information inserted in the first packet;
    - andthe packet manager of the device is configured to control the packet processor to deny the first packet from reaching the server according to at least one rule and the first application ID.

11. A method comprising:
- receiving, by a device intermediary to first network including a client device and a second protected network including a server, a first packet from the client device directed to the server, the device configured to restrict access to a resource of the server using packet management information included in packets associated with an authenticated user of the client device, the packet management information in each packet including at least an obfuscated client identifier (ID) and a predefined code used to generate the obfuscated client ID from a client ID of the authenticated user;
  
  identifying, by the device in a storage unit, one or more rules for determining access to the resource using the packet management information identified from the first packet associated with the authenticated user of the client device;
  
  determining, by a packet processor of the device, the client ID using the predefined code and the obfuscated client ID in the packet management information inserted by the client device in the first packet; and
  
  controlling, by a packet manager of the device, the packet processor to deny the first packet from reaching the server responsive to the one or more rules indicating that access to the resource is restricted based on at least the determined client ID.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, further comprising negotiating, by the device, a session key between the client device and the server and generating a session ID based on at least the negotiated session key, the device configured to provide the session ID to the client device for insertion into packets sent from the client device to the server.
  - 13. The method of claim 12, further comprising controlling, by the packet manager, the packet processor to deny the first packet from reaching the server responsive to the one or more rules indicating that access to the resource is restricted based on at least the packet management information and the session ID.
  - 14. The method of claim 11, wherein the device is configured with a rule library including the one or more rules configured to cause one or more of:
    - (1) the client device to be logged out;
      
      (2) the client device to be logged out and not allowed to be re-authenticated or re-authorized for a pre-determined period; and
      
      (3) the client device to be logged out and not allowed to be one of re-authenticated or re-authorized.
  - 15. The method of claim 11, further comprising scheduling, by a scheduler configured on the device, network traffic through the device using information in the packet management information and at least one rule.
  - 16. The method of claim 15, further comprising modifying, by the scheduler, priority of packets sent through the device using the packet management information.
  - 17. The method of claim 11, further comprising determining, by the compliance monitor, that a health of the client device is not in compliance with one or more rules, by comparing a health state indicated in the packet management information with the one or more rules.
  - 18. The method of claim 11 further comprising:
    - detecting, by a compliance monitor of the device, according to the packet management information and the one or more rules, a security breach at the client device; and
      
      blocking, by the compliance monitor, subsequent packets from the client device at the device responsive to the detection of the security breach.
  - 19. The method of claim 18, further comprising determining, by the compliance monitor of the device, whether a valid request for the resource is received from an authorized user.
  - 20. The method of claim 11 further comprising:
    - transmitting, by the device to the client, a list of applications including an application identifier (ID) for each of the applications, wherein the client device identifies a first application ID associated with the first packet and includes the first application ID in the packet management information inserted in the first packet; and
      
      controlling, by the packet manager of the device, the packet processor to deny the first packet from reaching the server according to at least one rule and the first application ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Pollutro, Dennis Vance, Tran, Kiet Tuan, Kumar, Srinivas
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/563,904
Publication Number

US 20150096010A1
Time in Patent Office

1,030 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2117   User registration

G06F 2221/2119   Authenticating web pages, e...

H04L 63/0227   Filtering policies mail mes...

H04L 63/067   using one-time keys cryptog...

H04L 63/0838   using one-time-passwords

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/164   at the network layer

Computer security system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer security system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links