Secure server architecture for Web based data management

US 6,606,708 B1
Filed: 09/24/1998
Issued: 08/12/2003
Est. Priority Date: 09/26/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A system for securing an enterprise communications network, said system having client access through the public Internet, said system comprising:

(a) a first Internet firewall for accepting service requests from an enterprise client and routing said requests to one or more preselected addresses behind said firewall, said firewall permitting access in compliance with a first set of filtering rules;

(b) at least one secure web server for receiving said service requests and managing a secure client session over the public Internet, said secure server providing session management for said service request, said session management including client identification, validation and a session identifier to link said session with said client, wherein said session identifier is a web cookie generated by a separate server during an entitlements communications, after identification and validation of the client;

(c) a second Internet/Internet firewall for accepting service requests from a secure web server and routing said requests to one or more preselected addresses behind said firewall corresponding to dispatcher servers, said firewall permitting access in compliance with a second set of filtering rules;

(d) at least one dispatcher server for communicating with said secure web server through a second firewall, said second firewall accepting services requests from said secure web server and routing said requests to said dispatcher server in compliance with a second set of filtering rules, said dispatcher server providing system access to said enterprise communications network after client entitlements have been verified; and

(e) a plurality of proxy services linking said dispatcher server to a plurality of system resources over said communications network, said plurality of system resources providing communications network management capabilities for said enterprise client, said system resources responsive to service requests from said enterprise client to generate client data or instructions relating to said communications network.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A double firewalled system is disclosed for protecting remote enterprise servers that provide communication services to telecommunication network customers from unauthorized third parties. A first router directs all connection requests to one or more secure web servers, which may utilize a load balancer to efficiently distribute the session connection load among a high number of authorized client users. On the network side of the web servers, a second router directs all connection requests to a dispatcher server, which routes application server calls to a proxy server for the application requested. A plurality of data security protocols are also employed. The protocols provide for an identification of the user, and an authentication of the user to ensure the user is who he/she claims to be and a determination of entitlements that the user may avail themselves of within the enterprise system. Session security is described, particularly as to the differences between a remote user'"'"'s copper wire connection to a legacy system and a user'"'"'s remote connection to the enterprise system over a “stateless”public Internet, where each session is a single transmission, rather than an interval of time between logon and logoff, as is customary in legacy systems.

649 Citations

26 Claims

1. A system for securing an enterprise communications network, said system having client access through the public Internet, said system comprising:
- (a) a first Internet firewall for accepting service requests from an enterprise client and routing said requests to one or more preselected addresses behind said firewall, said firewall permitting access in compliance with a first set of filtering rules;
  
  (b) at least one secure web server for receiving said service requests and managing a secure client session over the public Internet, said secure server providing session management for said service request, said session management including client identification, validation and a session identifier to link said session with said client, wherein said session identifier is a web cookie generated by a separate server during an entitlements communications, after identification and validation of the client;
  
  (c) a second Internet/Internet firewall for accepting service requests from a secure web server and routing said requests to one or more preselected addresses behind said firewall corresponding to dispatcher servers, said firewall permitting access in compliance with a second set of filtering rules;
  
  (d) at least one dispatcher server for communicating with said secure web server through a second firewall, said second firewall accepting services requests from said secure web server and routing said requests to said dispatcher server in compliance with a second set of filtering rules, said dispatcher server providing system access to said enterprise communications network after client entitlements have been verified; and
  
  (e) a plurality of proxy services linking said dispatcher server to a plurality of system resources over said communications network, said plurality of system resources providing communications network management capabilities for said enterprise client, said system resources responsive to service requests from said enterprise client to generate client data or instructions relating to said communications network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system for securing an enterprise communications network as claimed in claim 1 wherein said secure web server communicates with said dispatcher server over an encrypted socket connection.
  - 3. The system for securing an enterprise communications network as claimed in claim 2 wherein said system includes encryption between said secure web server and said dispatcher server.
  - 4. The system for securing an enterprise communications network as claimed in claim 3 wherein said system includes a first encryption algorithm for transmission of all customer data between said secure web server and said dispatcher server, and a second encryption algorithm for transmission of all data between said secure web server and said enterprise client.
  - 5. The system for securing an enterprise communications network as claimed in claim 1, wherein said system further comprises a plurality of secure web servers and a load balancing device for managing and distributing a plurality of client sessions across said plurality of secure web servers.
  - 6. The system for securing an enterprise communications network as claimed in claim 1 wherein said web cookie is wrapped and unwrapped by said secure web server at each service request to link a session with said client through a plurality of discrete client service requests in said session to verify said client to said dispatcher server at each transmission of a service request in said session.
  - 7. The system for securing an enterprise communications network as claimed in claim 6 which further includes a web browser for said client which provides secure socket layer encryption of client identification, authentication and said web cookie at each service request.
  - 8. The system for securing an enterprise communications network as claimed in claim 7 wherein said web cookies provide simultaneous session management for a plurality of system resources.

9. A system for securing an enterprise communications network, said system having client access through the public Internet, said system comprising:
- (a) a first Internet firewall for accepting service requests from an enterprise client and routing said requests to one or more preselected addresses behind said firewall, said firewall permitting access in compliance with a first set of filtering rules;
  
  (b) a plurality of web servers having said preselected addresses for receiving said service requests and managing a plurality of client sessions over the public Internet, a load of said client sessions per each of said web servers is balanced by web balancers, each of said web servers providing session management for said service request, said session management including client identification, validation and a session identifier to link a session with a client, wherein said session identifier is a web cookie generated by a separate server during an entitlements communications, after identification and validation of the client;
  
  (c) at least one dispatcher server for communicating with said web servers through a second firewall, said second firewall accepting services requests from said web servers and routing said requests to said dispatcher server in compliance with a second set of filtering rules, said dispatcher server providing system access to said enterprise communications network after client entitlements have been verified; and
  
  (d) a plurality of proxy servers linking said dispatcher server to a plurality of application servers within said communications network, said application servers communicating with a plurality of system resources to provide communications network management capabilities for said enterprise clients.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system for securing an enterprise communications network as claimed in claim 9 wherein said web servers are secure servers which encrypt each of said service requests with a first algorithm before transmission to said dispatcher server and a selected one of said proxy and said application servers.
  - 11. The system for securing an enterprise communications network as claimed in claim 9, said communications network further including an authentication server which determines application server entitlements for said client following authentication.
  - 12. The system for securing an enterprise communications network as claimed in claim 9, wherein said system further comprises a load balancing device for managing and distributing a plurality of client sessions across said plurality of web servers.
  - 13. The system for securing an enterprise communications network as claimed in claim 9 wherein said unique web cookie is wrapped and unwrapped by said secure web server at each service request to link a session with said client through a plurality of discrete client service requests in said session to verify said client to said dispatcher server at each transmission of a service request in said session.
  - 14. The system for securing an enterprise communications network as claimed in claim 10 which further includes a web browser for said client which provides secure socket layer (SSL) encryption of client identification, authentication and said web cookie at each service request.
  - 15. The system for securing an enterprise communications network as claimed in claim 14 wherein said system includes RSA encryption for transmission of all customer data between said plurality of secure web servers and said dispatcher server, and SSL encryption for transmission of all data between said secure web servers and said plurality of enterprise clients.

16. A method of securing an enterprise communications network having public access via the public Internet, said method enabling access by a plurality of enterprise clients, said method comprising:
- (a) routing all public access requests to one or more first preselected addresses for response via a first set of routing rules;
  
  (b) authenticating a secure web server in response to said request for access and initiating a secure session with a client browser over the Internet;
  
  (c) encrypting communications between said client browser and said secure server with a first security protocol;
  
  (d) routing a request for client authentication and a set of client entitlements from said secure server to a second preselected address at log-on via a second set of routing rules, wherein said client authentication and client and entitlements are provided by an authentication server;
  
  (e) encrypting communications within said network with a second security protocol; and
  
  (f) creating a session management object at each log-on to authenticate the client'"'"'s browser to the enterprise network at each communication from the browser during the communications session, said session management object including client identification, validation and a session identifier to link a session with a client, wherein said session identifier is a unique web cookie generated by a separate server during an entitlements communications, after identification and validation of the client.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The method of securing an enterprise communications network as claimed in claim 16, said method further comprising the step of providing a plurality of application resources to one of said plurality of enterprise clients within said network in accordance with entitlements determined for said one of said plurality of clients at authentication.
  - 18. The method of securing an enterprise communications network as claimed in claim 16 which further includes the step of balancing a plurality of client requests across a plurality of secure web servers to improve response time for each client session.
  - 19. The method of securing an enterprise communications network as claimed in claim, 17, said method further comprising the steps of packet filtering communications between said client browser and said secure web server.
  - 20. The method of securing an enterprise communications network as claimed in claim 19, said method further comprising the step of creating a proxy to filter communications between said secure web server and an application resource within said network.
  - 21. The method of securing an enterprise communications network as claimed in claim 18, wherein said method further includes public key encryption for encrypting communications between the client browser and the network.
  - 22. The method of securing an enterprise communications network as claimed in claim 18 which uses a negotiated SSL protocol to authenticate the secure web server and encrypt communications between the client browser and the secure web server.
  - 23. The method of securing an enterprise communications network as claimed in claim 18, wherein public key encryption is used for said second security protocol within said network.
  - 24. The method of securing an enterprise communications network as claimed in claim 16, wherein said method further includes the step of embedding calls to Java applets in a logon page presented to a one of said plurality of clients at log on, one of said applets creating said session management object in said one client browser.
  - 25. The method of securing an enterprise communications network as claimed in claim 17, wherein said method further includes the step of downloading a collection of Java objects to said client browser for session management following a successful log on, said collection of objects enabling communications with said application resources during said session.
  - 26. The method of securing an enterprise communications network as claimed in claim 24, further comprising the step of examining said unique cookie at each session transmission to maintain session security.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
WorldCom, Inc. (Verizon Communications Inc.)
Inventors
Shoulberg, Richard W., Shifrin, Gerald A., Devine, Carol Y.
Primary Examiner(s)
Hayes, Gail
Assistant Examiner(s)
Arani, Taghi T.

Application Number

US09/159,406
Time in Patent Office

1,783 Days
Field of Search

709/200-203, 709/217-219, 709/227, 705/26, 705/27, 707/1-10, 707/103, 707/517, 707/522, 707/523, 713/201
US Class Current

726/8
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0757   by exceeding a time limit, ...

G06F 11/0769   Readable error formats, e.g...

G06F 11/0775   Content or structure detail...

G06F 11/0781   Error filtering or prioriti...

G06F 11/0784   Routing of error reports, e...

G06F 11/202   where processing functional...

G06F 11/32   with visual or acoustical i...

G06F 11/324   Display of status information

G06F 11/327   Alarm or error message display

G06F 11/328   Computer systems status dis...

G06F 11/3495   for systems

G06F 16/972   Access to data in other rep...

G06F 21/00   Security arrangements for p...

G06F 21/41   where a single sign-on prov...

G06F 21/552   involving long-term monitor...

G06F 2201/81   Threshold

G06F 2201/86   Event-based monitoring

G06F 2201/875   Monitoring of systems inclu...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2149 : Restricted operating enviro...

G06Q 10/10 : Office automation; Time man...

G06Q 10/107 : Computer-aided management o...

G06Q 20/102 : Bill distribution or payments

G06Q 20/382 : insuring higher security of...

G06Q 30/02 : Marketing; Price estimation...

G06Q 30/06 : Buying, selling or leasing ...

G06Q 30/0601 : Electronic shopping [e-shop...

G06Q 30/0609 : Buyer or seller confidence ...

G06Q 30/0635 : Processing of requisition o...

G06Q 99/00 : Subject matter not provided...

H04L 12/14 : Charging , metering or bill...

H04L 12/1428 : Invoice generation, e.g. cu...

H04L 41/0213 : Standardised network manage...

H04L 41/0233 : Object-oriented techniques,...

H04L 41/024 : using relational databases ...

H04L 41/0253 : using browsers or web-pages...

H04L 41/06 : Management of faults, event...

H04L 41/0681 : Configuration of triggering...

H04L 41/08 : Configuration management of...

H04L 41/0803 : Configuration setting

H04L 41/0879 : Manual configuration throug...

H04L 41/0895 : Configuration of virtualise...

H04L 41/122 : of virtualised topologies, ...

H04L 41/142 : using statistical or mathem...

H04L 41/18 : Delegation of network manag...

H04L 41/22 : comprising specially adapte...

H04L 41/28 : Restricting access to netwo...

H04L 41/5009 : Determining service level p...

H04L 41/5022 : by giving priorities, e.g. ...

H04L 41/5029 : Service quality level-based...

H04L 41/5032 : Generating service level re...

H04L 41/5061 : characterised by the intera...

H04L 41/5064 : Customer relationship manag...

H04L 41/5067 : Customer-centric QoS measur...

H04L 41/5074 : Handling of user complaints...

H04L 41/5083 : wherein the managed service...

H04L 41/5096 : wherein the managed service...

H04L 43/00 : Arrangements for monitoring...

H04L 43/024 : by adaptive sampling

H04L 43/045 : for graphical visualisation...

H04L 43/06 : Generation of reports

H04L 43/062 : related to network traffic

H04L 43/065 : related to network devices

H04L 43/067 : using time frame reporting

H04L 43/0805 : by checking availability

H04L 43/0811 : by checking connectivity

H04L 43/0817 : by checking functioning

H04L 43/0829 : Packet loss

H04L 43/0847 : Transmission error

H04L 43/0852 : Delays

H04L 43/0876 : Network utilisation, e.g. v...

H04L 43/0888 : Throughput

H04L 43/0894 : Packet rate

H04L 43/091 : Measuring contribution of i...

H04L 43/10 : Active monitoring, e.g. hea...

H04L 43/106 : using time related informat...

H04L 43/16 : Threshold monitoring

H04L 51/00 : User-to-user messaging in p...

H04L 51/04 : Real-time or near real-time...

H04L 51/222 : using geographical location...

H04L 63/02 : for separating internal fro...

H04L 63/0209 : Architectural arrangements,...

H04L 63/0218 : Distributed architectures, ...

H04L 63/0236 : Filtering by address, proto...

H04L 63/0272 : Virtual private networks

H04L 63/0281 : Proxies

H04L 63/0428 : wherein the data content is...

H04L 63/0442 : wherein the sending and rec...

H04L 63/0464 : using hop-by-hop encryption...

H04L 63/08 : for authentication of entit...

H04L 63/0807 : using tickets, e.g. Kerbero...

H04L 63/0815 : providing single-sign-on or...

H04L 63/0823 : using certificates cryptogr...

H04L 63/083 : using passwords cryptograph...

H04L 63/162 : at the data link layer

H04L 63/166 : at the transport layer

H04L 63/168 : above the transport layer

H04L 63/18 : using different networks or...

H04L 65/1101 : Session protocols

H04L 65/401 : wherein the services involv...

H04L 65/80 : Responding to QoS

H04M 15/00 : Arrangements for metering, ...

H04M 15/41 : Billing record details, i.e...

H04M 15/43 : Billing software details

H04M 15/44 : Augmented, consolidated or ...

H04M 15/49 : Connection to several servi...

H04M 15/51 : for resellers, retailers or...

H04M 15/58 : based on statistics of usag...

H04M 15/705 : Account settings, e.g. limi...

H04M 15/721 : using the Internet

H04M 15/745 : Customizing according to wi...

H04M 15/80 : Rating or billing plans; Ta...

H04M 15/8044 : Least cost routing

H04M 15/83 : Notification aspects

H04M 15/8351 : before establishing a commu...

H04M 15/84 : Types of notifications

H04M 2215/0104 : Augmented, consolidated or ...

H04M 2215/0108 : Customization according to ...

H04M 2215/0152 : General billing plans, rate...

H04M 2215/0164 : Billing record, e.g. Call D...

H04M 2215/0168 : On line or real-time flexib...

H04M 2215/0176 : Billing arrangements using ...

H04M 2215/018 : On-line real-time billing, ...

H04M 2215/0188 : Network monitoring; statist...

H04M 2215/42 : Least cost routing, i.e. pr...

H04M 2215/46 : Connection to several servi...

H04M 2215/54 : Resellers-retail or service...

H04M 2215/7009 : Account settings, e.g. user...

H04M 2215/7045 : Using Internet or WAP

H04M 2215/745 : Least cost routing, e.g. Au...

H04M 2215/81 : Notifying aspects, e.g. not...

H04M 2215/8108 : before establishing a commu...

H04M 2215/8129 : Type of notification

H04M 2215/82 : Advice-of-Charge [AOC], i.e...

H04M 3/5175 : Call or contact centers sup...

H04M 3/5191 : interacting with the Internet

Y10S 379/90 : Internet, e.g. Internet pho...

Y10S 707/99931 : Database or file accessing

Y10S 707/99937 : Sorting

Y10S 707/99938 : Concurrency, e.g. lock mana...

Y10S 707/99939 : Privileged access

Y10S 707/99944 : Object-oriented database st...

Y10S 715/969 : Network layout and operatio...

View All

Secure server architecture for Web based data management

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

649 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Secure server architecture for Web based data management

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

649 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links