Secure network file access controller implementing access control and auditing
IPC classification information
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th edition): H04L-009/00; H04L-009/32; G06F-011/30; G06F-012/14
Application number: US-0201358 (2002-07-22)
§371/§102 date: 20000607 (20000607)
Inventors / Address: Pham, Duc; Nguyen, Tien Le; Zhang, Pu Paul; Lo, Mingchen
Applicant / Address: Vormetric, Inc.
Agent / Address: NewTechLaw
Citation information
Times cited: 125
Cited patents: 119
Abstract
A network file access appliance operates as a secure portal for network file access operations between client computer systems and network storage resources. The file access appliance terminates network file access transactions, identified by packet information including client system, mount point, and file request identifiers, between client systems and mount points supported by the access controller. A policy parser determines, based on the packet information, to selectively initiate network file access transactions between the access controller and network storage resources to enable completion of selected network file access transactions directed from the clients to the network file access appliance. The network file access transactions directed to the network storage resources are modified counterparts of policy selected client network file access transactions modified to reference mapped network storage resource mount points and support the secure transfer and storage of network file data.
Representative claims
1. A secure portal for network file access transactions between client computer systems and network storage resources, said secure portal comprising: a) a network interface supporting network connections to a client system and a network storage resource, respectively; and b) an access controller coupled to said network interface, said access controller operative to terminate a first network file access transaction between said client system and a virtual mount point supported by said access controller, wherein said access controller includes a policy parser, responsive to a client system identifier, authorization data including a user session identifier that references a session related group of one or more user processes executing on the client system identified by said client system identifier, a virtual mount point identifier, and a request identifier provided with a first network file request received within said first network file access transaction, operative to selectively enable initiation of a second network file access transaction between said access controller and a defined mount point of said network storage resource dependent on a defined combination including said client system identifier, said virtual mount point identifier, and said request identifier, said second network file access transaction including a second network file request having a modified correspondence with said first network file request to support completion of said first network file access transaction relative to said defined mount point.
2. The secure portal of claim 1 wherein said policy parser is further responsive to a user identifier and a group identifier included with said authorization data and wherein said second network file access transaction is selectively enabled dependent on said defined combination including said client system identifier, said virtual mount point identifier, said user session identifier, said user identifier, said group identifier, and said request identifier.
3. The secure portal of claim 1 wherein said policy parser includes policy sets defined for predetermined combinations of said client system identifier, said authorization data, said virtual mount point identifier, and said request identifier, said second network file access transaction being enabled dependent on said policy sets including a defined policy set corresponding to said defined combination.
4. The secure portal of claim 3 wherein said policy parser is further responsive to a user identifier and a group identifier included with said authorization data, wherein said policy sets are further defined for predetermined combinations of said client system identifier, user session identifier, said user identifier, said group identifier, said virtual mount point identifier, and said request identifier, and wherein said second network file access transaction is selectively enabled dependent on said defined combination including said client system identifier, user session identifier, said user identifier, said group identifier, said virtual mount point identifier, and said request identifier.
5. The secure portal of claim 4 wherein said access controller is operative to provide auditing report data and wherein said access controller includes said defined combination in said auditing report data where said policy sets fail to contain said defined policy set corresponding to said defined combination.
6. The secure portal of claim 5 wherein said access controller is operative to provide an administrative alarm selectively based on said defined combination where said policy sets fail to contain said defined policy set corresponding to said defined combination.
7. A network file access controller providing secure access controls over accesses by client computer systems to network storage resources, said network file access controller comprising: a) a client network interface presenting a plurality of client mount points for connecting to logical network storage resources; b) a storage network interface coupleable to a plurality of network storage resources; c) a file access processor, responsive to session and control information provided by a client computer system in a network data packet within a client network file transaction, operative to selectively perform a storage network file transaction to support completion of said client network file transaction, wherein said session and control information includes a target client mount point specification, a process identifier, and a file access request, and wherein said process identifier references a session related group of one or more user processes executing on said client computer system; and d) a policy parser, responsive to said file access processor, operative to evaluate a plurality of predefined access constraints against said session and control information to enable said storage network file transaction.
8. The network file access controller of claim 7 wherein said file access processor includes mapping data, accessible by said policy parser, establishing a correspondence between said plurality of client mount points and said plurality of network storage resources.
9. The network file access controller of claim 8 wherein said mapping data supports aliasing between said plurality of client mount points and said plurality of network storage resources.
10. The network file access controller of claim 9 wherein said session and control information includes a file path specification and wherein said policy parser is responsive to said file path specification in evaluating said plurality of predefined access constraints.
11. The network file access controller of claim 10 wherein said client network file transaction references a network file and wherein said policy parser qualifies execution of said storage network file transaction to retrieve an encryption key specific to said network file.
12. The network file access controller of claim 11 wherein said policy parser qualifies execution of said storage network file transaction to retrieve an encryption key identifier, specific to said network file, from said plurality of network storage resources.
13. The network file access controller of claim 12 wherein said file access processor includes a policy store and wherein said encryption key is accessed from said policy store based on said encryption key identifier.
14. The network file access controller of claim 12 wherein said encryption key is retrieved from a trusted encryption key server based on said encryption key identifier.
15. A method of controlling access by client systems to network storage resources, said method comprising the steps of: a) terminating first network file request transactions, including first file access requests and client and session identifications, initiated by client systems directed against first network files identified by first path specifications, wherein a session identification references a session related group of one or more user processes executing on the client system identified by the associated client identification; b) selecting predetermined ones of said first file access requests discriminated by said first path specifications by comparison of said first file access requests and said client and session identifications against a predefined set of policy specifications; and c) initiating second network file request transactions, including second file access requests, against second network files, identified by second file path specifications, stored by network storage resources, wherein said second file access requests correspond to said predetermined ones of said first file access requests to enable completion of said first network file request transactions, and wherein said second file path specifications correspond to said first file path specifications of said predetermined ones of said first file access requests.
16. The method of claim 15 further comprising the step of recording an audit log of said first network file request transactions with respect to said first file access requests as evaluated against said predefined set of policy specifications to select said predetermined ones of said first file access requests.
17. The method of claim 15 wherein said first path specifications include client mount point identifiers, wherein said second path specifications include resource mount point identifiers, and wherein said step of initiating provides for the conversion of said client mount point identifiers to said resource mount point identifiers.
18. The method of claim 17 wherein said step of selecting minimally evaluates said client mount point identifiers of said first path specifications against said predefined set of policy specifications to select said predetermined ones of said first file access requests.
19. The method of claim 18 wherein said client and session identifications include client source IPs and process identifiers.
20. The method of claim 19 wherein said client and session identifications further include authenticated user and group identifiers.
21. The method of claim 20 further comprising the step of recording an audit log of said first network file request transactions with respect to said first file access requests as evaluated against said predefined set of policy specifications to select said predetermined ones of said first file access requests.
22. A method of operating a secure portal appliance to control access to files stored on network storage resources, said method comprising the steps of: a) establishing a plurality of virtual mount points accessible by client systems for establishing network file access connections within which to receive first network file access requests, wherein said first network file access requests include client session information that identifies the user session processes executing on a client system that originates a corresponding one of said first network file access requests; b) evaluating said first network file access requests, including said client session information, against a predetermined set of access policies associated by said virtual mount points to identify a second network file requests executable to selectively complete said first network file access requests; and c) issuing said second network file requests to access network file data to enable selective completion of said first network file access requests.
23. The method of claim 22 wherein said client session information includes a client process identifier.
24. The method of claim 22 wherein said client session information includes a source client identifier and an authenticated user identifier.
25. The method of claim 22 wherein said client session information includes a source client identifier, a user identifier, a group identifier, and a client process identifier.
26. The method of claim 22 wherein said step of issuing issues said second network file requests with respect to network storage resources having a predetermined correspondence with said plurality of virtual mount points.
27. The method of claim 26 wherein said predetermined correspondence is determined by said predetermined set of access policies.
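The access-control flow that the abstract and claims describe, as an added Python model written for this page (it is not Vormetric's implementation or any code from the patent): a client request is terminated at a virtual mount point; the combination of client identifier, session (process) identifier, user, group, virtual mount point, file path and request identifier is evaluated against policy sets; the virtual mount point is mapped (with aliasing) to a storage mount point; the corresponding storage-side request is built with a per-file encryption key identifier looked up from a policy store; and denials produce auditing report data and, selectively, an administrative alarm. Every class, policy entry, mount mapping, key identifier, client address and sample request below is constructed for illustration. The example also adds one check the claims do not spell out: a client path whose normalised form would leave the mapped storage mount point is refused rather than forwarded.

```python
import posixpath
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ClientRequest:
    """Session and control information parsed from a client network file request (constructed)."""
    client_id: str        # source client identifier, here a constructed source IP
    session_id: int       # process identifier referencing the client user session
    user: str             # authenticated user identifier
    group: str            # authenticated group identifier
    virtual_mount: str    # client mount point presented by the portal
    path: str             # file path relative to the virtual mount point
    request_id: str       # file access request, e.g. "READ", "WRITE", "REMOVE"


@dataclass(frozen=True)
class Policy:
    """One policy set: the combination of identifiers it permits (hypothetical schema)."""
    client_id: str
    virtual_mount: str
    request_ids: frozenset
    users: frozenset = frozenset()    # empty: any authenticated user
    groups: frozenset = frozenset()   # empty: any group
    path_prefix: str = "/"            # subtree of the mount point the policy covers


@dataclass
class Decision:
    allowed: bool
    audit: dict                                 # auditing report data for this transaction
    storage_request: Optional[dict] = None      # the second (storage-side) request, if enabled
    alarm: bool = False                         # administrative alarm raised on denial


class SecurePortal:
    def __init__(self, policies, mount_map, key_ids, alarm_requests=frozenset()):
        self.policies = list(policies)
        self.mount_map = dict(mount_map)          # virtual mount -> storage mount; aliasing allowed
        self.key_ids = dict(key_ids)              # policy store: storage file path -> key identifier
        self.alarm_requests = frozenset(alarm_requests)  # denied request types that raise an alarm
        self.audit_log = []                       # audit log of every evaluated transaction

    def _matches(self, p, r):
        norm = posixpath.normpath(r.path)
        prefix = p.path_prefix.rstrip("/")
        return (p.client_id == r.client_id
                and p.virtual_mount == r.virtual_mount
                and r.request_id in p.request_ids
                and (not p.users or r.user in p.users)
                and (not p.groups or r.group in p.groups)
                and (norm == prefix or norm.startswith(prefix + "/")))

    def evaluate(self, r):
        combination = {"client": r.client_id, "session": r.session_id, "user": r.user,
                       "group": r.group, "mount": r.virtual_mount,
                       "path": r.path, "request": r.request_id}
        storage_mount = self.mount_map.get(r.virtual_mount)
        # Deny when no mapping exists or no policy set covers this defined combination.
        if storage_mount is None or not any(self._matches(p, r) for p in self.policies):
            d = Decision(False, audit=dict(combination, result="DENY"),
                         alarm=r.request_id in self.alarm_requests)
            self.audit_log.append(d.audit)
            return d
        # Build the modified counterpart: same operation, path re-rooted at the storage mount.
        storage_path = posixpath.normpath(posixpath.join(storage_mount, r.path.lstrip("/")))
        # Added safeguard: a path that normalises outside the mapped mount point is refused.
        if not storage_path.startswith(storage_mount.rstrip("/") + "/"):
            d = Decision(False, audit=dict(combination, result="DENY", reason="path escapes mount"),
                         alarm=True)
            self.audit_log.append(d.audit)
            return d
        second = {"mount": storage_mount, "path": storage_path, "request": r.request_id,
                  "key_id": self.key_ids.get(storage_path)}   # key identifier specific to the file
        d = Decision(True, audit=dict(combination, result="ALLOW", storage_path=storage_path),
                     storage_request=second)
        self.audit_log.append(d.audit)
        return d


# Constructed configuration: two client mount points alias one storage resource.
MOUNT_MAP = {"/export/finance": "/vol1/fin", "/export/shared": "/vol1/fin"}
POLICIES = [
    Policy("10.0.0.5", "/export/finance", frozenset({"READ", "WRITE"}), groups=frozenset({"finance"})),
    Policy("10.0.0.5", "/export/shared", frozenset({"READ"})),
    Policy("10.0.0.9", "/export/shared", frozenset({"READ"}), path_prefix="/public"),
]
KEY_IDS = {"/vol1/fin/q3/ledger.xlsx": "key-0042"}
PORTAL = SecurePortal(POLICIES, MOUNT_MAP, KEY_IDS, alarm_requests={"WRITE", "REMOVE"})

# Constructed sample requests: allowed read, denied write, prefix violation, mount escape.
SAMPLES = [
    ClientRequest("10.0.0.5", 4711, "alice", "finance", "/export/finance", "/q3/ledger.xlsx", "READ"),
    ClientRequest("10.0.0.5", 4712, "bob", "eng", "/export/finance", "/q3/ledger.xlsx", "WRITE"),
    ClientRequest("10.0.0.9", 300, "carol", "guest", "/export/shared", "/public/../q3/ledger.xlsx", "READ"),
    ClientRequest("10.0.0.5", 4713, "alice", "finance", "/export/shared", "/../../etc/passwd", "READ"),
]


def run_samples(portal=PORTAL, samples=SAMPLES):
    """Evaluate each sample and return the resulting decisions."""
    return [portal.evaluate(r) for r in samples]


if __name__ == "__main__":
    for d in run_samples():
        print(d.audit, "alarm" if d.alarm else "")
```

The policy match normalises the client path before comparing it with the policy's subtree, so a request that reaches `/q3` through `/public/..` is judged on where it actually lands; the second check guards the mapping step itself, since the storage-side path is what the appliance would forward.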