Secure server architecture for Web based data management
Abstract
A double firewalled system is disclosed for protecting remote enterprise servers that provide communication services to telecommunication network customers from unauthorized third parties. A first router directs all connection requests to one or more secure web servers, which may utilize a load balancer to efficiently distribute the session connection load among a high number of authorized client users. On the network side of the web servers, a second router directs all connection requests to a dispatcher server, which routes application server calls to a proxy server for the application requested. A plurality of data security protocols are also employed. The protocols provide for an identification of the user, and an authentication of the user to ensure the user is who he/she claims to be and a determination of entitlements that the user may avail themselves of within the enterprise system. Session security is described, particularly as to the differences between a remote user's copper wire connection to a legacy system and a user's remote connection to the enterprise system over a “stateless” public Internet, where each session is a single transmission, rather than an interval of time between logon and logoff, as is customary in legacy systems.
649 Citations
26 Claims
1. A system for securing an enterprise communications network, said system having client access through the public Internet, said system comprising:
(a) a first Internet firewall for accepting service requests from an enterprise client and routing said requests to one or more preselected addresses behind said firewall, said firewall permitting access in compliance with a first set of filtering rules;
(b) at least one secure web server for receiving said service requests and managing a secure client session over the public Internet, said secure server providing session management for said service request, said session management including client identification, validation and a session identifier to link said session with said client, wherein said session identifier is a web cookie generated by a separate server during an entitlements communications, after identification and validation of the client;
(c) a second Internet/Internet firewall for accepting service requests from a secure web server and routing said requests to one or more preselected addresses behind said firewall corresponding to dispatcher servers, said firewall permitting access in compliance with a second set of filtering rules;
(d) at least one dispatcher server for communicating with said secure web server through a second firewall, said second firewall accepting service requests from said secure web server and routing said requests to said dispatcher server in compliance with a second set of filtering rules, said dispatcher server providing system access to said enterprise communications network after client entitlements have been verified; and
(e) a plurality of proxy services linking said dispatcher server to a plurality of system resources over said communications network, said plurality of system resources providing communications network management capabilities for said enterprise client, said system resources responsive to service requests from said enterprise client to generate client data or instructions relating to said communications network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A system for securing an enterprise communications network, said system having client access through the public Internet, said system comprising:
(a) a first Internet firewall for accepting service requests from an enterprise client and routing said requests to one or more preselected addresses behind said firewall, said firewall permitting access in compliance with a first set of filtering rules;
(b) a plurality of web servers having said preselected addresses for receiving said service requests and managing a plurality of client sessions over the public Internet, a load of said client sessions per each of said web servers is balanced by web balancers, each of said web servers providing session management for said service request, said session management including client identification, validation and a session identifier to link a session with a client, wherein said session identifier is a web cookie generated by a separate server during an entitlements communications, after identification and validation of the client;
(c) at least one dispatcher server for communicating with said web servers through a second firewall, said second firewall accepting service requests from said web servers and routing said requests to said dispatcher server in compliance with a second set of filtering rules, said dispatcher server providing system access to said enterprise communications network after client entitlements have been verified; and
(d) a plurality of proxy servers linking said dispatcher server to a plurality of application servers within said communications network, said application servers communicating with a plurality of system resources to provide communications network management capabilities for said enterprise clients.
Dependent claims: 10, 11, 12, 13, 14, 15
16. A method of securing an enterprise communications network having public access via the public Internet, said method enabling access by a plurality of enterprise clients, said method comprising:
(a) routing all public access requests to one or more first preselected addresses for response via a first set of routing rules;
(b) authenticating a secure web server in response to said request for access and initiating a secure session with a client browser over the Internet;
(c) encrypting communications between said client browser and said secure server with a first security protocol;
(d) routing a request for client authentication and a set of client entitlements from said secure server to a second preselected address at log-on via a second set of routing rules, wherein said client authentication and client and entitlements are provided by an authentication server;
(e) encrypting communications within said network with a second security protocol; and
(f) creating a session management object at each log-on to authenticate the client's browser to the enterprise network at each communication from the browser during the communications session, said session management object including client identification, validation and a session identifier to link a session with a client, wherein said session identifier is a unique web cookie generated by a separate server during an entitlements communications, after identification and validation of the client.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26
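The session model in claim 16 (steps (d) through (f)) and in element (b) of claims 1 and 9 is what makes the "stateless" Internet session workable: a separate entitlements server identifies and validates the client once, mints a session cookie, and every later request must carry that cookie so the web server can re-authenticate the browser before the dispatcher grants access to a proxied resource. The following is an added illustration, not code from the patent or its assignee: it models the entitlements server, the secure web server's per-request check, and the dispatcher's entitlement gate with an HMAC-signed cookie. The key, user records, service names and entitlement names are all constructed for the demo; the patent does not specify how the cookie is formed or protected, so the signed-and-expiring layout here is one defensible choice, not the claimed one.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values. In the claimed architecture the key would be shared
# only between the entitlements server that mints cookies and the web servers
# that check them; nothing on the public side of the first firewall holds it.
SHARED_KEY = b"constructed-demo-key-replace-in-deployment"
_SALT = b"constructed-salt"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed client records: credential plus the entitlements granted to each.
USERS = {
    "alice": {"pw": _pw_hash("correct horse", _SALT), "entitlements": {"view_usage"}},
    "bob": {"pw": _pw_hash("battery staple", _SALT),
            "entitlements": {"view_usage", "change_routing"}},
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class EntitlementsServer:
    """The 'separate server' of step (f): validates the client, then issues the cookie."""

    def __init__(self, key: bytes, users: dict):
        self.key, self.users = key, users

    def authenticate(self, username: str, password: str, now=None, ttl: int = 900):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password, _SALT)):
            return None  # identification or validation failed: no cookie is minted
        now = time.time() if now is None else now
        payload = {"sub": username, "ent": sorted(rec["entitlements"]),
                   "sid": secrets.token_hex(16), "exp": int(now) + ttl}
        body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        tag = _b64e(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{tag}"


class SecureWebServer:
    """Re-authenticates the browser on every transmission by checking the cookie."""

    def __init__(self, key: bytes):
        self.key = key

    def validate(self, cookie, now=None):
        try:
            body, tag = cookie.split(".", 1)
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(tag)):
                return None  # forged or altered cookie
            payload = json.loads(_b64d(body))
        except (AttributeError, ValueError):
            return None  # malformed cookie
        now = time.time() if now is None else now
        if payload["exp"] <= now:
            return None  # stale session: client must log on again
        return payload


class DispatcherServer:
    """Behind the second firewall: grants proxy access only for held entitlements."""

    # Constructed mapping from requested service to the entitlement it needs.
    SERVICE_ENTITLEMENT = {"usage_report": "view_usage", "reroute_trunk": "change_routing"}

    def dispatch(self, session: dict, service: str):
        needed = self.SERVICE_ENTITLEMENT.get(service)
        if needed is None:
            return ("deny", "unknown service")
        if needed not in session["ent"]:
            return ("deny", f"{session['sub']} lacks {needed}")
        return ("allow", f"proxy:{service}")


def handle_request(web: SecureWebServer, dispatcher: DispatcherServer,
                   cookie, service: str, now=None):
    """One stateless transmission: cookie check first, entitlement check second."""
    session = web.validate(cookie, now)
    if session is None:
        return ("deny", "no valid session")
    return dispatcher.dispatch(session, service)
```

Two properties matter for the defender: the dispatcher never sees a request that did not pass the cookie check, so an expired or tampered cookie is rejected before any proxy is selected, and the entitlement set travels inside the signed body, so a client cannot promote itself by editing the cookie.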