WO1998026552A1 - Method and apparatus for access control in a distributed multiserver network environment - Google Patents

Method and apparatus for access control in a distributed multiserver network environment Download PDF

Info

Publication number
WO1998026552A1
WO1998026552A1 PCT/US1997/022116 US9722116W WO9826552A1 WO 1998026552 A1 WO1998026552 A1 WO 1998026552A1 US 9722116 W US9722116 W US 9722116W WO 9826552 A1 WO9826552 A1 WO 9826552A1
Authority
WO
WIPO (PCT)
Prior art keywords
filtering
network
computer
profiles
recited
Prior art date
Application number
PCT/US1997/022116
Other languages
French (fr)
Other versions
WO1998026552B1 (en
Inventor
Thomas Wong
Sanjay R. Radia
Swee B. Lim
Panagiotis Tsirigotis
Robert Goedman
Original Assignee
Sun Microsystems, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sun Microsystems, Inc. filed Critical Sun Microsystems, Inc.
Priority to EP97951533A priority Critical patent/EP0943199B1/en
Priority to JP52679498A priority patent/JP2001510603A/en
Priority to DE69735311T priority patent/DE69735311D1/en
Publication of WO1998026552A1 publication Critical patent/WO1998026552A1/en
Publication of WO1998026552B1 publication Critical patent/WO1998026552B1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles

Definitions

  • the present invention relates generally to security in computer networks. More specifically, the present invention is a method and apparatus that provides access control for applications in a multiserver network environment. BACKGROUND OF THE INVENTION
  • a first approach to access control has been to build access control systems into the applications for which controlled access is required. With this approach, the applications authenticate each user prior to responding to the user's requests. In practice, this method has been found to be somewhat difficult to implement, due largely to the fact that modifications must be made to each application requiring access control.
  • Proxy servers are programs that act as middlemen between network users and applications requiring access control.
  • the proxy server authenticates the user's request and either forwards the request to the application or discards the request.
  • Access control using proxy servers is an effective method that reduces the changes that must be made to the applications requiring access control.
  • the use of proxy servers is often preferred over the use of access control systems built-in to applications.
  • experience has shown that, as network grow in scale, the use of proxy servers tends to be somewhat of a bottleneck since each user request must pass through the proxy server.
  • a preferred embodiment of the present invention includes a method and apparatus for controlling access to services within a computer network. More specifically, a preferred environment for the present invention is a computer network that includes a series of server systems, a series of client systems and one or more routers.
  • An access network control server (ANCS) controls configuration of the network components and a services management system (SMS), dynamically reconfigures the ANCS.
  • the network also includes a DHCP server that implements the Dynamic Host Configuration Protocol (DHCP) defined in Internet RFC 1541.
  • DHCP Dynamic Host Configuration Protocol
  • the client systems which are typically personal computers using cable modems, connect to the router. As part of the connection process, each client system receives a dynamically allocated IP address from the DHCP server.
  • Each application within a service is available from one or more server systems.
  • Network users who wish to access one of these applications subscribe to the service that includes the application.
  • the SMS maintains a filtering profile for each service.
  • Each filtering profile includes one or more filtering rules.
  • Each filtering rule is designed to forward IP packets that are directed at the applications within the services.
  • Network users are assigned sequences of filtering profiles. Each filtering profile included in a user's filtering profile sequence corresponds to one of the services to which the user subscribes.
  • Network users login to the network using one of the client systems as a host.
  • the SMS authenticates the user using a password or other authentication method.
  • the SMS locates the user's filtering profile sequence.
  • the user's filtering profile sequence is then downloaded by the SMS to the ANCS.
  • the ANCS uses the rules included in the downloaded filtering profile sequence to establish a packet filter for IP packets originating from the user's host system.
  • the new packet filter is preferably established by reconfiguring the components of the network that forward IP packets originating at the user's host system.
  • the packet filter may. be established by reconfiguring the router that connects the user's host system to the network.
  • the packet filter may be established by reconfiguring the cable modem that connects the user's host - system to the router.
  • the new packet filter uses the rules of the user's filtering profile sequence to selectively forward or discard IP packets originating from the user's host system. Specifically, the packet filter forwards packets that are directed to the services to which the user subscribes. Packets that are directed at services that the user is not authorized to use are discarded.
  • the present invention is a method for providing access control to services in a computer network including one or more server systems and one or more client systems, the method comprising the steps of: providing a filtering profile for each service, each filtering profile including one or more filtering rules, establishing the identity of a network user that is using a host client system, selecting one of more filtering profiles in accordance with the identity of the network user, and establishing a packet filter in the computer network, the packet filter using the filtering rules included in the selected profiles to selectively forward packets originating at the host client system and directed at one or more of the services included in the network.
  • the present invention is a computer program product comprising: a computer usable medium having computer readable code embodied therein for providing access control to services in a computer network including one or more server systems and one or more client systems, the computer program product comprising: first computer readable program code devices configured to cause a computer system to maintain a filtering profile for each service, each filtering profile including one or more filtering rules, second computer readable program code devices configured to cause a computer system to establishing the identity of a network user that is using a host client system, third computer readable program code devices configured to cause a computer system to select one of more filtering profiles in accordance with the identity of the network user, and fourth computer readable program code devices configured to cause a computer system to establish a packet filter in the computer network, the packet filter using the filtering rules included in the selected profiles to selectively forward packets originating at the host " client system and directed at one or more of the services included in the network.
  • Figure 1 is a block diagram of a computer network shown as a representative environment for a preferred embodiment of the present invention.
  • FIG. 2 is a block diagram of an access network control server (ANCS) as used by a preferred embodiment of the present invention.
  • ANCS access network control server
  • FIG. 3 is a block diagram of a services management system (SMS) as used by a preferred embodiment of the present invention.
  • SMS services management system
  • Figure 4 is a block diagram of a filtering profile used in a preferred embodiment of the present invention.
  • Figure 5 is a block diagram of a filtering rule as used in a preferred embodiment of the present invention.
  • Figure 6 is a block diagram showing an exemplary filtering profile associated with a service as provided by the present invention.
  • Figure 7 is a block diagram showing the correspondence between a network user and a sequence of filtering profiles as provided by the present invention.
  • Figure 8 is a flowchart showing the steps associated with a preferred embodiment of a method for providing access control in a computer network.
  • a computer network 100 is shown as a representative environment for the present invention.
  • computer network 100 includes a series of client systems 102, of which client systems 102a through 102f are representative.
  • Each client system 102 may be selected from a range of differing devices including, but not limited to the personal computers shown in Figure 1.
  • Preferably, each client system 102 is limited to use by a single user at any given time.
  • a cable modem 104 is connected to each client system 102.
  • Each cable modem 104 is connected, in turn, to a cable router 106.
  • the use of cable router 106 and cable modems 104 is also intended to be exemplary and it should be appreciated that other networking technologies and topologies are equally practical.
  • cable modem 104 can be a CyberSUFR cable modem and cable router 106 can be a CableMASTR cable router, both supplied by Motorola, Inc.
  • Network 100 also includes a series of server systems 108, of which server systems 108a through 108c are representative. Each server system 108 is connected to cable router 106. Generally, server systems 108 are intended to represent the broad range of server systems that may be found within computer networks.
  • a DHCP server system 110 is also included in computer network 100 and connected to cable router 106.
  • DHCP server system 110 is a computer or other system that implements Dynamic Host Configuration Protocol (DHCP. Functionally, DHCP server system 110 provides for allocation of IP addresses within network 100.
  • client systems 102 initially connect to cable router 106, each client system 102 requests and receives an IP address from DHCP server system 110.
  • Figure 1 shows only a single DHCP server system 110, it is to be understood that additional DHCP server systems 110 may be used without departing from the spirit of the present invention.
  • Computer network 100 also includes an access network control server (ANCS) 112 and a services management system (SMS) 114. Both ANCS 112 and SMS 114 are connected to cable router 106.
  • ANCS 112 is shown in more detail in " Figure 2 to include a computer system 202 that, in turn, includes a processor or processors 204 and a memory 206.
  • An input device 208 and an output device 210 are connected to the computer system 202 and represent a wide range of varying I/O devices such as disk drives, keyboards, modems, network adapters, printers and displays.
  • a disk drive 212 of any suitable disk drive type, is shown connected to computer system 202.
  • An ANCS process 214 is shown to be resident in memory 206 of computer system 202.
  • SMS 114 is shown in more detail in Figure 3 to include a computer system 302 that, in turn, includes a processor or processors 304 and a memory 306.
  • An input device 308 and an output device 310 are connected to the computer system 302 and represent a wide range of varying I/O devices such as disk drives, keyboards, modems, network adapters, printers and displays.
  • a disk drive 312, of any suitable disk drive type, is shown connected to computer system 302.
  • An SMS process 314 and a filtering profile database 316 are shown to be resident in memory 306 of computer system 302.
  • ANCS 112 and SMS 114 are shown as separate entities. It should be appreciated, however, that the present invention specifically anticipates that ANCS 112 and SMS 114 may be implemented using a single computer system that includes ANCS process 214, SMS process 314 and filtering profile database 316.
  • network 100 certain software applications are included in logical groups known as services.
  • network 100 could include an application that provides continuous updates of sporting events.
  • This applications could be included in a sports news service.
  • Network users who wish to use a specific application subscribe to the service that includes the application.
  • users desiring to have continuous updates of sporting events would subscribe to the sports news service.
  • the applications included in a service may be available from one or more of the server systems 108 included in network 100.
  • Popular services would typically be available from multiple server systems 108 while less popular services might be available from only a single server system 108.
  • each service has a filtering profile of the type shown in Figure 4 and generally designated 400.
  • Filtering profile 400 includes a profile id 402 and a series of filtering rules, of which filtering rules 404a through 404c are " representative.
  • the filtering rules 404 included in a filtering profile 400 are better understood by reference to Figure 5.
  • each filtering rule 404 includes an action 500.
  • Action 500 specifies the disposition of IP packets are match by a particular filtering rule 404.
  • action 500 may indicate that a matched IP packet will be forwarded, or that a matched IP packet will be discarded.
  • Filtering rule 404 also includes a destination IP address 502 and a destination IP mask 504.
  • Destination IP address 502 corresponds to the destination address included in the header of an IP packet.
  • Destination IP mask 504 is similar to destination IP address 502 but corresponds to a range of destination IP addresses.
  • an IP packet must either have a destination address that matches the destination address 502 included in the filtering rule 404 or have a destination address that is included in the range of destination address mask 504 of the filtering rule 404.
  • Filtering rule 404 also includes a protocol type 506. Protocol type 506 corresponds to the protocol type of an IP packet.
  • the protocol type 506 of each filtering rule 404 has a value that corresponds to an IP packet type, such as TCP, UDP, ICMP, etc.
  • an IP packet must have a protocol type that matches the protocol type 506 included in the filtering rule 404
  • filtering rule 404 includes a starting port number 508 and an ending port number 510.
  • Starting port number 508 and ending port number 510 define a range of port numbers of the type used by certain protocols, such as UDP and TCP. To match a particular filtering rule 404, an IP packet of one of these types must have a port number that falls within the range defined by starting port number 508 and ending port number 510.
  • filtering profile 400 for the exemplary sports news service is shown in Figure 6. More specifically, in Figure 6, filtering profile 400 includes two filtering rules, 404a and 404b respectively.
  • Filtering rule 404a includes an action 500 indicating that IP packets that match the filtering rule 404a should be forwarded.
  • filtering rule 404a includes a destination address 502 that corresponds to the IP address of server system 108a.
  • the destination address mask 504 of filtering rule 404a is set to 255.255.255.255 and the protocol type 506 of filtering rule " 404a is set to UDP.
  • the starting port number 508 and ending port number 510 of filtering rule 404a are both set to 66.
  • filtering rule 404b For filtering rule 404b, an action 500 is included that indicates that IP packets that match the filtering rule 404b should be forwarded. Additionally, filtering rule 404b includes a destination address 502 that corresponds to the IP address of server system 108c. The destination address mask 504 of filtering rule 404b is set to 255.255.255.255 and the protocol type 506 of filtering rule 404b is set to UDP. Finally, the starting port number 508 and ending port number 510 of filtering rule 404b are both set to 99.
  • the sports news service is available from server systems 108a and 108c.
  • the application that provides continuous updates of sporting events is accessed using the UDP protocol.
  • the application is accessed using port 66.
  • a port address of 99 is used.
  • each network user has a filtering profile sequence.
  • These filtering profiles 400 are maintained in filtering profile database 316 and are retrievable by SMS 114 using the user's identity within network 100.
  • the filtering profiles 400 that are included in a user's filtering profile sequence correspond to the services to which the user subscribes. Thus, if a user were to subscribe to the sports news services, his filtering profile sequence would include the filtering profile 400 shown in Figure 6.
  • the user's filtering profile sequence would also include filtering profiles for any other services to which the user subscribes.
  • index 700 is shown for filtering profile database.
  • Index 700 has one entry 702 for each network user.
  • Each entry 702 references the filtering profiles 400 that correspond to the services to which the network user subscribes.
  • entry 702a references filtering profiles 400a and 400b. This allows the sequence of filtering profiles associated with network users to be retrieved.
  • Method 800 includes step performed by SMS 114 and ANCS 112. For convenience, these steps are grouped into an SMS context 802 and an ANCS ⁇ context 804.
  • Method 800 begins with step 806 where SMS 114 authenticates a network user. More specifically, for a preferred embodiment of the present invention, users access the network 100 by using a host client system 102. To prevent misuse of the network 100, SMS 114 authenticates each user using a password or other authentication scheme. The authentication process also informs the SMS 114 of the identity of the user.
  • Step 806 corresponds, in a general sense, to the methods and procedures that are executed by SMS 114 to authenticate and identify a network user.
  • SMS 114 locates the user's filtering profile sequence within the filtering profile database 316.
  • this step is performed by searching the index 700 of filtering profile database 316 using the user's identity as a search key.
  • the user's identity may be, for example, a user name or identification number.
  • a default filtering profile sequence may be generated using a standardized template.
  • Step 808 is followed by step 810, where the user's filtering profile sequence is downloaded by SMS 114 to ANCS 112.
  • the SMS 114 passes the IP address of the user's host system 102 to the ANCS 112.
  • the ANCS 112 uses each of the filtering rules 404 included in the user's filtering profile sequence to establish a packet filter for IP packets originating from the user's host system 102.
  • the packet filter is established by reconfiguring one or more of the components of the network 100 that forward packets originating at the user's host system 102.
  • the packet filter may be established by reconfiguring the modem 104 connected to the user's host system 102.
  • the packet filter may be established by reconfiguring router 106.
  • ANCS 112 reconfigures the network components using a standardized protocol that may be used in combination with the components of network 100.
  • the packet filter established by the ANCS 112 is used to filter IP packets that originate from the user's host system 102, allowing those packets that are directed to the services to which the user subscribes. More specifically, the packet filter established by the SMS 114 examines each IP packet that originates at the user's host system 102. As part of this evaluation, the packet filter starts with the first filtering rule 404 included in the user's filtering profile sequence. This first filtering rule 404 is compared to the IP header of the IP packet. If the destination IP address 502, destination IP mask 504, protocol type 506 and the range defined by the starting port number 508 and ending port number 510 all match the header of the IP packet, the filtering rule 404 matches the IP packet.
  • the packet filter then applies the action 500 included in the filtering rule 404. If the first filtering rule 404 included in the user's filtering profile sequence does not match, the remaining filtering rules 404 are tried in order. If no filtering rule matches, the IP packet is discard. Subsequently, the user may change the services to which he or she subscribes. In this event, SMS 114 may re-download the user's filtering profile to the ANCS 112 allowing the ANCS 112 to reconfigure the network 100 to reflect the user's new subscriptions. The user's filtering profile may be also be re-downloaded if a server system 108 is added or becomes unavailable or in response to any other relevant event within network 100.

Abstract

The present invention includes a method and apparatus for providing access control to services within a computer network. More specifically, the present invention includes a services management system, or SMS. The SMS manages network connections between a series of client systems and a router. An access network control server (ANCS) manages the configuration of the router. For each network user, the SMS maintains a profile of filtering rules. When the user accesses the network, the SMS downloads the user's filtering profiles to the ANCS. The ANCS then uses the downloaded filtering profiles to reconfigure the router. The router then uses the filtering rules to selectively forward IP packets originating from the user's host system and directed at the network services.

Description

Method and Apparatus for Access Control in a Distributed Multiserver -
Network Environment
FIELD OF THE INVENTION
The present invention relates generally to security in computer networks. More specifically, the present invention is a method and apparatus that provides access control for applications in a multiserver network environment. BACKGROUND OF THE INVENTION
For many computer networks, the ability to provide controlled access to objects, such as applications and data, is an important requirement. The need for effective access control increases, in most cases, with increasing network size and with increasing numbers and types of network users. A first approach to access control has been to build access control systems into the applications for which controlled access is required. With this approach, the applications authenticate each user prior to responding to the user's requests. In practice, this method has been found to be somewhat difficult to implement, due largely to the fact that modifications must be made to each application requiring access control.
A second approach to access control has been the use of proxy servers. Proxy servers are programs that act as middlemen between network users and applications requiring access control. When a user sends a request to an application, the request goes first to the proxy server. The proxy server then authenticates the user's request and either forwards the request to the application or discards the request. Access control using proxy servers is an effective method that reduces the changes that must be made to the applications requiring access control. As a result, the use of proxy servers is often preferred over the use of access control systems built-in to applications. Unfortunately, experience has shown that, as network grow in scale, the use of proxy servers tends to be somewhat of a bottleneck since each user request must pass through the proxy server.
As a result, there is a need for access control systems that provide high- throughput and may be implemented without modifications to the applications requiring controlled access. SUMMARY OF THE INVENTION
A preferred embodiment of the present invention includes a method and apparatus for controlling access to services within a computer network. More specifically, a preferred environment for the present invention is a computer network that includes a series of server systems, a series of client systems and one or more routers. An access network control server (ANCS) controls configuration of the network components and a services management system (SMS), dynamically reconfigures the ANCS. The network also includes a DHCP server that implements the Dynamic Host Configuration Protocol (DHCP) defined in Internet RFC 1541. The client systems, which are typically personal computers using cable modems, connect to the router. As part of the connection process, each client system receives a dynamically allocated IP address from the DHCP server.
Within the network, certain software applications are included within logical groups known as "services." Each application within a service is available from one or more server systems. Network users who wish to access one of these applications subscribe to the service that includes the application. The SMS maintains a filtering profile for each service. Each filtering profile includes one or more filtering rules. Each filtering rule is designed to forward IP packets that are directed at the applications within the services. Network users are assigned sequences of filtering profiles. Each filtering profile included in a user's filtering profile sequence corresponds to one of the services to which the user subscribes.
Network users login to the network using one of the client systems as a host. As part of the login process, the SMS authenticates the user using a password or other authentication method. Subsequently, the SMS locates the user's filtering profile sequence. The user's filtering profile sequence is then downloaded by the SMS to the ANCS. The ANCS uses the rules included in the downloaded filtering profile sequence to establish a packet filter for IP packets originating from the user's host system. The new packet filter is preferably established by reconfiguring the components of the network that forward IP packets originating at the user's host system. For example, the packet filter may. be established by reconfiguring the router that connects the user's host system to the network. Alternatively, the packet filter may be established by reconfiguring the cable modem that connects the user's host - system to the router.
Subsequently, the new packet filter uses the rules of the user's filtering profile sequence to selectively forward or discard IP packets originating from the user's host system. Specifically, the packet filter forwards packets that are directed to the services to which the user subscribes. Packets that are directed at services that the user is not authorized to use are discarded.
In accordance with the purpose of the invention, as embodied and broadly described herein, the present invention is a method for providing access control to services in a computer network including one or more server systems and one or more client systems, the method comprising the steps of: providing a filtering profile for each service, each filtering profile including one or more filtering rules, establishing the identity of a network user that is using a host client system, selecting one of more filtering profiles in accordance with the identity of the network user, and establishing a packet filter in the computer network, the packet filter using the filtering rules included in the selected profiles to selectively forward packets originating at the host client system and directed at one or more of the services included in the network.
In further accordance with the purpose of the invention, as embodied and broadly described herein, the present invention is a computer program product comprising: a computer usable medium having computer readable code embodied therein for providing access control to services in a computer network including one or more server systems and one or more client systems, the computer program product comprising: first computer readable program code devices configured to cause a computer system to maintain a filtering profile for each service, each filtering profile including one or more filtering rules, second computer readable program code devices configured to cause a computer system to establishing the identity of a network user that is using a host client system, third computer readable program code devices configured to cause a computer system to select one of more filtering profiles in accordance with the identity of the network user, and fourth computer readable program code devices configured to cause a computer system to establish a packet filter in the computer network, the packet filter using the filtering rules included in the selected profiles to selectively forward packets originating at the host" client system and directed at one or more of the services included in the network.
Advantages of the invention will be set forth, in part, in the description that follows and, in part, will be understood by those skilled in the art from the description or may be learned by practice of the invention. The advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims and equivalents. BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate several embodiments of the invention and, together with the description, serve to explain the principles of the invention.
Figure 1 is a block diagram of a computer network shown as a representative environment for a preferred embodiment of the present invention.
Figure 2 is a block diagram of an access network control server (ANCS) as used by a preferred embodiment of the present invention.
Figure 3 is a block diagram of a services management system (SMS) as used by a preferred embodiment of the present invention.
Figure 4 is a block diagram of a filtering profile used in a preferred embodiment of the present invention. Figure 5 is a block diagram of a filtering rule as used in a preferred embodiment of the present invention.
Figure 6 is a block diagram showing an exemplary filtering profile associated with a service as provided by the present invention.
Figure 7 is a block diagram showing the correspondence between a network user and a sequence of filtering profiles as provided by the present invention.
Figure 8 is a flowchart showing the steps associated with a preferred embodiment of a method for providing access control in a computer network. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Reference will now be made in detail to the preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference 'numbers will be used throughout the 7 drawings to refer to the same or like parts.
In Figure 1 , a computer network 100 is shown as a representative environment for the present invention. Structurally, computer network 100 includes a series of client systems 102, of which client systems 102a through 102f are representative. Each client system 102 may be selected from a range of differing devices including, but not limited to the personal computers shown in Figure 1. Preferably, each client system 102 is limited to use by a single user at any given time. A cable modem 104 is connected to each client system 102. Each cable modem 104 is connected, in turn, to a cable router 106. The use of cable router 106 and cable modems 104 is also intended to be exemplary and it should be appreciated that other networking technologies and topologies are equally practical. It should also be appreciated that a number of different cable modems and cable routers are available from various manufactures. In particular, cable modem 104 can be a CyberSUFR cable modem and cable router 106 can be a CableMASTR cable router, both supplied by Motorola, Inc.
Network 100 also includes a series of server systems 108, of which server systems 108a through 108c are representative. Each server system 108 is connected to cable router 106. Generally, server systems 108 are intended to represent the broad range of server systems that may be found within computer networks.
A DHCP server system 110 is also included in computer network 100 and connected to cable router 106. DHCP server system 110 is a computer or other system that implements Dynamic Host Configuration Protocol (DHCP. Functionally, DHCP server system 110 provides for allocation of IP addresses within network 100. When client systems 102 initially connect to cable router 106, each client system 102 requests and receives an IP address from DHCP server system 110. Although Figure 1 shows only a single DHCP server system 110, it is to be understood that additional DHCP server systems 110 may be used without departing from the spirit of the present invention.
Computer network 100 also includes an access network control server (ANCS) 112 and a services management system (SMS) 114. Both ANCS 112 and SMS 114 are connected to cable router 106. ANCS 112 is shown in more detail in" Figure 2 to include a computer system 202 that, in turn, includes a processor or processors 204 and a memory 206. An input device 208 and an output device 210 are connected to the computer system 202 and represent a wide range of varying I/O devices such as disk drives, keyboards, modems, network adapters, printers and displays. A disk drive 212, of any suitable disk drive type, is shown connected to computer system 202. An ANCS process 214 is shown to be resident in memory 206 of computer system 202.
SMS 114 is shown in more detail in Figure 3 to include a computer system 302 that, in turn, includes a processor or processors 304 and a memory 306. An input device 308 and an output device 310 are connected to the computer system 302 and represent a wide range of varying I/O devices such as disk drives, keyboards, modems, network adapters, printers and displays. A disk drive 312, of any suitable disk drive type, is shown connected to computer system 302. An SMS process 314 and a filtering profile database 316 are shown to be resident in memory 306 of computer system 302. In Figure 1 , ANCS 112 and SMS 114 are shown as separate entities. It should be appreciated, however, that the present invention specifically anticipates that ANCS 112 and SMS 114 may be implemented using a single computer system that includes ANCS process 214, SMS process 314 and filtering profile database 316.
Within network 100, certain software applications are included in logical groups known as services. As an example, network 100 could include an application that provides continuous updates of sporting events. This applications could be included in a sports news service. Network users who wish to use a specific application subscribe to the service that includes the application. Thus, users desiring to have continuous updates of sporting events would subscribe to the sports news service. In general, the applications included in a service may be available from one or more of the server systems 108 included in network 100. Popular services would typically be available from multiple server systems 108 while less popular services might be available from only a single server system 108.
Within SMS 114, each service has a filtering profile of the type shown in Figure 4 and generally designated 400. Filtering profile 400 includes a profile id 402 and a series of filtering rules, of which filtering rules 404a through 404c are" representative. The filtering rules 404 included in a filtering profile 400 are better understood by reference to Figure 5. In Figure 5, it may be seen that each filtering rule 404 includes an action 500. Action 500 specifies the disposition of IP packets are match by a particular filtering rule 404. In particular, action 500 may indicate that a matched IP packet will be forwarded, or that a matched IP packet will be discarded. Filtering rule 404 also includes a destination IP address 502 and a destination IP mask 504. Destination IP address 502 corresponds to the destination address included in the header of an IP packet. Destination IP mask 504 is similar to destination IP address 502 but corresponds to a range of destination IP addresses. To match a particular filtering rule 404, an IP packet must either have a destination address that matches the destination address 502 included in the filtering rule 404 or have a destination address that is included in the range of destination address mask 504 of the filtering rule 404. Filtering rule 404 also includes a protocol type 506. Protocol type 506 corresponds to the protocol type of an IP packet. Thus, the protocol type 506 of each filtering rule 404 has a value that corresponds to an IP packet type, such as TCP, UDP, ICMP, etc. To match a particular filtering rule 404, an IP packet must have a protocol type that matches the protocol type 506 included in the filtering rule 404
Finally, for the embodiment shown, filtering rule 404 includes a starting port number 508 and an ending port number 510. Starting port number 508 and ending port number 510 define a range of port numbers of the type used by certain protocols, such as UDP and TCP. To match a particular filtering rule 404, an IP packet of one of these types must have a port number that falls within the range defined by starting port number 508 and ending port number 510.
An example of a filtering profile 400 for the exemplary sports news service is shown in Figure 6. More specifically, in Figure 6, filtering profile 400 includes two filtering rules, 404a and 404b respectively. Filtering rule 404a includes an action 500 indicating that IP packets that match the filtering rule 404a should be forwarded. Additionally, filtering rule 404a includes a destination address 502 that corresponds to the IP address of server system 108a. The destination address mask 504 of filtering rule 404a is set to 255.255.255.255 and the protocol type 506 of filtering rule" 404a is set to UDP. Finally, the starting port number 508 and ending port number 510 of filtering rule 404a are both set to 66.
For filtering rule 404b, an action 500 is included that indicates that IP packets that match the filtering rule 404b should be forwarded. Additionally, filtering rule 404b includes a destination address 502 that corresponds to the IP address of server system 108c. The destination address mask 504 of filtering rule 404b is set to 255.255.255.255 and the protocol type 506 of filtering rule 404b is set to UDP. Finally, the starting port number 508 and ending port number 510 of filtering rule 404b are both set to 99.
Based on the foregoing, it may be concluded that the sports news service is available from server systems 108a and 108c. The application that provides continuous updates of sporting events is accessed using the UDP protocol. In the case of server system 108a, the application is accessed using port 66. In the case of server system 108c, a port address of 99 is used.
Within SMS 114, each network user has a filtering profile sequence. These filtering profiles 400 are maintained in filtering profile database 316 and are retrievable by SMS 114 using the user's identity within network 100. The filtering profiles 400 that are included in a user's filtering profile sequence correspond to the services to which the user subscribes. Thus, if a user were to subscribe to the sports news services, his filtering profile sequence would include the filtering profile 400 shown in Figure 6. The user's filtering profile sequence would also include filtering profiles for any other services to which the user subscribes.
The association between network users and filtering profiles 400 may be better understood by reference to Figure 7. In Figure 7 an index 700 is shown for filtering profile database. Index 700 has one entry 702 for each network user. Each entry 702 references the filtering profiles 400 that correspond to the services to which the network user subscribes. Thus entry 702a references filtering profiles 400a and 400b. This allows the sequence of filtering profiles associated with network users to be retrieved.
A preferred embodiment for access control is shown as method 800 of Figure 8. Method 800 includes step performed by SMS 114 and ANCS 112. For convenience, these steps are grouped into an SMS context 802 and an ANCS ^ context 804. Method 800 begins with step 806 where SMS 114 authenticates a network user. More specifically, for a preferred embodiment of the present invention, users access the network 100 by using a host client system 102. To prevent misuse of the network 100, SMS 114 authenticates each user using a password or other authentication scheme. The authentication process also informs the SMS 114 of the identity of the user. Step 806 corresponds, in a general sense, to the methods and procedures that are executed by SMS 114 to authenticate and identify a network user. In step 808, which follows, SMS 114 locates the user's filtering profile sequence within the filtering profile database 316. In general, this step is performed by searching the index 700 of filtering profile database 316 using the user's identity as a search key. The user's identity may be, for example, a user name or identification number. In some cases, such as in the case of a new user, a default filtering profile sequence may be generated using a standardized template.
Step 808 is followed by step 810, where the user's filtering profile sequence is downloaded by SMS 114 to ANCS 112. At the same time, the SMS 114 passes the IP address of the user's host system 102 to the ANCS 112. In the following step, the ANCS 112 uses each of the filtering rules 404 included in the user's filtering profile sequence to establish a packet filter for IP packets originating from the user's host system 102. The packet filter is established by reconfiguring one or more of the components of the network 100 that forward packets originating at the user's host system 102. For example, in some cases, the packet filter may be established by reconfiguring the modem 104 connected to the user's host system 102. Alternatively, the packet filter may be established by reconfiguring router 106. Preferably, ANCS 112 reconfigures the network components using a standardized protocol that may be used in combination with the components of network 100.
Subsequently, the packet filter established by the ANCS 112 is used to filter IP packets that originate from the user's host system 102, allowing those packets that are directed to the services to which the user subscribes. More specifically, the packet filter established by the SMS 114 examines each IP packet that originates at the user's host system 102. As part of this evaluation, the packet filter starts with the first filtering rule 404 included in the user's filtering profile sequence. This first filtering rule 404 is compared to the IP header of the IP packet. If the destination IP address 502, destination IP mask 504, protocol type 506 and the range defined by the starting port number 508 and ending port number 510 all match the header of the IP packet, the filtering rule 404 matches the IP packet. The packet filter then applies the action 500 included in the filtering rule 404. If the first filtering rule 404 included in the user's filtering profile sequence does not match, the remaining filtering rules 404 are tried in order. If no filtering rule matches, the IP packet is discard. Subsequently, the user may change the services to which he or she subscribes. In this event, SMS 114 may re-download the user's filtering profile to the ANCS 112 allowing the ANCS 112 to reconfigure the network 100 to reflect the user's new subscriptions. The user's filtering profile may be also be re-downloaded if a server system 108 is added or becomes unavailable or in response to any other relevant event within network 100.
Other embodiments will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. It is intended that the specification and examples be considered as exemplary only, with a true scope of the invention being indicated by the following claims and equivalents.

Claims

WHAT IS CLAIMED IS:
1. A method for providing access control to services in a computer network including one or more server systems and one or more client systems, the method comprising the steps of: providing a filtering profile for each service, each filtering profile including one or more filtering rules, establishing the identity of a network user that is using a host client system, selecting one of more filtering profiles in accordance with the identity of the network user, and establishing a packet filter in the computer network, the packet filter using the filtering rules included in the selected profiles to selectively forward packets originating at the host client system and directed at one or more of the services included in the network.
2. A method as recited in claim 1 wherein the computer network includes a router and wherein the step of establishing a packet filter includes the step of reconfiguring the router to selectively forward packets originating at the host client system in accordance with the filtering rules included in the selected profiles.
3. A method as recited in claim 1 wherein the host client system is connected to the network using a cable modem and wherein the step of establishing a packet filter includes the step of reconfiguring the cable modem to selectively forward packets originating at the host client system in accordance with the filtering rules included in the selected profiles.
4. A method as recited in claim 1 wherein the step of providing one or more filtering profiles further comprises the step of selecting the filtering profiles from a database.
5. A method as recited in claim 1 wherein each service includes one or more applications, each application being located on one or more servers systems and wherein the filtering profile for each service includes one or more filtering rules for selectively forwarding packets directed to servers on which the applications of the service are located.
6. A method as recited in claim 1 wherein each filtering rule includes a protocol type, the protocol type corresponding to the protocol used to send messages to one of the services.
7. A method as recited in claim 1 wherein each filtering rule includes a destination address where the destination address corresponds to the IP address of one of the server systems.
8. A method as recited in claim 5 wherein each filtering rule includes a destination mask.
9. A method as recited in claim 5 wherein each filtering rule includes a range of destination port numbers.
10. A method as recited in claim 5 wherein the step of selecting one of more filtering profiles in accordance with the identity of the network user selects filtering profiles corresponding to services to which the user is a subscriber.
11. A computer program product comprising: a computer usable medium having computer readable code embodied therein for providing access control to services in a computer network including one or more server systems and one or more client systems, the computer program product comprising: first computer readable program code devices configured to cause a computer system to maintain a filtering profile for each service, each filtering profile including one or more filtering rules, second computer readable program code devices configured to cause a computer system to establishing the identity of a network user that is using a host client system, third computer readable program code devices configured to" cause a computer system to select one of more filtering profiles in accordance with the identity of the network user, and fourth computer readable program code devices configured to cause a computer system to establish a packet filter in the computer network, the packet filter using the filtering rules included in the selected profiles to selectively forward packets originating at the host client system and directed at one or more of the services included in the network.
12. A computer program product as recited in claim 11 wherein the computer network includes a router and wherein the fourth computer readable program code devices includes computer readable program code devices configured to cause a computer system to reconfigure the router to selectively forward packets originating at the host client system in accordance with the filtering rules included in the selected profiles.
13. A computer program product as recited in claim 11 wherein the host client system is connected to the network using a cable modem and wherein the fourth computer readable program code devices includes computer readable program code devices configured to cause a computer system to reconfigure the cable modem to selectively forward packets originating at the host client system in accordance with the filtering rules included in the selected profiles.
14. A computer program product as recited in claim 8 wherein the third computer readable program code devices includes computer readable program code devices configured to cause a computer system to select the filtering profiles from a database.
15. An apparatus for providing access control to services in a computer network including one or more server systems and one or more client systems, the apparatus comprising: a filtering profile for each service, each filtering profile including one or more filtering rules, a first portion configured to cause a computer system to establish the identity of a network user that is using a host client system, a second portion configured to cause a computer system to select one of more filtering profiles in accordance with the identity of the network user, and a third portion configured to cause a computer system to establish a packet filter in the computer network, the packet filter using the filtering rules included in the selected profiles to selectively forward packets originating at the host client system and directed at one or more of the services included in the network.
16. An apparatus as recited in claim 15 wherein the computer network includes a router and wherein the third portion includes a fourth portion configured to cause a computer system to reconfigure the router to selectively forward packets originating at the host client system in accordance with the filtering rules included in the selected profiles.
17. An apparatus as recited in claim 15 wherein the host client system is connected to the network using a cable modem and wherein the third portion includes a fourth portion configured to cause a computer system to reconfigure the cable modem to selectively forward packets originating at the host client system in accordance with the filtering rules included in the selected profiles.
18. An apparatus as recited in claim 15 wherein the second portion includes a fourth portion configured to cause a computer system to select the filtering profiles from a database.
PCT/US1997/022116 1996-12-09 1997-12-06 Method and apparatus for access control in a distributed multiserver network environment WO1998026552A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP97951533A EP0943199B1 (en) 1996-12-09 1997-12-06 Method and apparatus for access control in a distributed multiserver network environment
JP52679498A JP2001510603A (en) 1996-12-09 1997-12-06 Access control method and apparatus in distributed multi-server network environment
DE69735311T DE69735311D1 (en) 1996-12-09 1997-12-06 METHOD AND DEVICE FOR ACCESS CONTROL IN A DISTRIBUTED NETWORK ENVIRONMENT

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US08/762,393 US5835727A (en) 1996-12-09 1996-12-09 Method and apparatus for controlling access to services within a computer network
US08/762,393 1996-12-09

Publications (2)

Publication Number Publication Date
WO1998026552A1 true WO1998026552A1 (en) 1998-06-18
WO1998026552B1 WO1998026552B1 (en) 1998-07-30

Family

ID=25064911

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1997/022116 WO1998026552A1 (en) 1996-12-09 1997-12-06 Method and apparatus for access control in a distributed multiserver network environment

Country Status (5)

Country Link
US (1) US5835727A (en)
EP (1) EP0943199B1 (en)
JP (1) JP2001510603A (en)
DE (1) DE69735311D1 (en)
WO (1) WO1998026552A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001022642A2 (en) * 1999-09-24 2001-03-29 Comverse Network Systems Ltd. System and method for presorting rules for filtering packets on a network
WO2001065343A1 (en) * 2000-03-02 2001-09-07 Check Point Software Technologies Ltd. System, device and method for rapid packet filtering and processing
US7409458B2 (en) 2004-03-12 2008-08-05 Fujitsu Limited Network system with shared filtering information
WO2009008003A2 (en) * 2007-07-10 2009-01-15 Bhavin Turakhia Method and system for restricting access of one or more users to a service

Families Citing this family (214)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE9603801L (en) * 1996-10-16 1998-04-17 Ericsson Telefon Ab L M System of communicating devices and a procedure in the system
EP0968596B1 (en) 1997-03-12 2007-07-18 Nomadix, Inc. Nomadic translator or router
US6272631B1 (en) * 1997-06-30 2001-08-07 Microsoft Corporation Protected storage of core data secrets
US6286039B1 (en) 1997-08-28 2001-09-04 Cisco Technology, Inc. Automatic static to dynamic IP address and DNS address management for remote communications network access
US6460084B1 (en) 1997-08-28 2002-10-01 Cisco Technology, Inc. Forced network portal
US7043537B1 (en) * 1997-09-05 2006-05-09 Cisco Technology, Inc System and method for remote device management
JPH1196099A (en) * 1997-09-19 1999-04-09 Hitachi Ltd Service providing system
US6938089B1 (en) * 1997-10-16 2005-08-30 Virtual Access Technology Limited Apparatus and method for controlling access to a service over a communications system
US6065061A (en) * 1997-12-16 2000-05-16 Lucent Technologies Inc. Internet protocol based network architecture for cable television access with switched fallback
US6170061B1 (en) 1998-02-04 2001-01-02 3Com Corporation Method and system for secure cable modem registration
US6185624B1 (en) 1998-02-04 2001-02-06 3Com Corporation Method and system for cable modem management of a data-over-cable system
US6240464B1 (en) 1998-02-04 2001-05-29 3Com Corporation Method and system for managing addresses for network host interfaces in a data-over-cable system
US6289013B1 (en) * 1998-02-09 2001-09-11 Lucent Technologies, Inc. Packet filter method and apparatus employing reduced memory
US7411916B2 (en) * 1998-02-26 2008-08-12 Nortel Networks Limited Data forwarding method and apparatus
WO1999046906A1 (en) * 1998-03-13 1999-09-16 Omnes Providing secure access to network services
US6529932B1 (en) 1998-04-01 2003-03-04 Microsoft Corporation Method and system for distributed transaction processing with asynchronous message delivery
US6205498B1 (en) 1998-04-01 2001-03-20 Microsoft Corporation Method and system for message transfer session management
US6446206B1 (en) 1998-04-01 2002-09-03 Microsoft Corporation Method and system for access control of a message queue
US6678726B1 (en) * 1998-04-02 2004-01-13 Microsoft Corporation Method and apparatus for automatically determining topology information for a computer within a message queuing network
US6370147B1 (en) 1998-04-23 2002-04-09 3Com Corporation Method for addressing of passive network hosts in a data-over-cable system
US6370141B1 (en) 1998-04-29 2002-04-09 Cisco Technology, Inc. Method and apparatus for configuring an internet appliance
US6779118B1 (en) * 1998-05-04 2004-08-17 Auriq Systems, Inc. User specific automatic data redirection system
US6105063A (en) * 1998-05-05 2000-08-15 International Business Machines Corp. Client-server system for maintaining application preferences in a hierarchical data structure according to user and user group or terminal and terminal group contexts
US6141687A (en) * 1998-05-08 2000-10-31 Cisco Technology, Inc. Using an authentication server to obtain dial-out information on a network
US6636485B1 (en) 1998-05-14 2003-10-21 3Com Corporation Method and system for providing quality-of-service in a data-over-cable system
US6223222B1 (en) 1998-05-14 2001-04-24 3Com Corporation Method and system for providing quality-of-service in a data-over-cable system using configuration protocol messaging
US6560203B1 (en) 1998-05-27 2003-05-06 3Com Corporation Method for changing type-of-service in a data-over-cable system
US6775276B1 (en) 1998-05-27 2004-08-10 3Com Corporation Method and system for seamless address allocation in a data-over-cable system
US6510162B1 (en) * 1998-05-27 2003-01-21 3Com Corporation System and method for managing channel usage in a data over cable system
US6275853B1 (en) 1998-05-27 2001-08-14 3Com Corporation System and method for extending communications features using generic management information base objects
US6295554B1 (en) 1998-05-27 2001-09-25 3Com Corporation System and method for communicating with a telco-return cable modem as a single communications device
US6189102B1 (en) 1998-05-27 2001-02-13 3Com Corporation Method for authentication of network devices in a data-over cable system
US6442158B1 (en) 1998-05-27 2002-08-27 3Com Corporation Method and system for quality-of-service based data forwarding in a data-over-cable system
US6331987B1 (en) 1998-05-27 2001-12-18 3Com Corporation Method and system for bundling data in a data-over-cable system
US6407985B1 (en) * 1998-06-29 2002-06-18 Cisco Technology, Inc. Load sharing over blocked links
US6275912B1 (en) 1998-06-30 2001-08-14 Microsoft Corporation Method and system for storing data items to a storage device
US6202089B1 (en) 1998-06-30 2001-03-13 Microsoft Corporation Method for configuring at runtime, identifying and using a plurality of remote procedure call endpoints on a single server process
US6848108B1 (en) * 1998-06-30 2005-01-25 Microsoft Corporation Method and apparatus for creating, sending, and using self-descriptive objects as messages over a message queuing network
US6256634B1 (en) 1998-06-30 2001-07-03 Microsoft Corporation Method and system for purging tombstones for deleted data items in a replicated database
US6966004B1 (en) 1998-08-03 2005-11-15 Cisco Technology, Inc. Method for providing single step log-on access to a differentiated computer network
US6311275B1 (en) 1998-08-03 2001-10-30 Cisco Technology, Inc. Method for providing single step log-on access to a differentiated computer network
US7073196B1 (en) 1998-08-07 2006-07-04 The United States Of America As Represented By The National Security Agency Firewall for processing a connectionless network packet
US6615358B1 (en) 1998-08-07 2003-09-02 Patrick W. Dowd Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network
US6502192B1 (en) 1998-09-03 2002-12-31 Cisco Technology, Inc. Security between client and server in a computer network
US6892229B1 (en) 1998-09-30 2005-05-10 3Com Corporation System and method for assigning dynamic host configuration protocol parameters in devices using resident network interfaces
US6212563B1 (en) 1998-10-01 2001-04-03 3Com Corporation Method and system for setting and managing externally provided internet protocol addresses using the dynamic host configuration protocol
US6243749B1 (en) 1998-10-08 2001-06-05 Cisco Technology, Inc. Dynamic network address updating
US6212561B1 (en) 1998-10-08 2001-04-03 Cisco Technology, Inc. Forced sequential access to specified domains in a computer network
US6263369B1 (en) 1998-10-30 2001-07-17 Cisco Technology, Inc. Distributed architecture allowing local user authentication and authorization
US6385653B1 (en) 1998-11-02 2002-05-07 Cisco Technology, Inc. Responding to network access requests using a transparent media access and uniform delivery of service
US6490289B1 (en) 1998-11-03 2002-12-03 Cisco Technology, Inc. Multiple network connections from a single PPP link with network address translation
US7165122B1 (en) 1998-11-12 2007-01-16 Cisco Technology, Inc. Dynamic IP addressing and quality of service assurance
US6539431B1 (en) 1998-11-12 2003-03-25 Cisco Technology, Inc. Support IP pool-based configuration
US7165117B1 (en) 1998-11-12 2007-01-16 Cisco Technology, Inc. Dynamic IP addressing and quality of service assurance
US6427174B1 (en) 1998-11-12 2002-07-30 Cisco Technology, Inc. Dynamic IP addressing and quality of service assurance
US6442165B1 (en) 1998-12-02 2002-08-27 Cisco Technology, Inc. Load balancing between service component instances
US6396833B1 (en) 1998-12-02 2002-05-28 Cisco Technology, Inc. Per user and network routing tables
US7616640B1 (en) 1998-12-02 2009-11-10 Cisco Technology, Inc. Load balancing between service component instances
US6253327B1 (en) 1998-12-02 2001-06-26 Cisco Technology, Inc. Single step network logon based on point to point protocol
US8713641B1 (en) 1998-12-08 2014-04-29 Nomadix, Inc. Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device
US7194554B1 (en) 1998-12-08 2007-03-20 Nomadix, Inc. Systems and methods for providing dynamic network authorization authentication and accounting
US8266266B2 (en) 1998-12-08 2012-09-11 Nomadix, Inc. Systems and methods for providing dynamic network authorization, authentication and accounting
US6662135B1 (en) 1998-12-09 2003-12-09 3Com Corporation Method and apparatus for reflective mixer testing of a cable modem
US7370102B1 (en) 1998-12-15 2008-05-06 Cisco Technology, Inc. Managing recovery of service components and notification of service errors and failures
US6718376B1 (en) 1998-12-15 2004-04-06 Cisco Technology, Inc. Managing recovery of service components and notification of service errors and failures
US6917617B2 (en) * 1998-12-16 2005-07-12 Cisco Technology, Inc. Use of precedence bits for quality of service
US6643260B1 (en) 1998-12-18 2003-11-04 Cisco Technology, Inc. Method and apparatus for implementing a quality of service policy in a data communications network
US6351773B1 (en) 1998-12-21 2002-02-26 3Com Corporation Methods for restricting access of network devices to subscription services in a data-over-cable system
US6986157B1 (en) 1998-12-21 2006-01-10 3Com Corporation Method and system for dynamic service registration in a data-over-cable system
US6657991B1 (en) 1998-12-21 2003-12-02 3Com Corporation Method and system for provisioning network addresses in a data-over-cable system
US6490290B1 (en) 1998-12-30 2002-12-03 Cisco Technology, Inc. Default internet traffic and transparent passthrough
US6654801B2 (en) 1999-01-04 2003-11-25 Cisco Technology, Inc. Remote system administration and seamless service integration of a data communication network management system
US6298383B1 (en) 1999-01-04 2001-10-02 Cisco Technology, Inc. Integration of authentication authorization and accounting service and proxy service
US6871224B1 (en) 1999-01-04 2005-03-22 Cisco Technology, Inc. Facility to transmit network management data to an umbrella management system
US6577642B1 (en) 1999-01-15 2003-06-10 3Com Corporation Method and system for virtual network administration with a data-over cable system
US6738377B1 (en) 1999-01-29 2004-05-18 International Business Machines Corporation System and method for dynamic micro placement of IP connection filters
US6587468B1 (en) 1999-02-10 2003-07-01 Cisco Technology, Inc. Reply to sender DHCP option
US7099338B1 (en) 1999-02-27 2006-08-29 3Com Corporation System and method for insuring dynamic host configuration protocol operation by a host connected to a data network
EP1171830A4 (en) * 1999-03-29 2004-10-20 Quark Media House Sarl Dynamic application systems and processes for distributed computer environment
FR2793048A1 (en) * 1999-04-29 2000-11-03 Schlumberger Systems & Service METHOD OF MANAGING CONTROLS IN SEVERAL APPLICATION FILES AND CHIP CARD FOR IMPLEMENTING THE METHOD
US7644439B2 (en) * 1999-05-03 2010-01-05 Cisco Technology, Inc. Timing attacks against user logon and network I/O
US6466977B1 (en) * 1999-05-06 2002-10-15 Cisco Technology, Inc. Proxy on demand
US6430619B1 (en) 1999-05-06 2002-08-06 Cisco Technology, Inc. Virtual private data network session count limitation
US6529955B1 (en) 1999-05-06 2003-03-04 Cisco Technology, Inc. Proxy session count limitation
US6611868B1 (en) 1999-05-21 2003-08-26 3Com Corporation Method and system for automatic link hang up
US6654387B1 (en) 1999-05-21 2003-11-25 3Com Corporation Method for network address table maintenance in a data-over-cable system using a network device registration procedure
US6697862B1 (en) 1999-05-21 2004-02-24 3Com Corporation System and method for network address maintenance using dynamic host configuration protocol messages in a data-over-cable system
WO2000072574A2 (en) * 1999-05-21 2000-11-30 Quokka Sports, Inc. An architecture for controlling the flow and transformation of multimedia data
US6668283B1 (en) 1999-05-21 2003-12-23 Cisco Technology, Inc. ISDN B-channel count limitation
US6754622B1 (en) 1999-05-24 2004-06-22 3Com Corporation Method for network address table maintenance in a data-over-cable system using destination reachibility
US6985437B1 (en) 1999-05-25 2006-01-10 3Com Corporation Method for dynamic performance optimization in a data-over-cable system
US6785292B1 (en) 1999-05-28 2004-08-31 3Com Corporation Method for detecting radio frequency impairments in a data-over-cable system
US6591304B1 (en) 1999-06-21 2003-07-08 Cisco Technology, Inc. Dynamic, scaleable attribute filtering in a multi-protocol compatible network access environment
US6374292B1 (en) * 1999-07-20 2002-04-16 Sun Microsystems, Inc. Access control system for an ISP hosted shared email server
US6865594B1 (en) 1999-07-20 2005-03-08 Sun Microsystems, Inc. Methods and apparatus for automatically generating a routing table in a messaging server
US7058683B1 (en) 1999-07-20 2006-06-06 Sun Microsystems, Inc. Methods and apparatus for providing a virtual host in electronic messaging servers
US6553568B1 (en) 1999-09-29 2003-04-22 3Com Corporation Methods and systems for service level agreement enforcement on a data-over cable system
US6742126B1 (en) 1999-10-07 2004-05-25 Cisco Technology, Inc. Method and apparatus for identifying a data communications session
US7043553B2 (en) * 1999-10-07 2006-05-09 Cisco Technology, Inc. Method and apparatus for securing information access
US6467049B1 (en) 1999-10-15 2002-10-15 Cisco Technology, Inc. Method and apparatus for configuration in multi processing engine computer systems
WO2001030009A2 (en) * 1999-10-15 2001-04-26 Thomson Licensing S.A. Secure internet compatible bi-directional communication system and user interface
US6918044B1 (en) 1999-10-15 2005-07-12 Cisco Technology, Inc. Password protection for high reliability computer systems
US8190708B1 (en) 1999-10-22 2012-05-29 Nomadix, Inc. Gateway device having an XML interface and associated method
US6718467B1 (en) 1999-10-28 2004-04-06 Cisco Technology, Inc. Password based protocol for secure communications
US7308700B1 (en) * 1999-12-15 2007-12-11 Stmicroelectronics, Inc. Network station management system and method
US6798746B1 (en) 1999-12-18 2004-09-28 Cisco Technology, Inc. Method and apparatus for implementing a quality of service policy in a data communications network
DE19961399C2 (en) * 1999-12-20 2002-08-22 Mueschenborn Hans Joachim Protection of security-critical data in networks
US6674743B1 (en) 1999-12-30 2004-01-06 3Com Corporation Method and apparatus for providing policy-based services for internal applications
US6895434B1 (en) 2000-01-03 2005-05-17 Cisco Technology, Inc. Sharing of NAS information between PoPs
WO2001055912A1 (en) * 2000-01-28 2001-08-02 Ibeam Broadcasting Corporation Method and apparatus for client-side authentication and stream selection in a content distribution system
US6816944B2 (en) 2000-02-02 2004-11-09 Innopath Software Apparatus and methods for providing coordinated and personalized application and data management for resource-limited mobile devices
US6928467B2 (en) * 2000-02-02 2005-08-09 Inno Path Software, Inc. Apparatus and methods for providing data synchronization by facilitating data synchronization system design
US6643694B1 (en) 2000-02-09 2003-11-04 Michael A. Chernin System and method for integrating a proxy server, an e-mail server, and a DHCP server, with a graphic interface
US7089580B1 (en) 2000-03-29 2006-08-08 3Com Corporation Method for improved cable modem ranging in a data-over-cable system
US6804262B1 (en) 2000-04-28 2004-10-12 3Com Corporation Method and apparatus for channel determination through power measurements
US6769023B1 (en) 2000-05-31 2004-07-27 International Business Machines Corporation Facility for managing a service connection between a client process having a single threaded library and a server process
US6944881B1 (en) 2000-06-19 2005-09-13 3Com Corporation Method for using an initial maintenance opportunity for non-contention ranging
US7313608B1 (en) * 2000-06-21 2007-12-25 Nortel Networks Limited Method and apparatus for using documents written in a markup language to access and configure network elements
US6832239B1 (en) 2000-07-07 2004-12-14 International Business Machines Corporation Systems for managing network resources
US6816500B1 (en) 2000-07-10 2004-11-09 3Com Corporation Apparatus, method and system for multimedia access network channel management
US6771665B1 (en) 2000-08-31 2004-08-03 Cisco Technology, Inc. Matching of RADIUS request and response packets during high traffic volume
US7411981B1 (en) 2000-08-31 2008-08-12 Cisco Technology, Inc. Matching of radius request and response packets during high traffic volume
US7840691B1 (en) 2000-09-07 2010-11-23 Zamora Radio, Llc Personal broadcast server system for providing a customized broadcast
US6807576B1 (en) 2000-09-08 2004-10-19 International Business Machines Corporation Method and system for determining and graphically representing frame classification rule relationships
US7107326B1 (en) 2000-10-13 2006-09-12 3Com Corporation Method and system for integrating IP address reservations with policy provisioning
US7068597B1 (en) * 2000-11-27 2006-06-27 3Com Corporation System and method for automatic load balancing in a data-over-cable network
US7046680B1 (en) * 2000-11-28 2006-05-16 Mci, Inc. Network access system including a programmable access device having distributed service control
US8185615B1 (en) 2000-11-28 2012-05-22 Verizon Business Global Llc Message, control and reporting interface for a distributed network access system
US8180870B1 (en) * 2000-11-28 2012-05-15 Verizon Business Global Llc Programmable access device for a distributed network access system
US7657628B1 (en) 2000-11-28 2010-02-02 Verizon Business Global Llc External processor for a distributed network access system
US6948184B1 (en) 2000-11-30 2005-09-20 3Com Corporation System and method for calibrating power level during initial ranging of a network client device
US6940874B2 (en) 2000-11-30 2005-09-06 3Com Corporation Method for reducing interference from initializing network devices in a data-over-cable system
US7047563B1 (en) 2000-12-07 2006-05-16 Cisco Technology, Inc. Command authorization via RADIUS
US7389354B1 (en) 2000-12-11 2008-06-17 Cisco Technology, Inc. Preventing HTTP server attacks
US6985935B1 (en) 2000-12-20 2006-01-10 Cisco Technology, Inc. Method and system for providing network access to PPP clients
US20020107953A1 (en) * 2001-01-16 2002-08-08 Mark Ontiveros Method and device for monitoring data traffic and preventing unauthorized access to a network
US6988148B1 (en) 2001-01-19 2006-01-17 Cisco Technology, Inc. IP pool management utilizing an IP pool MIB
US6952428B1 (en) 2001-01-26 2005-10-04 3Com Corporation System and method for a specialized dynamic host configuration protocol proxy in a data-over-cable network
US7073055B1 (en) 2001-02-22 2006-07-04 3Com Corporation System and method for providing distributed and dynamic network services for remote access server users
US20020120484A1 (en) * 2001-02-23 2002-08-29 International Business Machines Corporation Method and system for providing intelligent rules-based engine with heuristics for determining optimal routing and processing of business events
US7222255B1 (en) 2001-02-28 2007-05-22 3Com Corporation System and method for network performance testing
US20020129276A1 (en) * 2001-03-08 2002-09-12 Watts Michael P.C. Dual network with distributed firewall for network security
US20040139204A1 (en) * 2001-04-23 2004-07-15 Siegried Ergezinger Architecture for providing services in the internet
US7962482B2 (en) 2001-05-16 2011-06-14 Pandora Media, Inc. Methods and systems for utilizing contextual feedback to generate and modify playlists
US6987735B2 (en) * 2001-05-24 2006-01-17 International Business Machines Corporation System and method for enhancing the availability of routing systems through equal cost multipath
US7197549B1 (en) 2001-06-04 2007-03-27 Cisco Technology, Inc. On-demand address pools
US7788345B1 (en) 2001-06-04 2010-08-31 Cisco Technology, Inc. Resource allocation and reclamation for on-demand address pools
US6947983B2 (en) * 2001-06-22 2005-09-20 International Business Machines Corporation Method and system for exploiting likelihood in filter rule enforcement
US7845004B2 (en) * 2001-07-27 2010-11-30 International Business Machines Corporation Correlating network information and intrusion information to find the entry point of an attack upon a protected computer
US7209962B2 (en) * 2001-07-30 2007-04-24 International Business Machines Corporation System and method for IP packet filtering based on non-IP packet traffic attributes
US7088678B1 (en) 2001-08-27 2006-08-08 3Com Corporation System and method for traffic shaping based on generalized congestion and flow control
US7146402B2 (en) * 2001-08-31 2006-12-05 Sendmail, Inc. E-mail system providing filtering methodology on a per-domain basis
EP1433066B1 (en) * 2001-09-14 2010-08-11 Nokia Inc. Device and method for packet forwarding
US7085306B1 (en) 2001-10-30 2006-08-01 3Com Corporation System and method for a multi-frequency upstream channel in a computer network
US7672249B2 (en) 2001-12-13 2010-03-02 Cisco Technology, Inc. Configurable network appliance
US7953087B1 (en) * 2001-12-28 2011-05-31 The Directv Group, Inc. Content filtering using static source routes
US7072337B1 (en) 2002-01-25 2006-07-04 3Com Corporation System and method for resolving network addresses for network devices on distributed network subnets
KR100527794B1 (en) * 2002-02-26 2005-11-09 (주)넷피아닷컴 system for interceptting an acces of a network and method thereof
US20030191845A1 (en) * 2002-04-03 2003-10-09 Hinds John Sherman Method, apparatus and system for establishing communications between communications devices
US7443865B1 (en) 2002-04-04 2008-10-28 Cisco Technology, Inc. Multiple network connections from a single PPP link with network address translation
US8959231B2 (en) * 2002-04-12 2015-02-17 Siemens Aktiengesellschaft Representation of Boolean expressions for specifying filters using XML
US7386632B1 (en) 2002-06-07 2008-06-10 Cisco Technology, Inc. Dynamic IP addressing and quality of service assurance
US20040003069A1 (en) * 2002-06-28 2004-01-01 Broadcom Corporation Selective early drop method and system
US6917946B2 (en) * 2002-08-12 2005-07-12 International Business Machines Corporation Method and system for partitioning filter rules for multi-search enforcement
WO2004034229A2 (en) * 2002-10-10 2004-04-22 Rocksteady Networks, Inc. System and method for providing access control
US7587512B2 (en) * 2002-10-16 2009-09-08 Eric White System and method for dynamic bandwidth provisioning
GB0226573D0 (en) * 2002-11-14 2002-12-18 Hewlett Packard Co Data delivery
US20040128545A1 (en) * 2002-12-31 2004-07-01 International Business Machines Corporation Host controlled dynamic firewall system
US6961413B2 (en) 2003-02-19 2005-11-01 Sarakas Stephen T Residential telephone system and method
US7490348B1 (en) 2003-03-17 2009-02-10 Harris Technology, Llc Wireless network having multiple communication allowances
US20040193906A1 (en) * 2003-03-24 2004-09-30 Shual Dar Network service security
US7624438B2 (en) * 2003-08-20 2009-11-24 Eric White System and method for providing a secure connection between networked computers
US7899918B1 (en) 2003-10-10 2011-03-01 Cisco Technology, Inc. Service accounting in a network
US7853705B2 (en) * 2003-11-06 2010-12-14 Cisco Technology, Inc. On demand session provisioning of IP flows
US7558864B2 (en) * 2004-01-27 2009-07-07 International Business Machines Corporation Method, system and product for identifying, reserving, and logically provisioning resources in provisioning data processing systems
US7610621B2 (en) 2004-03-10 2009-10-27 Eric White System and method for behavior-based firewall modeling
US7665130B2 (en) * 2004-03-10 2010-02-16 Eric White System and method for double-capture/double-redirect to a different location
US8543710B2 (en) 2004-03-10 2013-09-24 Rpx Corporation Method and system for controlling network access
AU2005258459B2 (en) * 2004-07-06 2008-09-18 Ntt Docomo, Inc. Message transfer system and message transfer method
US7792523B2 (en) 2004-07-06 2010-09-07 Ntt Docomo, Inc. Message transmission system and message transmission method
US7782878B2 (en) * 2004-08-16 2010-08-24 I2Telecom Ip Holdings, Inc. System and method for sharing an IP address
US20060041935A1 (en) * 2004-08-17 2006-02-23 Conley James W Methodology for configuring network firewall
US20060190990A1 (en) * 2005-02-23 2006-08-24 Shimon Gruper Method and system for controlling access to a service provided through a network
US7437435B2 (en) * 2005-10-31 2008-10-14 Inventec Corporation Automatically setting method and related system
CN101317369B (en) * 2005-11-29 2015-11-25 艾利森电话股份有限公司 Method and apparatus in connecting system
US20070245414A1 (en) * 2006-04-14 2007-10-18 Microsoft Corporation Proxy Authentication and Indirect Certificate Chaining
TW200746780A (en) * 2006-06-09 2007-12-16 Color City Entpr Co Ltd Automatic Internet access apparatus and method for Internet phone
CN101102266B (en) * 2006-07-03 2010-05-19 华为技术有限公司 Routing method and system based on packet network
US7929552B2 (en) 2006-10-26 2011-04-19 At&T Intellectual Property I, L.P. Automated IP pool management
US20080162284A1 (en) * 2006-12-27 2008-07-03 Clarus Marketing Group, Llc System and method for conducting electronic commerce and providing incentives therein
US20120117110A1 (en) 2010-09-29 2012-05-10 Eloy Technology, Llc Dynamic location-based media collection aggregation
US9344403B2 (en) * 2013-03-15 2016-05-17 Tempered Networks, Inc. Industrial network security
US9294503B2 (en) 2013-08-26 2016-03-22 A10 Networks, Inc. Health monitor based distributed denial of service attack mitigation
US9729580B2 (en) 2014-07-30 2017-08-08 Tempered Networks, Inc. Performing actions via devices that establish a secure, private network
US9756071B1 (en) 2014-09-16 2017-09-05 A10 Networks, Inc. DNS denial of service attack protection
US9537886B1 (en) 2014-10-23 2017-01-03 A10 Networks, Inc. Flagging security threats in web service requests
US9584318B1 (en) 2014-12-30 2017-02-28 A10 Networks, Inc. Perfect forward secrecy distributed denial of service attack defense
US9900343B1 (en) 2015-01-05 2018-02-20 A10 Networks, Inc. Distributed denial of service cellular signaling
US9848013B1 (en) 2015-02-05 2017-12-19 A10 Networks, Inc. Perfect forward secrecy distributed denial of service attack detection
US10063591B1 (en) 2015-02-14 2018-08-28 A10 Networks, Inc. Implementing and optimizing secure socket layer intercept
US9300635B1 (en) 2015-06-15 2016-03-29 Tempered Networks, Inc. Overlay network with position independent insertion and tap points
US10505984B2 (en) 2015-12-08 2019-12-10 A10 Networks, Inc. Exchange of control information between secure socket layer gateways
US10469594B2 (en) 2015-12-08 2019-11-05 A10 Networks, Inc. Implementation of secure socket layer intercept
US10116634B2 (en) 2016-06-28 2018-10-30 A10 Networks, Inc. Intercepting secure session upon receipt of untrusted certificate
US9729581B1 (en) 2016-07-01 2017-08-08 Tempered Networks, Inc. Horizontal switch scalability via load balancing
US10158666B2 (en) 2016-07-26 2018-12-18 A10 Networks, Inc. Mitigating TCP SYN DDoS attacks using TCP reset
US10981051B2 (en) 2017-12-19 2021-04-20 Activision Publishing, Inc. Synchronized, fully programmable game controllers
US10069726B1 (en) 2018-03-16 2018-09-04 Tempered Networks, Inc. Overlay network identity-based relay
US10116539B1 (en) 2018-05-23 2018-10-30 Tempered Networks, Inc. Multi-link network gateway with monitoring and dynamic failover
US10158545B1 (en) 2018-05-31 2018-12-18 Tempered Networks, Inc. Monitoring overlay networks
US10911418B1 (en) 2020-06-26 2021-02-02 Tempered Networks, Inc. Port level policy isolation in overlay networks
US11329956B2 (en) 2020-07-28 2022-05-10 Bank Of America Corporation Scalable encryption framework using virtualization and adaptive sampling
US11070594B1 (en) 2020-10-16 2021-07-20 Tempered Networks, Inc. Applying overlay network policy based on users
US10999154B1 (en) 2020-10-23 2021-05-04 Tempered Networks, Inc. Relay node management for overlay networks

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0442838A2 (en) * 1990-02-15 1991-08-21 International Business Machines Corporation Method for providing user access control within a distributed data processing system by the exchange of access control profiles
EP0658837A2 (en) * 1993-12-15 1995-06-21 Checkpoint Software Technologies, Ltd. Method for controlling computer network security

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1994001828A1 (en) * 1992-07-02 1994-01-20 Wellfleet Communications Data packet processing method and apparatus
US5446736A (en) * 1993-10-07 1995-08-29 Ast Research, Inc. Method and apparatus for connecting a node to a wireless network using a standard protocol
US5530703A (en) * 1994-09-23 1996-06-25 3Com Corporation Remote communication server with automatic filtering
US5541911A (en) * 1994-10-12 1996-07-30 3Com Corporation Remote smart filtering communication management system
JPH08116334A (en) * 1994-10-14 1996-05-07 Fujitsu Ltd Method and device for monitoring/fault analysis in network constituted of plural lans
CA2137587C (en) * 1994-12-08 1999-03-23 Murray Charles Baker Broadcast/multicast filtering by the bridge-based access point
US5648965A (en) * 1995-07-07 1997-07-15 Sun Microsystems, Inc. Method and apparatus for dynamic distributed packet tracing and analysis

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0442838A2 (en) * 1990-02-15 1991-08-21 International Business Machines Corporation Method for providing user access control within a distributed data processing system by the exchange of access control profiles
EP0658837A2 (en) * 1993-12-15 1995-06-21 Checkpoint Software Technologies, Ltd. Method for controlling computer network security

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001022642A2 (en) * 1999-09-24 2001-03-29 Comverse Network Systems Ltd. System and method for presorting rules for filtering packets on a network
WO2001022642A3 (en) * 1999-09-24 2002-05-30 Comverse Network Systems Ltd System and method for presorting rules for filtering packets on a network
WO2001065343A1 (en) * 2000-03-02 2001-09-07 Check Point Software Technologies Ltd. System, device and method for rapid packet filtering and processing
US7409458B2 (en) 2004-03-12 2008-08-05 Fujitsu Limited Network system with shared filtering information
WO2009008003A2 (en) * 2007-07-10 2009-01-15 Bhavin Turakhia Method and system for restricting access of one or more users to a service
WO2009008003A3 (en) * 2007-07-10 2010-07-22 Bhavin Turakhia Method and system for restricting access of one or more users to a service

Also Published As

Publication number Publication date
US5835727A (en) 1998-11-10
DE69735311D1 (en) 2006-04-27
JP2001510603A (en) 2001-07-31
EP0943199A1 (en) 1999-09-22
EP0943199B1 (en) 2006-02-22

Similar Documents

Publication Publication Date Title
EP0943199B1 (en) Method and apparatus for access control in a distributed multiserver network environment
US5848233A (en) Method and apparatus for dynamic packet filter assignment
US6070242A (en) Method to activate unregistered systems in a distributed multiserver network environment
EP0854621B1 (en) System and method for providing peer level access control on a network
US7016956B2 (en) Directory-enabled intelligent broadband service switch
US6233618B1 (en) Access control of networked data
US8484695B2 (en) System and method for providing access control
CA2330857C (en) User specific automatic data redirection system
US7869361B2 (en) Managing hierarchically organized subscriber profiles
US7650420B2 (en) System and method for content filtering
US7149219B2 (en) System and method for content filtering using static source routes
US6219786B1 (en) Method and system for monitoring and controlling network access
EP1317111B1 (en) A personalized firewall
US20020042883A1 (en) Method and system for controlling access by clients to servers over an internet protocol network
EP1571806A2 (en) Network management method and network managing server
Cisco M through R Commands
WO2002030082A2 (en) A method and system for controlling access by clients to servers over an internet protocol network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): JP

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 1997951533

Country of ref document: EP

ENP Entry into the national phase

Ref country code: JP

Ref document number: 1998 526794

Kind code of ref document: A

Format of ref document f/p: F

WWP Wipo information: published in national office

Ref document number: 1997951533

Country of ref document: EP

WWG Wipo information: grant in national office

Ref document number: 1997951533

Country of ref document: EP