WO2000000879A3 - Generalized policy server - Google Patents

Generalized policy server

Info

Publication number
WO2000000879A3
Authority
WO
WIPO (PCT)
Prior art keywords
access
policy
policies
administrators
server
Application number
PCT/US1999/014585
Other languages
French (fr)
Other versions
WO2000000879A2 (en)
Inventor
Clifford L Hannel
Laurence R Lipstone
Davis S Schneider
Original Assignee
Internet Dynamics Inc
Clifford L Hannel
Laurence R Lipstone
Davis S Schneider

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H04L 63/0272 Virtual private networks
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security

Abstract

A policy system includes a policy server (2617); a policy database (2619), which is located at the policy decision point (2723); an access/response entity (2603); a resource server (2711); a policy message (2725); and a policy enforcement point (2721). The system is connected through a public network (2702) or an internal network (103). The access filters (107, 203, 403) control access by using a local copy of an access control database to determine whether to permit an access request made by a user. Changes made by administrators to a local copy are propagated to all of the other local copies. Access is permitted or denied according to access policies (307), which define access in terms of user groups (Fig 9-12) and information sets (Fig 13A-18). The rights of administrators are similarly determined by administrative policies (Fig 23A-C). Access is further permitted only if the trust level of the network over which the access request is made is sufficient for the access (Fig 25-29). The policy server component of the access filter has been separated from the access filter, and the policies have been generalized to permit administrators of the policy server to define new types of actions and new types of entities. Policies may now further specify time intervals during which they are in force, and entities may be associated with attributes that specify how the entity is to be used when the policy applies.
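The access decision the abstract describes (policies over user groups and information sets, a network trust level that must be sufficient, time intervals during which a policy is in force, administrative policies, and propagation of an administrator's change to the other local copies), as an added example written for this page and not the patent's own implementation. The deny-overrides rule, the per-information-set sensitivity levels and all sample users, networks and resources are constructed assumptions.

```python
# Added illustration for this page, not the patent's own code; the data model
# and the sample users, networks and resources are constructed assumptions.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    group: str            # user group the policy is written for
    info_set: str         # information set (a named collection of resources)
    action: str           # generalized action type, e.g. "read"
    hours: tuple = None   # (start_hour, end_hour) during which it is in force; None = always
    effect: str = "permit"  # "permit" or "deny"

@dataclass
class PolicyDB:
    groups: dict          # group -> set of users
    info_sets: dict       # info set -> set of resource ids
    sensitivity: dict     # info set -> network trust level required to reach it
    network_trust: dict   # network id -> trust level
    policies: list
    admin_policies: list = field(default_factory=list)  # (admin group, info set it may edit)

    def decide(self, user, resource, action, network, hour):
        """Deny-overrides, default-deny evaluation plus the network trust check."""
        permit = False
        for p in self.policies:
            if (user not in self.groups.get(p.group, ()) or
                    resource not in self.info_sets.get(p.info_set, ()) or
                    p.action != action or
                    (p.hours and not p.hours[0] <= hour < p.hours[1])):
                continue
            if p.effect == "deny":
                return "deny"
            # a matching permit counts only if the network is trusted enough for the set
            if self.network_trust.get(network, 0) >= self.sensitivity.get(p.info_set, 0):
                permit = True
        return "permit" if permit else "deny"

def replicate(primary, replicas, admin, info_set, resource):
    """Apply an admin's change to one local copy and propagate it, if an administrative policy allows it."""
    if not any(admin in primary.groups.get(g, ()) and s == info_set
               for g, s in primary.admin_policies):
        return False
    for db in (primary, *replicas):
        db.info_sets.setdefault(info_set, set()).add(resource)
    return True

def sample_db():
    """Constructed sample data, not values from the patent."""
    return PolicyDB(
        groups={"engineers": {"alice"}, "contractors": {"bob"}, "admins": {"carol"}},
        info_sets={"source": {"repo/main"}, "public": {"www/index"}},
        sensitivity={"source": 2, "public": 0},
        network_trust={"internal": 3, "public_net": 1},
        policies=[Policy("engineers", "source", "read", hours=(8, 18)),
                  Policy("engineers", "public", "read"),
                  Policy("contractors", "source", "read"),
                  Policy("contractors", "source", "read", effect="deny")],
        admin_policies=[("admins", "source")])
```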

Priority Applications (13)

Application Number Priority Date Filing Date Title
AU48386/99A AU762061B2 (en) 1998-06-29 1999-06-28 Generalized policy server
US09/720,277 US7272625B1 (en) 1997-03-10 1999-06-28 Generalized policy server
EP99931983A EP1105809A4 (en) 1998-06-29 1999-06-28 Generalized policy server
US10/019,101 US7580919B1 (en) 1997-03-10 2000-06-21 Query interface to policy server
US11/897,626 US7821926B2 (en) 1997-03-10 2007-08-31 Generalized policy server
US11/927,214 US7912856B2 (en) 1998-06-29 2007-10-29 Adaptive encryption
US12/850,587 US8136143B2 (en) 1997-03-10 2010-08-04 Generalized policy server
US13/364,214 US8935311B2 (en) 1997-03-10 2012-02-01 Generalized policy server
US13/967,202 US9438577B2 (en) 1997-03-10 2013-08-14 Query interface to policy server
US13/967,207 US9154489B2 (en) 1997-03-10 2013-08-14 Query interface to policy server
US13/967,205 US9276920B2 (en) 1997-03-10 2013-08-14 Tunneling using encryption
US13/967,208 US9331992B2 (en) 1997-03-10 2013-08-14 Access control
US15/257,747 US20170118221A1 (en) 1997-03-10 2016-09-06 Query interface to policy server

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US09/034,507 US6408336B1 (en) 1997-03-10 1998-03-04 Distributed administration of access to information
US9113098P 1998-06-29 1998-06-29
US60/091,130 1998-06-29

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/034,507 Continuation-In-Part US6408336B1 (en) 1997-03-10 1998-03-04 Distributed administration of access to information

Related Child Applications (5)

Application Number Title Priority Date Filing Date
US09/720,277 A-371-Of-International US7272625B1 (en) 1997-03-10 1999-06-28 Generalized policy server
PCT/US2000/017078 Continuation-In-Part WO2000079434A1 (en) 1997-03-10 2000-06-21 Query interface to policy server
US10/019,101 Continuation-In-Part US7580919B1 (en) 1997-03-10 2000-06-21 Query interface to policy server
US1910101A Continuation-In-Part 1997-03-10 2001-12-20
US11/897,626 Continuation US7821926B2 (en) 1997-03-10 2007-08-31 Generalized policy server

Publications (2)

Publication Number Publication Date
WO2000000879A2 (en) 2000-01-06
WO2000000879A3 (en) 2000-02-17

Family

Family ID: 26711040

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1999/014585 WO2000000879A2 (en) 1997-03-10 1999-06-28 Generalized policy server

Country Status (1)

Country Link
WO (1) WO2000000879A2 (en)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6578146B2 (en) * 1996-11-19 2003-06-10 R. Brent Johnson System, method and article of manufacture to remotely configure and utilize an emulated device controller via an encrypted validation communication protocol
US7580919B1 (en) 1997-03-10 2009-08-25 Sonicwall, Inc. Query interface to policy server
US6408336B1 (en) 1997-03-10 2002-06-18 David S. Schneider Distributed administration of access to information
DE60122033D1 (en) * 2000-02-04 2006-09-21 Aladdin Knowledge Systems Ltd Protection of computer networks against malicious content
JP2001308849A (en) * 2000-02-14 2001-11-02 Victor Co Of Japan Ltd Contents transmission system, authenticating device, contents-handling device, data-transmitting method, transmitting medium, reliability-deciding device, device whose reliability is decided and recording medium
US6636838B1 (en) * 2000-02-23 2003-10-21 Sun Microsystems, Inc. Content screening with end-to-end encryption
US6546486B1 (en) * 2000-02-23 2003-04-08 Sun Microsystems, Inc. Content screening with end-to-end encryption within a firewall
US6560705B1 (en) 2000-02-23 2003-05-06 Sun Microsystems, Inc. Content screening with end-to-end encryption prior to reaching a destination
EP1132797A3 (en) * 2000-03-08 2005-11-23 Aurora Wireless Technologies, Ltd. Method for securing user identification in on-line transaction systems
US6950947B1 (en) 2000-06-20 2005-09-27 Networks Associates Technology, Inc. System for sharing network state to enhance network throughput
FR2819967B1 (en) 2001-01-24 2003-03-14 Bull Sa METHOD AND SYSTEM FOR COMMUNICATING A CERTIFICATE BETWEEN A SECURITY MODULE AND A SERVER
DE10152121B4 (en) * 2001-10-23 2008-07-17 SiOS GMBH für DV-Architekturen Rule-based processing control of mobile information
US7552472B2 (en) 2002-12-19 2009-06-23 International Business Machines Corporation Developing and assuring policy documents through a process of refinement and classification
ATE500676T1 (en) * 2004-08-20 2011-03-15 Nokia Siemens Networks Gmbh METHOD AND DEVICE FOR MANAGING OBJECTS OF A COMMUNICATIONS NETWORK
EP1927930A1 (en) 2006-11-30 2008-06-04 Sap Ag Method and system for access control using resource filters
EP1933522B1 (en) * 2006-12-11 2013-10-23 Sap Ag Method and system for authentication
FR2926429B1 (en) * 2008-01-11 2012-12-07 Radiotelephone Sfr METHOD AND SYSTEM OF COMMUNICATION AND TERMINAL AND SERVER WITH CONFIDENCE
US9690821B2 (en) 2015-05-14 2017-06-27 Walleye Software, LLC Computer data system position-index mapping
US10241965B1 (en) 2017-08-24 2019-03-26 Deephaven Data Labs Llc Computer data distribution architecture connecting an update propagation graph through multiple remote query processors
US10831917B2 (en) 2018-10-29 2020-11-10 At&T Intellectual Property I, L.P. Database system consensus-based access control

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US5117349A (en) * 1990-03-27 1992-05-26 Sun Microsystems, Inc. User extensible, language sensitive database system

Patent Citations (8)

Publication number Priority date Publication date Assignee Title
US5438508A (en) * 1991-06-28 1995-08-01 Digital Equipment Corporation License document interchange format for license management system
US5787428A (en) * 1994-02-16 1998-07-28 British Telecommunications Public Limited Company Control of database access using security/user tag correspondence table
US5720023A (en) * 1994-03-28 1998-02-17 British Telecommunications Public Limited Company Apparatus and method for storing diagram data
US5553282A (en) * 1994-12-09 1996-09-03 Taligent, Inc. Software project history database and method of operation
US5752245A (en) * 1994-12-09 1998-05-12 Object Technology Licensing Corporation Object-oriented system for configuration history management with a project workspace and project history database for draft identification
US5721908A (en) * 1995-06-07 1998-02-24 International Business Machines Corporation Computer network for WWW server data access over internet
US5793964A (en) * 1995-06-07 1998-08-11 International Business Machines Corporation Web browser system
US5911776A (en) * 1996-12-18 1999-06-15 Unisys Corporation Automatic format conversion system and publishing methodology for multi-user network

Non-Patent Citations (1)

Title
See also references of EP1105809A4 *

Cited By (6)

Publication number Priority date Publication date Assignee Title
US8935311B2 (en) 1997-03-10 2015-01-13 Sonicwall, Inc. Generalized policy server
US9154489B2 (en) 1997-03-10 2015-10-06 Dell Software Inc. Query interface to policy server
US9276920B2 (en) 1997-03-10 2016-03-01 Dell Software Inc. Tunneling using encryption
US9331992B2 (en) 1997-03-10 2016-05-03 Dell Software Inc. Access control
US9438577B2 (en) 1997-03-10 2016-09-06 Dell Software Inc. Query interface to policy server
US8914410B2 (en) 1999-02-16 2014-12-16 Sonicwall, Inc. Query interface to policy server

Also Published As

Publication number Publication date
WO2000000879A2 (en) 2000-01-06

Similar Documents

Publication Publication Date Title
WO2000000879A3 (en) Generalized policy server
McDaniel On context in authorization policy
US6105132A (en) Computer network graded authentication system and method
US6920558B2 (en) Method and apparatus for securely and dynamically modifying security policy configurations in a distributed system
US7398308B2 (en) Distributed policy model for access control
US5544322A (en) System and method for policy-based inter-realm authentication within a distributed processing system
Tari et al. A role-based access control for intranet security
US7827598B2 (en) Grouped access control list actions
US7397922B2 (en) Group security
WO1998040992A3 (en) Methods and apparatus for controlling access to information
US20030070089A1 (en) Method and apparatus to facilitate cross-domain push deployment of software in an enterprise environment
WO2002014988A2 (en) A method and an apparatus for a security policy
US20020138738A1 (en) Method and apparatus for securely and dynamically managing user attributes in a distributed system
ATE519323T1 (en) SECURING LDAP (LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL) TRAFFIC
US20100050246A1 (en) Trusting security attribute authorities that are both cooperative and competitive
US20050198330A1 (en) Data management server, data management method and computer program
JP2000047924A (en) System and method for restricting database access to managed object information using permission table that specifies access right corresponding to user access right to managed object
CN109413080B (en) Cross-domain dynamic authority control method and system
CN100586123C (en) A safe audit method based on role management and system thereof
JP2004530230A (en) How to manage access and use of resources by checking conditions and conditions used with them
Spreitzer et al. Dealing with server corruption in weakly consistent, replicated data systems
Li et al. Access control for the services oriented architecture
MXPA04007410A (en) Moving principals across security boundaries without service interruption.
Chadwick et al. Using SAML to link the GLOBUS toolkit to the PERMIS authorisation infrastructure
Kahan A capability-based authorization model for the world-wide web

Legal Events

Code Title Description
AK Designated states. Kind code of ref document: A2. Designated state(s): AU JP SG US
AL Designated countries for regional patents. Kind code of ref document: A2. Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE
121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase. Ref document number: 1999931983. Country of ref document: EP
WWE Wipo information: entry into national phase. Ref document number: 48386/99. Country of ref document: AU
WWE Wipo information: entry into national phase. Ref document number: 09720277. Country of ref document: US
WWP Wipo information: published in national office. Ref document number: 1999931983. Country of ref document: EP
WWG Wipo information: grant in national office. Ref document number: 48386/99. Country of ref document: AU
WWW Wipo information: withdrawn in national office. Ref document number: 1999931983. Country of ref document: EP