Tunneling using encryption

US9276920B2 · US · B2

Patent metadata
Field               Value
Publication number  US-9276920-B2
Application number  US-201313967205-A
Country             US
Kind code           B2
Filing date         Aug 14, 2013
Priority date       Mar 10, 1997
Publication date    Mar 1, 2016
Grant date          Mar 1, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control database to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL entity. The policy server assembles the information needed for the response to the query from various information sources, including sources external to the policy server.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for tunneling using encryption, the method comprising: receiving a data packet at a first access filter in a first internal network, the data packet sent from a client device in the first internal network, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address; executing instructions stored in memory of the first access filter, wherein execution of the instructions by a processor: encrypts the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted, and adds a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet; and sending the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter: verifies that the data packet is from the first access filter as indicated by the new header, and removes the new header and decrypts the data packet to obtain the original header based on the verification.

2. The method of claim 1, wherein contents of the data packet remain encrypted while passing through the Internet.

3. The method of claim 1, wherein the data packet is associated with one or more other IP addresses of the second internal network, and wherein the other IP addresses remain encrypted while passing through the Internet.

4. The method of claim 3, wherein only the IP addresses of the first and second access filters are unencrypted.

5. A method for tunneling using encryption, the method comprising: receiving an encrypted data packet at a first access filter in a first internal network, the data packet sent from a second access filter in a second internal network, wherein the encrypted data packet includes a new header indicating that the second access filter is a source address and the first access filter is a destination address, wherein an original header of the encrypted data packet remains encrypted during transmission through the Internet; and executing instructions stored in memory of the first access filter, wherein execution of the instructions by a processor: analyzes identification information associated with the data packet to verify that the data packet is from the second access filter, removes the new header of the data packet and decrypts the data packet based on verification that the data packet is from the second access filter as indicated by the new header, wherein the decrypted data packet includes the original header of the data packet, wherein the original header specifies an internet protocol (IP) address in the second internal network as a destination address of the decrypted data packet; and processes the data packet based on the original header.

6. The method of claim 5, wherein contents of the data packet remain encrypted while passing through the Internet.

7. The method of claim 5, wherein the data packet is associated with one or more other IP addresses of the first internal network, and wherein the other IP addresses remain encrypted while passing through the Internet.

8. The method of claim 7, wherein only the IP addresses of the first and second access filters are unencrypted.

9. A system for tunneling using encryption, the system comprising a client device in a first internal network; and a first access filter in the first internal network, the first access filter comprising: a communication interface that receives a data packet sent from the client device, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address; a processor that executes instructions stored in memory, wherein execution of the instructions by the processor: encrypts the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted, adds a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet; wherein the communication interface sends the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter: verifies that the data packet is from the first access filter as indicated by the new header, and removes the new header and decrypts the data packet to obtain the original header based on the verification.

10. The system of claim 9, wherein contents of the data packet remain encrypted while passing through the Internet.

11. The system of claim 9, wherein the data packet is associated with one or more other IP addresses of the first internal network, and wherein the other IP addresses remain encrypted while passing through the Internet.

12. The system of claim 9, wherein only the IP addresses of the first and second access filters are unencrypted.

13. The system of claim 9, further comprising the second access filter.

14. A system for tunneling using encryption, the system comprising a first access filter in a first internal network, the first access filter comprising: a communication interface that receives an encrypted data packet sent from a second access filter in a second internal network, wherein the encrypted data packet includes a header indicating that the second access filter is a source address and the first access filter is a destination address, wherein an original header of the encrypted data packet remains encrypted during transmission through the Internet; and a processor that executes instructions stored in memory, wherein execution of the instructions by the processor: analyzes identification information associated with the data packet to verify that the data packet is from the second access filter, removes the header of the data packet and decrypts the data packet based on verification that the data packet is from the second access filter as indicated by the header, wherein the decrypted data packet includes the original header of the data packet, wherein the original header specifies an internet protocol (IP) address in the second internal network as a destination address of the decrypted data packet; and processes the data packet based on the original header.

15. The system of claim 14, wherein contents of the data packet remain encrypted while passing through the Internet.

16. The system of claim 14, wherein the data packet is associated with one or more other IP addresses of the second internal network, and wherein the other IP addresses remain encrypted while passing through the Internet.

17. The system of claim 14, wherein only the IP addresses of the first and second access filters are unencrypted.

18. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for tunneling using encryption, the method
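The encapsulation the claims describe, as an added example written for this page (not code from the patent or its assignee): the first access filter encrypts the whole client packet, original header included, under keys shared with the second filter and prepends a new header naming only the two filters; the receiver checks that header and an authentication tag before stripping it and decrypting. Assumed for the demo: an 8-byte source/destination header in place of a full IP header, a shared secret in place of keys established under the shared certificate, and an HMAC-based stream cipher in place of a production AEAD.

```python
import hmac, hashlib, os, struct, ipaddress

# Constructed sample: the two access filters' public addresses and one shared secret,
# standing in for keys established under the certificate the claims say they share.
SHARED_SECRET = b"constructed-demo-secret-shared-by-AF1-and-AF2"
AF1, AF2 = "203.0.113.10", "198.51.100.20"

def derive(label):
    return hmac.new(SHARED_SECRET, label, hashlib.sha256).digest()

K_ENC, K_MAC = derive(b"enc"), derive(b"mac")

def header(src, dst):
    # Minimal 8-byte header (source, destination) standing in for a full IP header.
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed

def keystream(nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in for a real AEAD cipher (demo only).
    blocks = (hmac.new(K_ENC, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encapsulate(inner_packet, af_src, af_dst):
    """First access filter: encrypt the whole inner packet, original header included,
    then prepend a new header that names only the two access filters."""
    nonce = os.urandom(12)
    ct = xor(inner_packet, keystream(nonce, len(inner_packet)))
    outer = header(af_src, af_dst)
    # The tag covers the new header too, so a forged or altered outer source is detected.
    tag = hmac.new(K_MAC, outer + nonce + ct, hashlib.sha256).digest()
    return outer + nonce + ct + tag

def decapsulate(wire, expected_peer, my_addr):
    """Second access filter: verify the packet is from the peer named in the new header
    before stripping that header and decrypting. Returns (original_header, payload) or None."""
    outer, nonce, ct, tag = wire[:8], wire[8:20], wire[20:-32], wire[-32:]
    if outer != header(expected_peer, my_addr):
        return None  # Not addressed between the two filters sharing this key: drop.
    expected = hmac.new(K_MAC, outer + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # Header or body altered in transit, or wrong key: drop.
    inner = xor(ct, keystream(nonce, len(ct)))
    return inner[:8], inner[8:]
```

On the wire only `wire[:8]`, the two filter addresses, is readable; the client addresses in the original header travel inside the ciphertext, which is what claims 3, 4 and their counterparts require.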

Assignees

Dell Software Inc

Inventors

Classifications

  • H04L63/105 (Primary)

    Multiple levels of security · CPC title

  • H04L63/08 (Primary)

    for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • where protection concerns the structure of data, e.g. records, types, queries · CPC title

  • applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9276920B2 cover?
A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base to determine whether an access request is made by a user. Each user belongs to one or more user groups and each informa…
Who is the assignee on this patent?
Dell Software Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/105. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 1, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).