Method and system of security location discrimination

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate

Details

C713S152000

active

06308273

ABSTRACT:

FIELD OF THE INVENTION
The invention relates generally to computer systems, and more particularly to an improved security model for computer systems.
BACKGROUND OF THE INVENTION
Current computer security systems determine a user's access to network resources based on permissions granted according to the user's credentials. This user-centric model provides a great deal of flexibility for the increasingly mobile/remote user population. For example, remote access servers and Internet connectivity allow a user to transparently access corporate resources from virtually anywhere.
While this flexibility provides advantages to both the user and the owner of the network (e.g., a corporate enterprise), such increased availability and easy connectivity inherently elevate the risk of unauthorized access. Although encrypted network communication prevents wire eavesdropping, allowing remote access to sensitive corporate resources still has an intrinsic risk. Indeed, regardless of how protected the resources (such as files) are when they are transmitted, there is still likely to be a subset of sensitive corporate resources that the company does not want authorized users to be accessing from just anywhere.
For example, a laptop-computer user may inadvertently display highly confidential corporate strategy to unintended viewers, such as when working on an airplane. New, wider-angle laptop screens make it even more difficult to prevent other passengers from peering at the monitor contents. Similarly, with the escalating population of mobile users, the theft or loss of a notebook computer increasingly threatens the security of sensitive corporate data. A user's account and password also may be stolen, particularly if maintained on a stolen laptop. As long as the user has the proper credentials, existing security mechanisms make it simple to remotely download files and perform other remote actions, thus contributing to these and other security risks.
In short, remote access servers (RAS) and Internet connectivity enable users to access corporate resources from virtually any location. However, certain locations (particularly remote locations) are less secure than others. For example, because of portability and increased access, files downloaded to a laptop computer are easier to steal than files on a desktop machine in a corporate office. Similarly, unauthorized persons who obtain user accounts and passwords are most likely to attempt to access corporate resources from a remote location.
SUMMARY OF THE INVENTION
Briefly, the present invention provides an improved computer network security system and method wherein access to network resources is based on information that includes the location of the connecting user. Ordinarily, the less trusted the location of the user, the more the access rights assigned to the user are restricted. A discrimination mechanism determines the location of a user with respect to categories of a security policy, such as to distinguish local users, intranet users and dial-up users from one another. A security provider establishes the access rights of the user, such as by setting up an access token for the user based on information including the location and the user's credentials. An enforcement mechanism uses the access rights set up for the user to determine whether to grant or deny access to resources. The location-based access rights may be restricted with respect to the user's normal access rights in accordance with the security policy. For example, the processes of a local user may not be restricted beyond the user-based security information in the user's normal access token, while the same user connecting via a dial-up connection will have restricted processes. Preferably, restricted tokens are used to implement the location-based discrimination by restricting the access of users connecting from less trusted locations.
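The three mechanisms named in the summary, modelled as an added Python example that is not part of the patent text. The location categories come from the summary; the policy table, group names, address range and function names are assumptions made for illustration, and restriction is modelled here simply as removing groups from the token.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy (assumption): for each location category in the summary,
# the groups stripped from the user's normal token when connecting from there.
POLICY = {
    "local":    frozenset(),
    "intranet": frozenset({"strategy-readers"}),
    "dial-up":  frozenset({"strategy-readers", "finance"}),
}
INTRANET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range


@dataclass(frozen=True)
class Token:
    user: str
    location: str
    groups: frozenset


def discriminate(via: str, source_ip: Optional[str] = None) -> str:
    """Discrimination mechanism: map a connection to a policy category."""
    if via == "console":
        return "local"
    if via == "lan" and source_ip is not None:
        try:
            if ipaddress.ip_address(source_ip) in INTRANET:
                return "intranet"
        except ValueError:
            pass  # malformed address: fall through to the least trusted category
    return "dial-up"  # RAS and anything unrecognised fail closed


def build_token(user: str, normal_groups: set, via: str,
                source_ip: Optional[str] = None) -> Token:
    """Security provider: credential-based groups minus location restrictions."""
    location = discriminate(via, source_ip)
    return Token(user, location, frozenset(normal_groups) - POLICY[location])


def access_check(token: Token, required_group: str) -> bool:
    """Enforcement mechanism: grant or deny from the token alone."""
    return required_group in token.groups
```

The point to notice is the last line of `discriminate`: a connection that cannot be placed in a known category receives the most restricted token rather than the normal one.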
Other objects and advantages will become apparent from the following detailed description when taken in conjunction with the drawings, in which:


