WO2005079459A2 - Ip for switch based acl's - Google Patents
- Publication number
- WO2005079459A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- access
- entity
- network
- internal network
- items
Classifications
- H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
- H04K1/00—Secret communication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
- H04W12/069—Authentication using certificates or pre-shared keys
- H04W12/088—Access security using filters or firewalls
Definitions
- the present invention relates generally to securing internal networks from internal threats, and more particularly to securing internal networks from internal threats via providing a multi-layered security system that facilitates restricting access to particular entities to a portion of an internal network.
- a disgruntled employee can have access to an entire network (e.g., including portions of a network completely unrelated to the employee's employment). More particularly, an engineer within a business can have access to a portion of an internal network that includes payroll data, even though the engineer's employment is not related to maintaining/providing payroll information.
- when an internal network utilizes dynamically allocated IP addresses, any individual with a laptop or other computing device can connect to a network port and have complete network access. Portions of an internal network can be provided with password protection, thereby allowing only those who know the password to have access to that portion of the internal network. Passwords, however, are easily compromised.
- the present invention facilitates securing an internal network from internal attacks without costs and drawbacks associated with applying multiple firewalls to an internal network.
- the present invention utilizes a multi-layered security concept to limit access to resources within an internal network.
- the present invention provides a system and/or methodology for determining whether an entity is authorized to access an internal network, where an entity can be a user, a client, a program, or the like.
- various authentication standards and/or protocols can be employed to determine whether an entity is authorized to access the internal network.
- the 802.1x standard of authentication can be utilized to determine whether an entity is authorized to access the network. It is to be understood, however, that any suitable mechanism for determining whether an entity is authorized to access an internal network can be utilized in connection with the present invention. If an entity is determined to be authorized to access the internal network, resources within the network can be restricted according to an identity of the entity.
- an entity can be associated with a particular role in a company (e.g., payroll). After it has been determined that the entity is authorized to access the network, the entity can be restricted to accessing resources on the network related to payroll. Such restriction can in effect generate a virtual network, wherein such virtual network is a network comprising only resources that are pertinent to the entity. This mitigates problems that can arise when a malicious user exists within an internal network, as the malicious user will not have access to sensitive information that can compromise the network. Furthermore, scanning worms will not have an ability to corrupt an entire network, as security of the present invention limits resources that a scanning worm could reach.
- switch-based access controls can be employed to restrict an entity's access to a portion of an internal network that is pertinent to the entity. More particularly, one or more entity-specific Access Control Lists (ACLs) can be loaded into a switch that is related to the entity. ACLs can include a list of services available on a network and/or server, and can further include hosts (entities) that are permitted to use each service. After the ACL is loaded into the switch related to the entity, a port that allows the entity to obtain access to a particular portion of the network germane to entity tasks is opened.
- entity-specific ACLs can be generated and utilized in connection with a switch to create virtual networks (e.g., a portion of a network that is accessible to a particular entity).
- Benefits of the present invention can be better understood when compared to conventional security measures for internal networks. For example, firewalls can restrict access of an entity to a particular portion of a network. Installing multiple firewalls for disparate users/groups, however, can be extremely expensive. Further, firewalls do not address concerns about unauthorized users entering an internal network prior to reaching the firewall.
- the present invention can employ switches that connect directly to clients; therefore, client-to-client interaction can be prevented. In contrast, firewalls cannot prevent client-to-client interaction before such firewall. Therefore, illegal sharing of copyrighted works, for instance, can occur when utilizing firewalls.
- FIG. 1 is a block diagram of a system that facilitates securing an internal network from internal attacks in accordance with an aspect of the present invention.
- FIG. 2 is another block diagram of a system that facilitates securing an internal network from internal attacks in accordance with an aspect of the present invention.
- FIG. 3 is yet another block diagram of a system that facilitates securing an internal network from internal attacks in accordance with an aspect of the present invention.
- FIG. 4 is still yet another block diagram of a system that facilitates securing an internal network from internal attacks in accordance with an aspect of the present invention.
- FIG. 5 is another block diagram of a system that facilitates securing an internal network from internal attacks in accordance with an aspect of the present invention.
- FIG. 6 is a flow diagram of a method for providing multi-layer security for an internal network in accordance with an aspect of the present invention.
- FIG. 7 is a flow diagram of a method for providing multi-layer security for an internal network in accordance with an aspect of the present invention.
- FIG. 8 is a flow diagram of a method for providing multi-layer security for an internal network in accordance with an aspect of the present invention.
- FIG. 9 is an exemplary embodiment illustrating benefits related to one or more aspects of the present invention.
- FIG. 10 is a system and methodology that illustrates one particular embodiment of providing multi-layered security against internal attacks in an internal network.
- FIG. 11 is a system that facilitates authentication with respect to a user obtaining access to an internal network in accordance with an aspect of the present invention.
- FIG. 12 illustrates an example operating environment in which the present invention can function.
- FIG. 13 illustrates another example operating environment in which the present invention can function.
- the terms "component," "system" and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution.
- a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer.
- by way of illustration, both an application running on a server and the server itself can be a component.
- One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. Also, these components can execute from various computer readable media having various data structures stored thereon.
- the components may communicate via local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the Internet with other systems via the signal).
- referring to Fig. 1, a system 100 that facilitates robust protection of an internal network from internal attacks is illustrated.
- the system 100 includes a collection 102 of network items 104-110 that are related to particular tasks, departments, roles, individuals, and/or other similar groups within an organization (e.g., a business, a non-profit organization, ...).
- item A 104 can be related to payroll
- item B 106 can be related to an engineering project
- item C 108 can be related to human resources
- item D 110 can be related to a particular business strategy.
- the items 104-110 can be related to any suitable grouping within an organization.
- the items 104-110 can be any suitable items within a network (e.g., a server, an Internet proxy, ...). Entities A and B 112-114 are entities that desire internal access to the collection 102 of items via an internal network.
- the entities 112-114 can be employees, programs, or other internal entities that desire access to the collection 102 of network items. While only entities A and B 112-114 are illustrated, it is to be understood that any suitable number of entities can desire access to the collection 102 of network items via the internal network. As illustrated in this Figure, the entities 112-114 desire access to one or more items 104-110 within the collection 102.
- a multi-layered security component 116 is provided to ensure that the entities 112-114 are authorized to be on the network as well as provide the entities 112-114 with access only to an item corresponding to such entities 112-114.
- the multi-layered security component 116 can utilize 802.1x, a published standard for port-based network access control.
- 802.1x provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. While 802.1x has become the standard for regulating access in wireless environments, 802.1x can also be employed in wired environments. For example, 802.1x can employ the Extensible Authentication Protocol (EAP) to provide authentication of one or more of the entities 112-114 that desire to access the collection 102 via an internal network.
- EAP is a general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards.
- 802.1x can utilize authentication algorithms such as Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), and other similar protocols employed in connection with authenticating that the entities 112-114 are authorized to access the items 104-110 within the collection 102 via the network.
- PEAP could be employed when authentication data (e.g., user names, passwords, ...) is utilized within a wireless internal network.
- PEAP authenticates wireless LAN clients using only server-side digital certificates via creating an encrypted SSL/TLS tunnel between the entities 112-114 and an authentication server (not shown).
- the tunnel thereafter protects the user authentication exchange.
- any suitable protocols for carrying out the various functionalities of the claimed invention can be employed, and employment of such protocols is intended to fall within the scope of the claims of this application.
- entity A 112 is entitled to access item A 104
- entity B 114 is entitled to access item B 106.
- the multi-layered security component 116 provides entity A 112 with access to item A 104, but to no other items within the collection 102.
- item B, item C, item D, and other items within the data store 102 are secure against attacks from entity A.
- the multi-layered security component 116 can provide entity B 114 with access to item B 106 and only data set B.
- access-based switch controls can be employed to restrict access of the entities 112-114 to the items A and B 104-106, respectively.
- the multi-layered security component 116 can employ custom switch level access controls for each entity 112-114. For instance, after the multi-layered security component 116 authorizes the entity 112, an Access Control List (ACL) specific to the entity 112 can be loaded into a switch that provides access to item A 104 (and not other items within the collection 102).
- An ACL is a set of data that informs a computer's operating system of which permissions or access rights that the entity 112 has to an internal network. Employing an entity-specific ACL in connection with a switch ensures that the entities 112-114 will only be granted access to items within the collection 102 of network items with which they have been granted permission.
- the ACLs can be defined in numerous manners. For example, ACLs can be defined by roles (e.g., engineers, maintenance, ...), function, groups, individually, etc. More particularly, if the ACLs were defined by role, access to data sets would only be allowed to entities that require such data sets to perform their role.
- the system 100 would provide a plurality of benefits over conventional security systems for internal networks.
- the system 100 minimizes spreading of worms (e.g., NIMDA, scanning worms, ...). This is because flow of data is highly restricted within the internal network. Thus, a worm can be isolated to a particular item within the internal network and be unable to reach other items. Furthermore, the present invention can be employed to mitigate illegal file trading (e.g., copying and dissemination of copyrighted works).
- the system 100 can prevent unauthorized server services from being accessed on a client, as well as protect clients from port scanning other clients.
- scanning or traffic issues can be located early and an appropriate technician can be notified.
- referring to Fig. 2, a system 200 that facilitates securing an internal network from internal attacks is illustrated.
- the system 200 includes a collection 202 of network items that are utilized in connection with an internal network.
- entity A 204 desires access to the collection 202 via the internal network, and more particularly desires to maliciously attack items B, C, and D 206-210 that are within the collection 202.
- the entity A 204 only has privileges to access item A 212.
- the entity A 204 can be associated with a particular role within an organization, and item A 212 is the only item that the entity A 204 requires to perform the role.
- a multi-layered security component 213 is employed to maintain security of an internal network (and thus of the collection 202 of network items that at least partially make up the network).
- the multi-layered security component includes a network authorizer 214 that determines that the entity A 204 is allowed to access the collection 202.
- the network authorizer 214 can utilize any suitable conventional standard that verifies that an entity is authorized to access a network.
- the network authorizer 214 can employ the 802.1x standard to authenticate that the entity A 204 is authorized to access the collection 202 via an internal network.
- the entity A 204 will be unable to transmit any traffic via the network until such entity A 204 has been authenticated.
- implementing the present invention utilizing the 802.1x standard will be efficient and low-cost, as virtually all operating systems provide support for 802.1x, and the authentication process is transparent to an end user.
- the system 200 further comprises a switch 216 that is employed to enable access of particular items to the entity A 204.
- item A 212 is a server
- the switch 216 can be employed to enable entity A 204 to obtain access to that server and no other servers on the internal network. This can be accomplished via providing the switch 216 with switch access controls 218 that are generated based upon an
- the switch 216 and the switch access controls 218 ensure that the entity A 204 will be granted access only to servers that it has permission to access. After determining a level of access that the entity A 204 has to the collection 202 of network items, the entity A 204 can access one or more items that it has permission to access via the switch 216.
- referring to Fig. 3, a system 300 that facilitates securing an internal network from internal attacks is illustrated.
- the system 300 includes a collection 302 of network items (e.g., servers, Internet proxies, ...) that are employed within an internal network. More particularly, the collection 302 of network items includes item A 304, item B 306, item C 308, and item D 310.
- the collection 302 is shown to include four network items, it is to be understood that the collection 302 can include any suitable number of network items.
- the network items 304-310 can be associated with particular roles.
- item A 304 can be associated with payroll
- item B can be associated with accounting, etc.
- the system 300 includes an entity 312 that has been assigned a set of permissions pertaining to which items within the collection 302 the entity 312 can access.
- the entity 312 can be a user.
- the entity 312 can be a program that desires access to one or more network items 304-310.
- the entity 312 desires access to the collection 302 of network items via an internal network.
- the entity 312 can attempt to request access to one or more particular items within the collection 302 of network items via the network.
- a multi-layered security component 314 receives the request to access the internal network (and to access one or more items 304-310).
- the multi-layered security component 314 ensures that the entity 312 is authorized to be on the internal network, and if so determines which items 304-310 the entity 312 has permission to access.
- the multi-layered security component 314 includes a network authorizer 316 that determines whether the entity 312 is allowed to be on the internal network.
- the network authorizer 316 utilizes the 802.1x standard to make such determination.
- the authentication server 320 can be a Remote Access Dial-in User Services (RADIUS) server.
- RADIUS systems can employ a plurality of authentication schemes, such as Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP).
- the authentication server 320 can be a Terminal Access Controller Access Control System (TACACS) server, an Extended TACACS server, a TACACS+ server, and/or any other suitable authentication server.
- the entity (client) 312, the authenticator 318, and the authentication server 320 interact in the following manner: first, the entity 312 attempts to enter an internal network.
- the authenticator 318 requests that the entity 312 provide identification.
- the entity 312 thereafter provides its identification to the authenticator 318, which passes the ID onto the authentication server 320. If the identification is valid, the authentication server 320 then informs the authenticator 318 that a password is desired, and the authenticator 318 passes this to the entity 312.
- the entity 312 responds with a password that corresponds to the identification, which is delivered to the authentication server 320.
- the authentication server 320 thereafter informs the authenticator 318 whether the user password was correct.
- if the password is incorrect, the entity 312 will be denied access to the internal network (and thus to the collection 302 of network items). If the password is correct, a switch 322 is provided to allow the entity 312 to obtain access to an item that corresponds with permissions assigned to the entity 312. The switch 322 utilizes switch access controls 324 to determine which item(s) are accessible by the entity 312. In one example, the entity
- the system 400 includes a collection 402 of internal network items 404-410 that can be accessed by an entity 412 via an internal network.
- the collection 402 can be accessed by a plurality of other entities (not shown) that are connected to the internal network. More particularly, in a business setting each client can have access to the internal network.
- a multi-layered security component 414 is provided to ensure that the entity 412 is authorized to access the collection 402, and to further limit the entity's access to the collection.
- the entity 412 can be within a particular department of an organization, wherein members of that department only utilize item A 404 (or data thereon) to complete tasks assigned to that department.
- the multi-layered security component 414 can effectively limit the entity's access to only item A 404 (and not item B 406, item C 408, ...).
- the multi-layered security component 414 accomplishes this task by employing a network authorizer 416 to determine whether the entity 412 is approved to be on the internal network.
- the network authorizer 416 can utilize an authentication server or the like in connection with user names and passwords to determine whether the entity 412 should have access to the internal network (and thus have access to one or more of the items 404-410).
- the multi-layered security component 414 also utilizes a switch 418 to filter and forward data packets between the entity 412 and the collection 402. More particularly, the switch 418 is configured to allow the entity 412 to access only item(s) within the collection 402 that the entity 412 has permission to access. The switch 418 can prevent data packets generated by the entity 412 from reaching an item (e.g., items 406-410) that the entity 412 does not have permission to access. Likewise, the switch 418 can prevent the entity 412 from receiving data from items that the entity 412 does not have permission to access. Permissions relating to the entity 412 are generated based at least in part upon switch access controls 420 that employ an access control list 422 specific to the entity 412.
- the access control list 422 is essentially a list of items and computing services available within the collection 402 that the entity 412 has been granted permission to access. Based upon this access control list 422 the switch access controls 420 can be generated, which control the operation of the switch 418.
- the access control list 422 can be configured at the switch level without being vendor specific, thereby creating a robust and efficient security device.
- the access control list 422 can be interoperable with existing account databases (Active Directory, LDAP, ...).
- the access control list 422 can account for point-of-access when determining which permissions to assign to the entity 412.
- the access control list 422 will include different criteria as a user's geographic location changes (and thus the switch access controls 420 will be different when the user's geographic location changes). Therefore the system 400 provides location aware authentication and an ability to pinpoint a physical location where access is occurring.
- the system 500 includes a collection 502 of internal network items 504-510 that are within and/or at least partially create an internal network for an organization.
- An entity 512 desires access to at least one of the items 504-510 within the collection 502.
- the entity can be a user operating on a client, a program that automatically requests access to the collection 502, etc.
- a multi-layered security component 514 is employed by the system 500 to ensure that the internal network is secure in light of requests to access such network (e.g., requests for items within the collection 502).
- the multi-layered security component 514 includes a network authorizer 516 that ensures that the entity 512 should be on the internal network. For instance, a salesman that is selling within an organization should not be allowed access to the network in general, and the network authorizer 516 would prevent such salesman from obtaining access.
- the 802.1x standard can be employed to ensure that unauthorized users are denied access to the internal network (and thus denied access to the items 504-510).
- the network authorizer 516 informs a switch 518, and the switch 518 grants the entity access to the collection 502 based upon permissions. For instance, permissions can be assigned based upon a role, a function, a group, or other suitable organizational indicia. More particularly, the entity can be associated with a payroll function in a business, and item A 504 is the sole item within the collection 502 that is related to payroll.
- the switch 518 then is employed to filter communications between the entity 512 and the collection 502 to effectuate communication only between the entity 512 and item A 504.
- the switch 518 is associated with switch access controls 520 that control operation of the switch 518 given a particular entity and collection of internal network items.
- the system 500 further includes a data privilege assignor 522 that determines the rights the entity 512 can exercise with respect to the item(s) within the collection 502 to which the switch 518 grants the entity 512 access.
- the switch 518 can operate to provide the entity 512 with access only to item A 504.
- the data privilege assignor 522 determines rights the entity 512 can employ with respect to data transferred to and/or from item A 504.
- item A 504 can be a server with a data store.
- the switch 518 can grant the entity 512 access to such server, and the data privilege assignor 522 can assign rights to the item with respect to read operations, write operations, etc., and various other privileges of the entity 512.
- it may be desirable to allow the entity 512 to access item A 504, but with read-only privileges.
- a salesman not employed by an organization might desire to obtain inventory information, but it would not be safe to allow the salesman to alter the inventory information (e.g., the salesman could alter numbers to make it appear that more equipment is required).
- the data privilege assignor 522 can be employed to assign privileges with respect to data relating to items in the collection 502. For example, read only, read/write, write only and other similar privileges can be assigned via the data privilege assignor 522.
- the data privilege assignor 522 can operate in connection with sensor(s) 524 and a utility component 526 to assign privileges to the entity 512.
- it may be desirable to assign disparate data privileges to the entity 512 at different times or when the entity 512 is in disparate geographic locations.
- sensor(s) 524 (e.g., GPS, a location identifier on a client, ...) can determine the geographic location, and the data privilege assignor 522 can employ such information to determine privileges to assign to the entity 512 with respect to particular items.
- the utility component 526 can be employed to complete a cost-benefit analysis in connection with assigning appropriate data privileges to the entity 512 with respect to particular items that the entity 512 has access to as determined by the switch 518.
- the utility component 526 can weigh costs of assigning incorrect user privileges (e.g., privileges that are too limiting) against benefits of assigning correct privileges given a probability of correctness, user state and context, historical data, etc. Furthermore, the utility component 526 can operate in connection with the switch 518 to infer which items the entity 512 should have access to given a user state and context.
- the term "inference” refers generally to the process of reasoning about or inferring states of the system, environment, and/or user from a set of observations as captured via events and/or data. Inference can be employed to identify a specific context or action, or can generate a probability distribution over states, for example.
- the inference can be probabilistic - that is, the computation of a probability distribution over states of interest based on a consideration of data and events. Inference can also refer to techniques employed for composing higher-level events from a set of events and/or data. Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity, and whether the events and data come from one or several event and data sources.
- Various classification schemes and/or systems (e.g., support vector machines, neural networks, expert systems, Bayesian belief networks, fuzzy logic, data fusion engines, ...)
- the utility component 526 can make inferences regarding whether to allow the entity 512 access to one or more items within the collection 502.
- a president of an organization typically will have complete access to all items on an internal network (e.g., all items 504-510 within the collection 502).
- bandwidth can be utilized more efficiently when access is granted only to items that a user requires to complete a task.
- the utility component 526 can watch users and learn over time their tendencies in connection with accessing items within the collection 502.
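As an added illustration of the cost-benefit weighing described for the utility component 526 (example code written for this page, not code from the patent): the assignor keeps a Beta-Bernoulli estimate of how often the entity has needed an item, learned from watched sessions, and picks the privilege level with the highest expected utility. The utility table, the off-site exposure multiplier that stands in for the sensor 524 input, and the sample histories are all constructed assumptions.

```python
"""Expected-utility privilege assignment from watched access history (example, not patent code)."""
from dataclasses import dataclass

# Utility of each privilege level, split by whether the entity actually needs the item.
# Constructed values: a too-limiting grant costs blocked work (left column); an over-broad
# grant costs exposure of data the entity had no reason to touch (right column).
UTILITY = {
    #  level          needs item   does not need item
    "none":       (-8.0,         0.0),
    "read":       ( 4.0,        -2.0),
    "read-write": ( 6.0,        -6.0),
}


@dataclass
class AccessHistory:
    """Beta-Bernoulli model of 'entity needed this item', updated from observed sessions."""
    needed: float = 1.0       # prior pseudo-count of sessions where the item was needed
    not_needed: float = 1.0   # prior pseudo-count of sessions where it was not

    def observe(self, needed: bool) -> None:
        if needed:
            self.needed += 1
        else:
            self.not_needed += 1

    def p_needed(self) -> float:
        """Posterior mean probability that the entity needs the item."""
        return self.needed / (self.needed + self.not_needed)


def expected_utility(level: str, p_needed: float, exposure_multiplier: float) -> float:
    """p * utility-if-needed + (1 - p) * utility-if-not, exposure scaled by context."""
    u_needed, u_not_needed = UTILITY[level]
    return p_needed * u_needed + (1.0 - p_needed) * u_not_needed * exposure_multiplier


def assign_privilege(history: AccessHistory, exposure_multiplier: float = 1.0) -> str:
    """Pick the privilege level with the highest expected utility.

    exposure_multiplier > 1 models sensor context (e.g. GPS places the client off-site),
    where leaking data the entity did not need is costlier; the scale is an assumption.
    """
    p = history.p_needed()
    scores = {level: expected_utility(level, p, exposure_multiplier) for level in UTILITY}
    # max() returns the first maximal key, so ties resolve toward the least privilege
    # because UTILITY is ordered none < read < read-write.
    return max(UTILITY, key=lambda level: scores[level])


def history_from_sessions(sessions) -> AccessHistory:
    """Build a history from a constructed list of booleans (True = item was needed)."""
    history = AccessHistory()
    for needed in sessions:
        history.observe(needed)
    return history


if __name__ == "__main__":
    regular = history_from_sessions([True] * 8 + [False] * 2)   # a clerk and their own server
    stranger = history_from_sessions([True] * 1 + [False] * 9)  # the same clerk, another team's server
    for name, hist in (("regular", regular), ("stranger", stranger)):
        for context, mult in (("on-site", 1.0), ("off-site", 3.0)):
            print(name, context, round(hist.p_needed(), 3), assign_privilege(hist, mult))
```

The asymmetry in the table is the point: with a well-established need (p = 0.75) the on-site decision is read-write, but the same history seen from an off-site location drops to read-only, and an item the entity almost never touched gets nothing off-site. The numbers are illustrative; what a deployment must get right is that the cost of over-granting is never set to zero.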
- a methodology 600 for securing an internal network against internal attacks is illustrated. While, for purposes of simplicity of explanation, the methodology 600 is shown and described as a series of acts, it is to be understood and appreciated that the present invention is not limited by the order of acts, as some acts may, in accordance with the present invention, occur in different orders and/or concurrently with other acts from that shown and described herein. For example, those skilled in the art will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events, such as in a state diagram.
- an access control list for a particular entity is generated.
- the entity can be a user or group of users (e.g., users who work in a particular department of an organization). Thus, for example, employees in payroll would have substantially similar access control lists.
- access control lists can be generated per individual, wherein each individual is given access to items within a network that are utilized in connection with their employment. Access control lists are employed in connection with network switches, and are utilized to maintain security of an internal network against internal attacks.
- a request for data and/or items on the network is received, from the entity.
- information can be requested from a particular server within an internal network (e.g., a server dedicated to a particular department in the organization).
- the request could simply be a user turning on a computer device, wherein the device automatically attempts to connect to the network.
- a particular computer program could request access to the network to complete a predefined task that requires particular data that resides within the network.
- a determination is made regarding whether the entity is authorized to access the network. Any suitable authorization mechanism can be employed to determine whether the entity is authorized to access the network.
- the standard 802.1X is utilized to enforce authorized use of the internal network.
- an authentication server can be provided together with an authenticator to facilitate the determination of whether the entity is authorized to access the network.
- the methodology ends at 608. If access is allowed, at 610 the port is activated based upon the access control list for the entity. For example, a switch that the access control list is associated with can limit the entity's access to items and/or data on the network that the entity utilizes in connection with a job function. Thus, a user in a first department in an organization (e.g., business) will not be granted access to data that is not related to the first department but rather is related to a second department within the organization.
- the methodology 600 thus effectively mitigates occurrences of malicious internal attacks on a network. For example, if an internal attack affected a particular item on the network, the attacker could be located by reviewing those who had privileges to access the item, rather than by interrogating everyone on the network.
- In Fig. 7, a methodology 700 for securing a network against internal attacks is illustrated. The methodology 700 is described with respect to the
- identification information is requested from a client that desires to obtain access to a network.
- a switch or access point (e.g., an authenticator) delivers the identification request to the client (e.g., a particular computer that a specific user is utilizing to access the network).
- the client provides the identification requested by the authenticator. Such identification information can then be relayed to an authentication server for analysis.
- authentication protocols such as PEAP, LEAP, PAP and other suitable protocols can be employed in connection with communication of identification information and passwords.
- the authentication server can be a RADIUS server, a TACACS server, an XTACACS server, a TACACS+ server, or other suitable server.
- a determination is made regarding whether the identification is correct. For example, the determination can be made at an authentication server. If the given identification is not correct, access is denied to the client at 708, and the only traffic that can be relayed and/or received by the client is 802.1X (EAPOL) data.
- a password is requested from the client.
- the password request can originate from the authentication server after it has authenticated the identification given by the client.
- the authenticator can then receive the password request and relay it to the client.
- the client provides the requested password, which is delivered to the authenticator and relayed to the authentication server.
- a determination is made regarding whether the password given by the client is correct. If the password is not recognized and/or is not correct, access to the network is denied to the client at 708. If the password is correct, an access control list is loaded into a switch at 716.
- the access control list is utilized as a permission system that can grant particular access levels to disparate sources.
- the switch in connection with the access control list can be employed to grant the client access to a portion of the network that is relevant to a function, role, group, etc. that the user utilizing the client is involved with.
- the access control list is loaded into the switch, at 718 the port between the client and a server containing desirable information is activated.
- the client can obtain information relevant to the user, but cannot obtain and/or compromise information/data/items that are not related to the user.
- In Fig. 8, a methodology that facilitates mitigating occurrences of internal attacks on a network is illustrated.
- an access control list is assigned to a particular entity.
- the access control list is employed to control a switch, wherein the access control list is a permission system utilized to grant an entity a level of access to resources on the network.
- different access control lists can have disparate levels of permission. For example, an access control list related to a president of an organization would be associated with more permissions than an access control list related to an office assistant.
- an internal request for network data by an entity (e.g., client, user, program, ...) is received.
- a determination is made regarding whether the entity is allowed access to the network.
- an authentication server and a switch and/or point of access are utilized in connection with determining whether the entity is authorized access to the network.
- various protocols can be employed in connection with transferring authentication data between the entity and the authentication server/switch/point of access. If it is determined that access is not allowed, then access is denied at 808. If the entity is authorized to access the network, at 810 privileges are assigned to data resident on the network according to the entity that has access to the network. For example, a particular entity may be assigned read-only privileges to particular data on the network even though the entity is allowed access to such network. Similarly, read/write, write-only, and other suitable privileges can be assigned to data resident upon the network with respect to a particular entity that is accessing such data.
- contextual information (user state, user context, time, point of entry, ...) can be utilized to determine a level of privileges to assign to data on the network.
- a port between the entity and desired item is activated based upon the access control list for the entity as well as the assigned privileges. For example, a switch that the access control list is associated with can limit the entity's access to items and/or data on the network that the entity utilizes in connection with a job function.
- the privileges can determine whether and/or how data related to the item can be modified. The methodology 800 thus effectively mitigates occurrences of malicious internal attacks on a network, and further addresses concerns regarding modification of data related to accessed items. Now turning to Fig.
- the embodiment illustrates a network infrastructure 902, wherein the infrastructure comprises a payroll application server 904, a database server 906, an accounting application server 908, an accounting web server 910, a payroll web server 912, and an Internet proxy 914.
- the embodiment 900 further illustrates two disparate users: a payroll person 916 and an accounting person 918.
- In conventional internal network security systems, once a user (e.g., the payroll person 916) gained access to the network infrastructure, such user would have access to all of the items 904-914 within the infrastructure. This is problematic, as the accounting person 918 does not need to obtain access to the payroll web server 912.
- the payroll person 916 has access to a virtual network that only includes items that are related to their role within an organization. More particularly, the payroll web server
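The virtual network of Fig. 9 together with the privilege overlay of methodology 800, as an added example (written for this page, not the patent's own code): each role gets a router-style ACL on its access port, the switch evaluates a flow first-match with the implicit deny that every such ACL ends in, and a context rule decides whether a permitted item is reached read-write or read-only. The server addresses, the ACL lines and the business-hours rule are constructed assumptions.

```python
"""Per-role port ACLs, first-match evaluation and contextual data privileges (example, not patent code)."""
import ipaddress

# Constructed addressing for the servers of network infrastructure 902 (Fig. 9).
SERVERS = {
    "payroll application server 904": "10.0.1.4",
    "database server 906": "10.0.1.6",
    "accounting application server 908": "10.0.1.8",
    "accounting web server 910": "10.0.1.10",
    "payroll web server 912": "10.0.1.12",
    "Internet proxy 914": "10.0.1.14",
}

# ACL loaded into the switch for each role's access port, router-style:
#   <permit|deny> <ip|tcp|udp> <src> <dst> [eq <dst-port>]   src/dst: any | host A.B.C.D | A.B.C.D/len
ROLE_ACLS = {
    "payroll": [
        "permit tcp any host 10.0.1.12 eq 443",   # payroll web server 912
        "permit tcp any host 10.0.1.4 eq 8443",   # payroll application server 904
        "permit tcp any host 10.0.1.6 eq 1433",   # shared database server 906
        "permit tcp any host 10.0.1.14 eq 3128",  # Internet proxy 914
    ],
    "accounting": [
        "deny ip any host 10.0.1.12",             # payroll web server 912 is off-limits, explicitly
        "permit tcp any host 10.0.1.10 eq 443",   # accounting web server 910
        "permit tcp any host 10.0.1.8 eq 8443",   # accounting application server 908
        "permit tcp any host 10.0.1.6 eq 1433",
        "permit tcp any host 10.0.1.14 eq 3128",
    ],
}


def _endpoint(tokens, i):
    """Parse one address term starting at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_ace(line):
    """One access control entry -> dict; anything that is not a clean permit/deny is rejected."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _endpoint(tokens, 2)
    dst, i = _endpoint(tokens, i)
    port = None
    if i < len(tokens):
        if tokens[i] != "eq" or i + 2 != len(tokens):
            raise ValueError(f"unsupported ACE: {line!r}")
        port = int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate_acl(acl, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["action"]
    return "deny"


def data_privilege(ctx):
    """Methodology 800 overlay (assumed rule): read-write only from the office in business hours."""
    on_site = ctx["point_of_entry"] == "wired-office"
    business_hours = 8 <= ctx["hour"] < 18
    return "read-write" if on_site and business_hours else "read-only"


def decide(role, proto, src_ip, dst_ip, dst_port, ctx):
    """Switch decision for one flow: (permit|deny, privilege level on the reached item)."""
    acl = [parse_ace(line) for line in ROLE_ACLS[role]]
    if evaluate_acl(acl, proto, src_ip, dst_ip, dst_port) != "permit":
        return "deny", "none"
    return "permit", data_privilege(ctx)


if __name__ == "__main__":
    office = {"point_of_entry": "wired-office", "hour": 10}
    for role, client in (("payroll", "10.0.50.16"), ("accounting", "10.0.50.18")):
        for name, ip in SERVERS.items():
            print(role, "->", name, decide(role, "tcp", client, ip, 443, office))
```

Two details matter in practice. The accounting list denies the payroll web server explicitly even though the implicit deny would already block it: an explicit entry survives a later, broader permit being appended above the end of the list. And the privilege overlay is computed separately from reachability, so a change in context (VPN entry, off-hours) narrows what can be done to an item without having to rewrite the port ACL.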
- a system and methodology 1000 in accordance with one particular implementation of the present invention is illustrated. According to
- a client 1002 delivers authentication information via 802.1X to a Network Access Server (NAS) 1004, i.e., the switch acting as authenticator and RADIUS client (the source text expands NAS as "Network Attached Storage", but the role described for server 1004 is that of a RADIUS network access server).
- the NAS server includes a switch, and such switch relays a request for access to the network to a RADIUS server 1006 at Act 2.
- the RADIUS server 1006 will execute a script that sets access control lists based at least in part upon the user for a specific access port.
- the RADIUS server delivers a message to the NAS server 1004 that will enable a port between the client 1002 and a desired item 1008. Thereafter at Act 5 the client 1002 can access the item 1008 through a switch, provided that the access control lists allow such access. Upon termination of the connection, the port is disabled and the access control lists are removed.
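The exchange of methodology 700 (Fig. 7) and of Acts 1 to 5 of system 1000, as an added example written for this page and not code from the patent: the switch (NAS) sends a RADIUS Access-Request for the supplicant, the server checks the credentials and returns an Access-Accept whose vendor-specific attributes carry the access control entries for that user's port, and the switch verifies the Response Authenticator before installing the ACL and opening the port. The identity and password steps of Fig. 7 are collapsed into one PAP-style request, which the page lists as an acceptable protocol. The packet layout, password hiding and Response Authenticator follow RFC 2865; the account database, the role ACLs, the shared secret, the use of a Cisco-style `ip:inacl#` AV-pair and the in-process server call are constructed assumptions.

```python
"""802.1X port authorization over RADIUS (RFC 2865) returning a per-user ACL (example, not patent code)."""
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # vendor-specific attribute carrying "ip:inacl#N=<ace>" lines

# Constructed account database and the per-role ACL that the server's Act-3 script pushes to the port.
USERS = {"pat.payroll": ("correct horse", "payroll"), "alex.acct": ("battery staple", "accounting")}
ROLE_ACL = {
    "payroll": ["permit tcp any host 10.0.1.12 eq 443", "permit tcp any host 10.0.1.6 eq 1433", "deny ip any any"],
    "accounting": ["permit tcp any host 10.0.1.10 eq 443", "permit tcp any host 10.0.1.6 eq 1433", "deny ip any any"],
}

def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([atype, 2 + len(value)]) + value

def cisco_avpair(text):
    """Vendor-Specific attribute: vendor-id, vendor-type, vendor-length, string."""
    body = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(body)]) + body)

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block), chained."""
    raw = password.encode()
    raw += b"\x00" * (-len(raw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(raw), 16):
        prev = bytes(p ^ k for p, k in zip(raw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the chaining value is the previous *hidden* block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Header plus TLV walk; rejects length fields that disagree with the datagram."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return code, ident, data[4:20], attrs

def response_authenticator(code, ident, req_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def radius_server(request, secret):
    """Acts 2-4: check the credentials, then Accept with the role's ACL or Reject with nothing."""
    code, ident, req_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    reply_code, reply_attrs = ACCESS_REJECT, []
    if code == ACCESS_REQUEST and user in USERS and USERS[user][0] == password:
        reply_code = ACCESS_ACCEPT
        reply_attrs = [cisco_avpair(f"ip:inacl#{n}={ace}") for n, ace in enumerate(ROLE_ACL[USERS[user][1]], 1)]
    body = b"".join(reply_attrs)
    return build_packet(reply_code, ident, response_authenticator(reply_code, ident, req_auth, body, secret), reply_attrs)

class Switch:
    """The NAS/authenticator: a port opens only on a verified Accept that carries an ACL."""
    def __init__(self, secret):
        self.secret = secret
        self.ports = {}  # port -> {"user", "acl"} for the life of the session

    def authorize(self, port, username, password, server=radius_server):
        ident, req_auth = os.urandom(1)[0], os.urandom(16)
        request = build_packet(ACCESS_REQUEST, ident, req_auth, [
            attr(USER_NAME, username.encode()),
            attr(USER_PASSWORD, hide_password(password, self.secret, req_auth))])
        reply = server(request, self.secret)  # stand-in for the UDP round trip of Acts 2 and 4
        code, rid, rauth, attrs = parse_packet(reply)
        # Bind the reply to this request (Identifier, our Request Authenticator) and verify the
        # Response Authenticator with the shared secret before trusting any attribute in it.
        if rid != ident or rauth != response_authenticator(code, rid, req_auth, reply[20:], self.secret):
            return False
        acl = [v[6:4 + v[5]].decode().split("=", 1)[1] for t, v in attrs
               if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID
               and v[4] == CISCO_AVPAIR and v[6:].startswith(b"ip:inacl#")]
        if code != ACCESS_ACCEPT or not acl:
            return False  # Reject, or an Accept with no ACL: fail closed, the port stays unauthorized
        self.ports[port] = {"user": username, "acl": acl}
        return True

    def logoff(self, port):
        """Session over: the port returns to unauthorized and its ACL is removed (end of Act 5)."""
        self.ports.pop(port, None)
```

Three points a deployment should take from this. The NAS verifies the Response Authenticator and matches the Identifier before it installs anything, so a forged Accept from a rogue server that does not know the shared secret cannot open a port. An Accept that carries no ACL is treated as a failure rather than as "no restrictions". And the ACL is removed at logoff, since otherwise the next supplicant on the same physical port would inherit the previous user's virtual network. The MD5-based password hiding of RFC 2865 is obfuscation, not encryption: in production the 802.1X leg should use an EAP method such as PEAP or EAP-TLS, and the RADIUS leg should be protected in transit and carry a Message-Authenticator (RFC 2869), neither of which this example implements.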
- the system 1000 can also include an optional account database 1010 that includes Active Directory®, which allows administrators to assign policies to workstations, deploy programs to many computers, and apply critical updates to an entire organization. Active Directory® also stores information about its users and can act in a similar manner to a phone book. This allows all of the information and computer settings about an organization to be stored in a central, organized database.
- the optional account database 1010 can utilize Lightweight Directory Access Protocol (LDAP) or another suitable protocol to access information from a directory.
- the system 1100 includes an authenticator 1104 that facilitates determining whether the supplicant 1102 is authorized to access an internal network.
- the authenticator 1104 can be a NAS server that includes one or more switches and/or points of access.
- the switch provided in the NAS server can be associated with a plurality of access control lists that inform the switch regarding how to operate with respect to the supplicant 1102 and a resource (not shown) desirably accessed by the supplicant 1102.
- the authenticator 1104 requests an ID from the supplicant 1102, and according to that request a user associated with the supplicant 1102 can provide an identification that enables access to the network.
- the identification given by the supplicant 1102 is delivered to an authentication server 1106 via the switch.
- the authentication server 1106 can be a RADIUS server. If the identification is valid, then the authentication server 1106 requests a password from the supplicant 1102 via the switch in the authenticator 1104. The supplicant 1102 thereafter responds to the request with a password, which is again delivered to the authentication server 1106 via the switch. The authentication server 1106 then informs the authenticator 1104 that the supplicant 1102 is authorized to access the network. While not shown, access control lists can then be employed in connection with the switch to create a virtual network for the supplicant 1102, similar to those shown with respect to Fig. 9.
- an exemplary environment 1210 for implementing various aspects of the invention includes a computer 1212.
- the computer 1212 includes a processing unit 1214, a system memory 1216, and a system bus 1218.
- the system bus 1218 couples system components including, but not limited to, the system memory 1216 to the processing unit 1214.
- the processing unit 1214 can be any of various available processors. Dual microprocessors and other multiprocessor architectures also can be employed as the processing unit 1214.
- the system bus 1218 can be any of several types of bus structure(s) including the memory bus or memory controller, a peripheral bus or external bus, and/or a local bus using any variety of available bus architectures including, but not limited to, 8-bit bus, Industrial Standard Architecture (ISA), Micro-Channel Architecture (MSA), Extended ISA (EISA), Intelligent Drive Electronics (IDE), VESA Local Bus (VLB), Peripheral Component Interconnect (PCI), Universal Serial Bus (USB), Advanced Graphics Port (AGP), Personal Computer Memory Card International Association bus
- the system memory 1216 includes volatile memory 1220 and nonvolatile memory 1222.
- the basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer 1212, such as during start-up, is stored in nonvolatile memory 1222.
- nonvolatile memory 1222 can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable ROM (EEPROM), or flash memory.
- Volatile memory 1220 includes random access memory (RAM), which acts as external cache memory.
- RAM is available in many forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM).
- Computer 1212 also includes removable/non-removable, volatile/non-volatile computer storage media.
- Fig. 12 illustrates, for example, disk storage 1224.
- Disk storage 1224 includes, but is not limited to, devices like a magnetic disk drive, floppy disk drive, tape drive, Jaz drive, Zip drive, LS-100 drive, flash memory card, or memory stick.
- disk storage 1224 can include storage media separately or in combination with other storage media including, but not limited to, an optical disk drive such as a compact disk ROM device (CD-ROM), CD recordable drive (CD-R Drive), CD rewritable drive (CD-RW Drive) or a digital versatile disk ROM drive (DVD-ROM).
- to facilitate connection of the disk storage 1224 to the system bus 1218, a removable or non-removable interface such as interface 1226 is typically used.
- Fig. 12 describes software that acts as an intermediary between users and the basic computer resources described in suitable operating environment 1210.
- Such software includes an operating system 1228.
- Operating system 1228 which can be stored on disk storage
- System applications 1230 take advantage of the management of resources by operating system 1228 through program modules 1232 and program data 1234 stored either in system memory 1216 or on disk storage 1224. It is to be appreciated that the present invention can be implemented with various operating systems or combinations of operating systems.
- a user enters commands or information into the computer 1212 through input device(s) 1236.
- Input devices 1236 include, but are not limited to, a pointing device such as a mouse, trackball, stylus, touch pad, keyboard, microphone, joystick, game pad, satellite dish, scanner, TV tuner card, digital camera, digital video camera, web camera, and the like. These and other input devices connect to the processing unit 1214 through the system bus 1218 via interface port(s) 1238.
- Interface port(s) 1238 include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB).
- Output device(s) 1240 use some of the same type of ports as input device(s) 1236.
- a USB port may be used to provide input to computer 1212, and to output information from computer 1212 to an output device 1240.
- Output adapter 1242 is provided to illustrate that there are some output devices 1240 like monitors, speakers, and printers, among other output devices 1240, which require special adapters.
- the output adapters 1242 include, by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 1240 and the system bus 1218.
- Computer 1212 can operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1244.
- the remote computer(s) 1244 can be a personal computer, a server, a router, a network
- Network interface 1248 encompasses communication networks such as local-area networks (LAN) and wide-area networks (WAN).
- LAN technologies include Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), Ethernet/IEEE 802.3, Token Ring/IEEE 802.5 and the like.
- WAN technologies include, but are not limited to, point-to-point links, circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon, packet switching networks, and Digital Subscriber Lines (DSL).
- Communication connection(s) 1250 refers to the hardware/software employed to connect the network interface 1248 to the bus 1218. While communication connection 1250 is shown for illustrative clarity inside computer 1212, it can also be external to computer 1212.
- the hardware/software necessary for connection to the network interface 1248 includes, for exemplary purposes only, internal and external technologies such as, modems including regular telephone grade modems, cable modems and DSL modems, ISDN adapters, and Ethernet cards. Fig.
- the system 1300 includes one or more client(s) 1310.
- the client(s) 1310 can be hardware and/or software (e.g., threads, processes, computing devices).
- the system 1300 also includes one or more server(s) 1330.
- the server(s) 1330 can also be hardware and/or software (e.g., threads, processes, computing devices).
- the servers 1330 can house threads to perform transformations by employing the present invention, for example.
- One possible communication between a client 1310 and a server 1330 can be in the form of a data packet adapted to be transmitted between two or more computer processes.
- the system 1300 includes a communication framework 1350 that can be employed to facilitate communications between the client(s) 1310 and the server(s) 1330.
- the client(s) 1310 are operably connected to one or more client data store(s) 1360 that can be employed to store information local to the client(s) 1310.
- the server(s) 1330 are operably connected to one or more server data store(s) 1340 that can be employed to store information local to the servers 1330.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP05723215A EP1756992A2 (en) | 2004-02-19 | 2005-02-17 | Ip for switch based acl's |
CA002556549A CA2556549A1 (en) | 2004-02-19 | 2005-02-17 | Ip for switch based acl's |
KR1020067019263A KR101229205B1 (en) | 2004-02-19 | 2005-02-17 | Ip for switch based acl's |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US54611604P | 2004-02-19 | 2004-02-19 | |
US60/546,116 | 2004-02-19 | ||
US10/842,289 | 2004-05-10 | ||
US10/842,289 US20050188211A1 (en) | 2004-02-19 | 2004-05-10 | IP for switch based ACL's |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2005079459A2 true WO2005079459A2 (en) | 2005-09-01 |
WO2005079459A3 WO2005079459A3 (en) | 2007-08-16 |
Family
ID=34864551
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2005/005067 WO2005079459A2 (en) | 2004-02-19 | 2005-02-17 | Ip for switch based acl's |
Country Status (6)
Country | Link |
---|---|
US (1) | US20050188211A1 (en) |
EP (1) | EP1756992A2 (en) |
KR (1) | KR101229205B1 (en) |
CN (1) | CN104202293A (en) |
CA (1) | CA2556549A1 (en) |
WO (1) | WO2005079459A2 (en) |
Families Citing this family (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7346664B2 (en) * | 2003-04-24 | 2008-03-18 | Neopath Networks, Inc. | Transparent file migration using namespace replication |
US7587422B2 (en) * | 2003-04-24 | 2009-09-08 | Neopath Networks, Inc. | Transparent file replication using namespace replication |
US7831641B2 (en) * | 2003-04-24 | 2010-11-09 | Neopath Networks, Inc. | Large file support for a network file server |
WO2005029251A2 (en) * | 2003-09-15 | 2005-03-31 | Neopath Networks, Inc. | Enabling proxy services using referral mechanisms |
US7549048B2 (en) * | 2004-03-19 | 2009-06-16 | Microsoft Corporation | Efficient and secure authentication of computing systems |
US7681007B2 (en) * | 2004-04-15 | 2010-03-16 | Broadcom Corporation | Automatic expansion of hard disk drive capacity in a storage device |
US20050235063A1 (en) * | 2004-04-15 | 2005-10-20 | Wilson Christopher S | Automatic discovery of a networked device |
US20050231849A1 (en) * | 2004-04-15 | 2005-10-20 | Viresh Rustagi | Graphical user interface for hard disk drive management in a data storage system |
US20050235364A1 (en) * | 2004-04-15 | 2005-10-20 | Wilson Christopher S | Authentication mechanism permitting access to data stored in a data processing device |
US7720796B2 (en) * | 2004-04-23 | 2010-05-18 | Neopath Networks, Inc. | Directory and file mirroring for migration, snapshot, and replication |
US8195627B2 (en) * | 2004-04-23 | 2012-06-05 | Neopath Networks, Inc. | Storage policy monitoring for a storage network |
US8190741B2 (en) * | 2004-04-23 | 2012-05-29 | Neopath Networks, Inc. | Customizing a namespace in a decentralized storage environment |
US20060248252A1 (en) * | 2005-04-27 | 2006-11-02 | Kharwa Bhupesh D | Automatic detection of data storage functionality within a docking station |
US20060265395A1 (en) * | 2005-05-19 | 2006-11-23 | Trimergent | Personalizable information networks |
WO2007002855A2 (en) * | 2005-06-29 | 2007-01-04 | Neopath Networks, Inc. | Parallel filesystem traversal for transparent mirroring of directories and files |
US20070028092A1 (en) * | 2005-07-28 | 2007-02-01 | Alper Yegin | Method and system for enabling chap authentication over PANA without using EAP |
US8131689B2 (en) * | 2005-09-30 | 2012-03-06 | Panagiotis Tsirigotis | Accumulating access frequency and file attributes for supporting policy based storage management |
US7958368B2 (en) * | 2006-07-14 | 2011-06-07 | Microsoft Corporation | Password-authenticated groups |
CN100591011C (en) * | 2006-08-31 | 2010-02-17 | 华为技术有限公司 | Identification method and system |
US20080137266A1 (en) * | 2006-09-29 | 2008-06-12 | Rockwell Automation Technologies, Inc. | Motor control center with power and data distribution bus |
US8307411B2 (en) * | 2007-02-09 | 2012-11-06 | Microsoft Corporation | Generic framework for EAP |
US20090193247A1 (en) * | 2008-01-29 | 2009-07-30 | Kiester W Scott | Proprietary protocol tunneling over eap |
US10102566B2 (en) * | 2014-09-08 | 2018-10-16 | Leeo, Icnc. | Alert-driven dynamic sensor-data sub-contracting |
US11350254B1 (en) | 2015-05-05 | 2022-05-31 | F5, Inc. | Methods for enforcing compliance policies and devices thereof |
US11757946B1 (en) | 2015-12-22 | 2023-09-12 | F5, Inc. | Methods for analyzing network traffic and enforcing network policies and devices thereof |
US11178150B1 (en) * | 2016-01-20 | 2021-11-16 | F5 Networks, Inc. | Methods for enforcing access control list based on managed application and devices thereof |
CN106131046B (en) * | 2016-08-12 | 2019-12-06 | 新华三技术有限公司 | anti-attack processing method and device |
US11343237B1 (en) | 2017-05-12 | 2022-05-24 | F5, Inc. | Methods for managing a federated identity environment using security and access control data and devices thereof |
US11122042B1 (en) | 2017-05-12 | 2021-09-14 | F5 Networks, Inc. | Methods for dynamically managing user access control and devices thereof |
US10448434B1 (en) * | 2017-06-27 | 2019-10-15 | Vivint, Inc. | Dedicated wireless network for security and automation system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040010713A1 (en) * | 2002-07-12 | 2004-01-15 | Vollbrecht John R. | EAP telecommunication protocol extension |
US6754829B1 (en) * | 1999-12-14 | 2004-06-22 | Intel Corporation | Certificate-based authentication system for heterogeneous environments |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6321337B1 (en) * | 1997-09-09 | 2001-11-20 | Sanctum Ltd. | Method and system for protecting operations of trusted internal networks |
US6845453B2 (en) * | 1998-02-13 | 2005-01-18 | Tecsec, Inc. | Multiple factor-based user identification and authentication |
US6357010B1 (en) * | 1998-02-17 | 2002-03-12 | Secure Computing Corporation | System and method for controlling access to documents stored on an internal network |
US6317837B1 (en) * | 1998-09-01 | 2001-11-13 | Applianceware, Llc | Internal network node with dedicated firewall |
US6915426B1 (en) * | 1999-07-23 | 2005-07-05 | Networks Associates Technology, Inc. | System and method for enabling authentication at different authentication strength-performance levels |
US20020016831A1 (en) * | 2000-08-07 | 2002-02-07 | Vidius Inc. | Apparatus and method for locating of an internet user |
US20020103905A1 (en) * | 2001-01-31 | 2002-08-01 | Prabahkar Subramaniam | Method and system for providing business partners with access to a company's internal computer resources |
US20020143914A1 (en) * | 2001-03-29 | 2002-10-03 | Cihula Joseph F. | Network-aware policy deployment |
US7450595B1 (en) * | 2001-05-01 | 2008-11-11 | At&T Corp. | Method and system for managing multiple networks over a set of ports |
US6938155B2 (en) * | 2001-05-24 | 2005-08-30 | International Business Machines Corporation | System and method for multiple virtual private network authentication schemes |
US7017183B1 (en) * | 2001-06-29 | 2006-03-21 | Plumtree Software, Inc. | System and method for administering security in a corporate portal |
US7130852B2 (en) * | 2001-07-27 | 2006-10-31 | Silicon Valley Bank | Internal security system for a relational database system |
JP3683848B2 (en) * | 2001-11-20 | 2005-08-17 | コナミ株式会社 | Network system |
US7069336B2 (en) * | 2002-02-01 | 2006-06-27 | Time Warner Cable | Policy based routing system and method for caching and VPN tunneling |
US6990515B2 (en) * | 2002-04-29 | 2006-01-24 | International Business Machines Corporation | Secure method and system to prevent internal unauthorized remotely initiated power up events in computer systems |
US7336660B2 (en) * | 2002-05-31 | 2008-02-26 | Cisco Technology, Inc. | Method and apparatus for processing packets based on information extracted from the packets and context indications such as but not limited to input interface characteristics |
2004
- 2004-05-10 US US10/842,289 patent/US20050188211A1/en not_active Abandoned
2005
- 2005-02-17 WO PCT/US2005/005067 patent/WO2005079459A2/en active Application Filing
- 2005-02-17 CN CN201410353111.0A patent/CN104202293A/en active Pending
- 2005-02-17 KR KR1020067019263A patent/KR101229205B1/en not_active IP Right Cessation
- 2005-02-17 CA CA002556549A patent/CA2556549A1/en not_active Abandoned
- 2005-02-17 EP EP05723215A patent/EP1756992A2/en not_active Withdrawn
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6754829B1 (en) * | 1999-12-14 | 2004-06-22 | Intel Corporation | Certificate-based authentication system for heterogeneous environments |
US20040010713A1 (en) * | 2002-07-12 | 2004-01-15 | Vollbrecht John R. | EAP telecommunication protocol extension |
Non-Patent Citations (1)
Title |
---|
CASE J. ET AL.: 'RFC1098: A Simple Network Management Protocol', [Online] May 1990, pages 1 - 34, XP003016521 Retrieved from the Internet: <URL:http://www.ietf.org/rfc/rfc1098.txt> * |
Also Published As
Publication number | Publication date |
---|---|
EP1756992A2 (en) | 2007-02-28 |
CN104202293A (en) | 2014-12-10 |
KR101229205B1 (en) | 2013-02-04 |
KR20060128015A (en) | 2006-12-13 |
CA2556549A1 (en) | 2005-09-01 |
WO2005079459A3 (en) | 2007-08-16 |
US20050188211A1 (en) | 2005-08-25 |
Similar Documents
Publication | Title |
---|---|
US20050188211A1 (en) | IP for switch based ACL's |
CA2868896C (en) | Secure mobile framework |
US8973122B2 (en) | Token based two factor authentication and virtual private networking system for network management and security and online third party multiple network management method |
US7428754B2 (en) | System for secure computing using defense-in-depth architecture |
US9686262B2 (en) | Authentication based on previous authentications |
JP2020536304A (en) | Enable multi-tenant data access on a single industrial network |
D'Silva et al. | Building a zero trust architecture using kubernetes |
US8826457B2 (en) | System for enterprise digital rights management |
US20090193503A1 (en) | Network access control |
US9081982B2 (en) | Authorized data access based on the rights of a user and a location |
US9160545B2 (en) | Systems and methods for A2A and A2DB security using program authentication factors |
US8272043B2 (en) | Firewall control system |
JP2006260027A (en) | Quarantine system, and quarantine method using vpn and firewall |
KR101404537B1 (en) | A server access control system by automatically changing user passwords and the method thereof |
JP2005202970A (en) | Security system and security method for firewall, and computer program product |
Basu et al. | Strengthening Authentication within OpenStack Cloud Computing System through Federation with ADDS System |
Jensen | Identity management lifecycle-exemplifying the need for holistic identity assurance frameworks |
US10560478B1 (en) | Using log event messages to identify a user and enforce policies |
CN112912879A (en) | Apparatus and method for inter-process secure messaging |
Simpson | Zero trust philosophy versus architecture |
US20220311777A1 (en) | Hardening remote administrator access |
EP4142256A1 (en) | System and method for providing dual endpoint access control of remote cloud-stored resources |
William | Zero Trust Philosophy Versus Architecture |
Sheikh et al. | Authentication and Remote Access |
CN101129010A (en) | IP for switch based ACL |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
DPEN | Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed from 20040101) | |
WWE | WIPO information: entry into national phase | Ref document number: 2005723215, Country of ref document: EP; Ref document number: 2556549, Country of ref document: CA |
WWE | WIPO information: entry into national phase | Ref document number: 4742/DELNP/2006, Country of ref document: IN |
NENP | Non-entry into the national phase | Ref country code: DE |
WWW | WIPO information: withdrawn in national office | Ref document number: DE |
WWE | WIPO information: entry into national phase | Ref document number: 1020067019263, Country of ref document: KR |
WWE | WIPO information: entry into national phase | Ref document number: 200580009561.7, Country of ref document: CN |
WWP | WIPO information: published in national office | Ref document number: 1020067019263, Country of ref document: KR |
WWP | WIPO information: published in national office | Ref document number: 2005723215, Country of ref document: EP |