Computer security system
Abstract
A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.
20 Claims
1. A system comprising:
- a device intermediary to a first network including a client device and a second protected network including a server, the device configured to restrict access to a resource of the server using packet management information included in packets associated with an authenticated user of the client device, the packet management information in each packet including at least an obfuscated client identifier (ID) and a predefined code used to generate the obfuscated client ID from a client ID of the authenticated user;
- a storage unit of the device configured to store one or more rules for determining access to the resource using the packet management information identified from a first packet associated with the authenticated user of the client device;
- a packet processor of the device configured to determine the client ID using the predefined code and the obfuscated client ID in the packet management information inserted by the client device in the first packet; and
- a packet manager of the device configured to control the packet processor to deny the first packet from reaching the server responsive to the one or more rules indicating that access to the resource is restricted based on at least the determined client ID.
(Dependent claims 2 to 10 depend from claim 1.)
11. A method comprising:
- receiving, by a device intermediary to a first network including a client device and a second protected network including a server, a first packet from the client device directed to the server, the device configured to restrict access to a resource of the server using packet management information included in packets associated with an authenticated user of the client device, the packet management information in each packet including at least an obfuscated client identifier (ID) and a predefined code used to generate the obfuscated client ID from a client ID of the authenticated user;
- identifying, by the device in a storage unit, one or more rules for determining access to the resource using the packet management information identified from the first packet associated with the authenticated user of the client device;
- determining, by a packet processor of the device, the client ID using the predefined code and the obfuscated client ID in the packet management information inserted by the client device in the first packet; and
- controlling, by a packet manager of the device, the packet processor to deny the first packet from reaching the server responsive to the one or more rules indicating that access to the resource is restricted based on at least the determined client ID.
(Dependent claims 12 to 20 depend from claim 11.)
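The following is an added illustration of the intermediary device described in the abstract and in claims 1 and 11; it is not code from the patent. The patent does not fix an obfuscation function, a session ID construction or a packet format, so the XOR obfuscation, the HMAC-based session ID, the `mgmt` dictionary layout and the deny-rule table are all assumptions made here.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Assumed obfuscation: XOR the client ID with a repeating predefined code.
def obfuscate(client_id: bytes, code: bytes) -> bytes:
    return bytes(b ^ code[i % len(code)] for i, b in enumerate(client_id))

deobfuscate = obfuscate  # XOR is its own inverse

# Assumed session ID: HMAC of the client ID under the negotiated session key.
def session_id(session_key: bytes, client_id: bytes) -> str:
    return hmac.new(session_key, client_id, hashlib.sha256).hexdigest()[:16]

@dataclass
class Packet:
    resource: str
    mgmt: dict = field(default_factory=dict)  # packet management information
    payload: bytes = b""

def build_packet(client_id: bytes, code: bytes, key: bytes, resource: str) -> Packet:
    """Client side: insert the packet management information and session ID."""
    return Packet(resource, {
        "obf_client_id": obfuscate(client_id, code).hex(),
        "code": code.hex(),
        "session_id": session_id(key, client_id),
    })

class IntermediaryDevice:
    """Sits between the client network and the protected server network."""
    def __init__(self, rules: dict, session_keys: dict):
        self.rules = rules                # resource -> set of client IDs denied access
        self.session_keys = session_keys  # client ID -> negotiated session key

    def decide(self, pkt: Packet) -> str:
        # Packet processor: recover the client ID from the obfuscated ID and code.
        try:
            code = bytes.fromhex(pkt.mgmt["code"])
            client_id = deobfuscate(bytes.fromhex(pkt.mgmt["obf_client_id"]), code)
        except (KeyError, ValueError):
            return "deny"  # fail closed when the management information is unusable
        # Session ID must match the key negotiated for this client.
        key = self.session_keys.get(client_id)
        expected = session_id(key, client_id) if key else ""
        if not key or not hmac.compare_digest(expected, pkt.mgmt.get("session_id", "")):
            return "deny"
        # Packet manager: apply the stored rules to the determined client ID.
        if client_id in self.rules.get(pkt.resource, set()):
            return "deny"
        return "forward"
```

Because the predefined code travels inside the packet, the obfuscation only hides the client ID from casual inspection; the session ID check is what ties each packet to the negotiated key.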