Classification: Multiplex communications / Pathfinding or routing / Switching a message which includes an address header
Type: Reexamination Certificate
Filing date: 1999-05-19
Publication date: 2004-10-19
Examiner: Luther, William (Department: 2664)
US classes: 370/901, 709/203, 719/315, 713/182
Status: active
Patent number: 06807181
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates, in general, to enterprise computing systems and methods, and, more particularly, to a method and system which provides secure client/server interactions in a distributed computing environment.
2. Relevant Background
Computer systems including business systems, entertainment systems, and personal communication systems are increasingly implemented as distributed software systems. These systems are alternatively referred to as “enterprise networks” and “enterprise computing systems”. These systems include application code and data that are distributed among a variety of data structures, data processor systems, storage devices and physical locations. They are intended to serve a geographically diverse and mobile set of users. This environment is complicated because system users move about the distributed system, using different software applications to access and process data, different hardware to perform their work, and often different physical locations to work from. These trends create a difficult problem in providing a secure yet consistent environment for the users.
In general, distributed computing systems must scale well. This means that the system architecture desirably adapts to more users, more applications, more data, and more geographical distribution of the users, applications, and data. The cost in money and time to switch a network architecture that is adapted to a smaller business over to one suited for a larger business is often prohibitive.
A conventional computing system uses a client/server model implemented on a local area network (LAN). In such systems powerful server computers (e.g., application servers and file servers) are used to process and access data. The requested data is then transmitted to the client computer for further processing. To scale to larger networks, multiple LANs may be internetworked using, for example, leased data lines to create a wide area network (WAN). The equipment required to implement a WAN is expensive and difficult to administer. Also, as networks become larger to include multiple LANs and multiple servers on each LAN it becomes increasingly difficult to find resources (i.e., files, applications, and users) on any one of the LANs.
Moreover, conventional network solutions do not scale well because, as the network becomes larger, it becomes increasingly difficult to identify and locate the resources needed by the various network clients. Enterprise networks typically use directory and meta-directory services to keep track of resources. Directories are data structures that hold information such as mail address book entries, printer locations, public key infrastructure (PKI) information, and the like. Because of the range of functions and the differing needs of the applications that drive them, most organizations end up with many different, disparate directories. Each directory mechanism, and each type of information a directory maintains, may require different information from the user in order to operate effectively. For example, a name and address directory may require only the user's ID to verify access permissions for read operations, but may require authentication information, such as a signature, for write/modify operations. As the number and variety of directories increases, it becomes increasingly difficult to manage these varying demands.
Meta-directories are a solution that provides directory integration to unify and centrally manage disparate directories within an enterprise. A meta-directory product is intended to provide seamless integration of the multiple disparate directories. However, because meta-directories involve a wider range of data types than individual directory mechanisms, managing the user-specific information required by the individual directories becomes even more complex. Also, a meta-directory product must be aware of the user information required by each of the data structures that it is supposed to integrate. This required knowledge makes meta-directories difficult to maintain in a computing environment that is rapidly changing. As a result, meta-directory solutions are not sufficiently extensible to account for the wide variety of resources available on a distributed network. In the past, meta-directory technology has not been used to catalog meta-data of a sufficiently general nature to meet the needs of a dynamically growing and changing distributed computing environment.
Another complicating influence is that networks are becoming increasingly heterogeneous on many fronts. Network users, software, hardware, and geographic boundaries are continuously changing and becoming more varied. For example, a single computer may have multiple users, each of whom works more efficiently if the computer is configured to meet their needs. Conversely, a single user may access a network using multiple devices such as a workstation, a mobile computer, a handheld computer, or a data appliance such as a cellular phone or the like. A user may, for example, use a full-featured e-mail application to access e-mail while working from a workstation but prefer a more compact application to access the same data when using a handheld computer or cellular phone. In each case, the network desirably adapts to the changed conditions with minimal user intervention.
In order to support mobile users, a conventional network had to provide a gateway for remote access. Typically this was provided by a remote access server coupled to a modem. Remote users would dial up the modem, comply with authorization and/or authentication procedures enforced by the server, then gain access to the network. In operation, the mobile user's machine becomes like a “dumb terminal” that displays information provided to it over the dial-up connection, but does not itself process data. For example, a word processing program is actually executing on the remote access server, and the remote user's machine merely displays a copy of the graphical user interface to the remote user. A remote user would establish a session, perhaps a secure session if authorization and authentication procedures were used, and all communication after session establishment would be considered authentic. Both the client and server had to maintain state information to track the session state. The reliance on state information and session methodology remains difficult to implement on insecure, “best efforts” type networks such as the Internet. A “best efforts” type network is one in which data packets may be dropped if they are undeliverable. When packets can be lost, state synchronization is interrupted, and non-recoverable errors in transaction processing may result.
There is increasing interest in remote access systems that enable a user to access a LAN/WAN using public, generally insecure, “best efforts” type communication channels such as the Internet. Further, there is interest in enabling LANs to be internetworked using public communication channels. This is desirable because the network administrator can provide a single high speed gateway to the Internet rather than a remote server/modem combination for each user and expensive WAN communication lines. The Internet gateway can use leased lines to access the Internet rather than more costly business phone lines. Also, the Internet gateway can be shared among a variety of applications and so the cost is not dedicated solely to providing remote access or wide area networking. The reduction in hardware cost and recurrent phone line charges would be significant if remote users could access the LAN/WAN in this manner.
As used herein, the term “control data” refers to any data associated with a client request that is used to effect the response as distinguished from the actual request or response data. Systems which permit access of their internal network from a remote site through outside unsecured network connections like the Internet greatly increase the risk of an unauthorized network intrusion. A network intruder may potentially read, modi
Attorney, Agent or Firm: Hogan & Hartson LLP (Kubida, William J.; Langley, Stuart T.)
Assignee: Sun Microsystems Inc.
Title: Context based control data