Generalized policy server

US 20080028436A1
Filed: 08/31/2007
Published: 01/31/2008
Est. Priority Date: 03/10/1997
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to network information comprising:

receiving a request from a user concerning access to information in a network;

consulting a local copy of one or more policies, the one or more policies limiting access to the network information; and

determining whether the user is authorized to access the information based on at least the local copy of the one or more policies.

View all claims

28 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter use a local copy of an access control database to determine whether an access request made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to of access policies which define access in terms of the user groups and information sets. The rights of administrators are similarly determined by administrative policies. Access is further permitted only if the trust levels of a mode of identification of the user and of the path in the network by which the access is made are sufficient for the sensitivity level of the information resource. If necessary, the access filter automatically encrypts the request with an encryption method whose trust level is sufficient. The first access filter in the path performs the access check and encrypts and authenticates the request; the other access filters in the path do not repeat the access check. A policy server component of the access filter has been separated from the access filter and the policies have been generalized to permit administrators of the policy server to define new types of actions and new types of entities for which policies can be made. Policies may now further have specifications for time intervals during which the policies are in force and the entities may be associated with attributes that specify how the entity is to be used when the policy applies.

218 Citations

28 Claims

1. A method for controlling access to network information comprising:
- receiving a request from a user concerning access to information in a network;
  
  consulting a local copy of one or more policies, the one or more policies limiting access to the network information; and
  
  determining whether the user is authorized to access the information based on at least the local copy of the one or more policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the one or more policies comprise information concerning a user group.
  - 3. The method of claim 2, wherein the one or more policies further comprise an information set associated with the user group.
  - 4. The method of claim 1, wherein the one or more policies comprises information concerning a trust level.
  - 5. The method of claim 3, wherein the one or more policies further comprise a sensitivity level associated with the trust level.
  - 6. The method of claim 1, wherein the one or more policies comprise information concerning identity certificates.
  - 7. The method of claim 1, wherein the one or more policies comprise information concerning Internet Protocol (IP) addresses.
  - 8. The method of claim 1, further comprising authenticating the user.
  - 9. The method of claim 8, wherein authenticating the user comprises determining whether the user belongs to one or more user groups.
  - 10. The method of claim 8, wherein authenticating the user comprises determining a trust level of the user access request.
  - 11. The method of claim 8, wherein authenticating the user comprises evaluating an identity certificate associated with the user.
  - 12. The method of claim 8, wherein authenticating the user comprises determining an Internet Protocol (IP) address of the user.
  - 13. The method of claim 1, further comprising receiving an update concerning the one or more policies.
  - 14. The method of claim 13, further comprising transmitting the update to one or more other local copies in the network.
  - 15. The method of claim 13, wherein receiving the update comprises determining that the update is from a network administrator.
  - 16. The method of claim 15, wherein receiving the update further comprises determining update privileges of the network administrator based on at least administrative policies

17. A system for controlling access to network information comprising:
- a policy database configured to store one or more policies limiting access to network information;
  
  a local server configured to provide network information to authorized users; and
  
  an access filter associated with the one or more policies and configured to determine whether a user is authorized to receive access to information from the local server based on at least the one or more policies.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The system of claim 17, wherein the policy database is further configured to store information concerning the authorized users.
  - 19. The system of claim 17, wherein the policy database is further configured to store information concerning members of one or more user groups.
  - 20. The system of claim 17, wherein the policy database is further configured to store information concerning one or more information sets.
  - 21. The system of claim 17, wherein the policy database is further configured to store information concerning associations between a user group and an information set.
  - 22. The system of claim 17, wherein the policy database is further configured to store information concerning associations between a trust level and a sensitivity level.
  - 23. The system of claim 17, wherein the policy database is further configured to store one or more policies limiting who submit updates concerning policies.
  - 24. The system of claim 17, wherein the policy database is further configured to store information concerning identity certificates.
  - 25. The system of claim 17, wherein the policy database is further configured to store information concerning Internet Protocol (IP) addresses.

26. A computer-readable storage medium having stored thereupon a program, the program being executable by a processor to perform a method for controlling access to network information, the method comprising:
- receiving a request from a user concerning access to information in a network;
  
  consulting a local copy of one or more policies, the one or more policies limiting access to the network information; and
  
  determining whether the user is authorized to access the information based on at least the local copy of the one or more policies.
- View Dependent Claims (27, 28)
- - 27. The computer-readable storage medium of claim 26, further comprising computing instructions for updating the local copy of the one or more policies.
  - 28. The computer-readable storage medium of claim 27, further comprising computing instructions for transmitting updates to one or more local copies in the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Hannel, Clifford, Schneider, David, Lipstone, Laurence

Granted Patent

US 7,821,926 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Generalized policy server

First Claim

28 Assignments

0 Petitions

Accused Products

Abstract

218 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Generalized policy server

First Claim

28 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

218 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others