WO2005067260A1 - Method and system for delegating access to computer network resources - Google Patents


Info

Publication number: WO2005067260A1
Authority: WO (WIPO, PCT)
Application number: PCT/US2004/043406
Other languages: French (fr)
Inventors: Dennis Vance Pollutro, Andrew A. Almquist
Original assignee: Applied Identity
Prior art keywords: network, users, network resources, access, gateway

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/0272 Virtual private networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities

Definitions

  • the computer program instructions cause a single physical gateway to implement a method of delegating access rights to network resources.
  • the method includes receiving requests from users for access to network resources through a single physical gateway.
  • the method also includes restricting access of users to a respective, selected one or respective, selected ones of the network resources based on a logical division within the network related to identities of the users.
  • Figure 1 is a block diagram illustrating a conventional network subdivision scheme
  • Figure 2A is a block diagram illustrating a network segment including 3 servers that are accessible through a single network gateway in accordance with an exemplary embodiment of the present invention
  • Figure 2B is a block diagram illustrating a network gateway of Figure 2A
  • Figure 3 is a block diagram illustrating a delegation of access rights to certain network resources provided to a single user in accordance with an exemplary embodiment of the present invention
  • Figure 4 is a block diagram illustrating another delegation of access rights to certain network resources provided to a single user in accordance with another exemplary embodiment of the present invention
  • Figure 5 is a block diagram illustrating another delegation of access rights to certain network resources provided to a single user in accordance with yet
  • SYNC-101WO also relates to computer system security, and is also incorporated by reference herein in its entirety.
  • the present invention relates to a security system that allows or rejects network communications to simulate a physically subdivided network behind that security system.
  • a security system for information is provided.
  • methods of providing access to information, and restricting access to information, using the security system are also disclosed.
  • the disclosed invention is particularly suited to securing remotely accessed network environments reached through a network connection, though other applications are contemplated as well.
  • a method of simultaneously creating a desired number of effective network segments using a single network gateway is provided.
  • Such network segments may optionally be created without physical changes in the network segment (e.g., wiring changes, etc.) and without installation of additional network gateways.
  • Such methods optionally utilize a pattern of allowed communication pathways (i.e., delegations) between a user and the network resources (i.e., applications, servers and ports) on the physical network segment.
  • communication between the user and the network resources on the physical network segment may be restricted according to the pattern of allowed communication pathways for that user (i.e., the delegations, which may be stored in a permission table in a delegation database).
  • the methods and systems disclosed herein allow or reject communications from users with network resources through the gateway, thereby simulating a physically subdivided network behind the single physical gateway.
  • access to a network service is provided to an authorized user, and the network service is not exposed to unauthorized users.
  • a communications packet is sent to a single physical gateway from an external source (e.g., a user).
  • a determination is made as to whether the communications packet originated from a session owned by an authenticated user. If the user is authenticated to access the network resources, the communications packet is passed through the single physical gateway. If the user is not authenticated to access the network resources, the communications packet is rejected.
  • the time elapsed after receiving a communications packet from a user during the session is optionally calculated.
  • the session is optionally terminated upon the calculated time exceeding a predetermined value.
  • the single physical gateway controls the visibility of network resources to remote users of the network resources.
  • the single physical gateway acts as an umbrella over the network resources.
  • all connectivity to the network resources must pass through the single physical gateway, though embodiments are also contemplated in which connectivity to the network resources need not pass through a single physical gateway.
  • the single physical gateway simulates network subdivisions by connecting or rejecting communications to the network resources on a user by user basis.
  • the single physical gateway utilized in accordance with the present invention may include a number of features to ensure that once a user (i.e., the person accessing a network resource) is logged in, the user only has access to what he/she has been granted access to.
  • the single physical gateway controls access to network resources based on information related to user identity, group identity, permissions (i.e., rules permitting access to perform a specific action on an object), and objects (i.e., an entity that can have actions performed on it by a user).
  • Permissions to access objects are assigned to a user or to a group for an object relating the user, group, and object together.
  • a record giving a user access to an object may include, for example, a permission ID, a user ID (i.e., a unique identifier representing a single user), and/or an object ID (i.e., a unique identifier representing any object which can have permissions associated with it).
  • the record may contain the permission ID, the group ID (i.e., a unique identifier representing a single group of users), and/or the object ID.
  • a record exists that relates a user ID to a group ID. This allows permission to access an object to be granted to a group or to a user, while at the same time requiring permission to be granted in order for the access to be permitted.
  • a number of actions optionally take place to determine what the user is permitted to do to an object.
  • the system may first check to determine the group that the current user belongs to, and the relationship of the group to the permissions required to perform the desired action. If this check is not successful (i.e., the user does not belong to any groups having permission to perform the desired action), the system may continue to determine if the user is related to the permission required to perform the action. If neither of the above cases is true (i.e., the user does not belong to any groups having permission to perform the desired action and the user does not have permission to perform the desired action), the user is denied access. If either case is true, the action is performed. For example, the action could include viewing an object, modifying the content of an object, approving an object, creating an object, deleting an object, or any other appropriate action.
  • a timeout feature may also be provided whereby the expiration of a predetermined period of inactivity is used to determine when a session (and the session ID) between the user and a network resource should be terminated.
  • the inactivity/timeout period is continually updated.
  • the timeout period is set by resources in the network and if the user does not perform an action/interaction within the predetermined timeout period (i.e., a period set by the network resources), the session is terminated by deleting it from those same resources in the network. This allows a high level of security because no meaningful information is stored on the user's computer.
  • any information that might be stored in a file, for example, a cookie on the user's computer is no longer valid.
  • a number of checks may take place each time the user moves within the system in order to determine what resources the user can access.
  • the single physical gateway determines the identity of the user accessing the system.
  • the session may be validated by checking the user ID against a database of user IDs on the network. If a session ID does not exist, the session is invalid, and the user is forced to log in before accessing the system.
  • the single physical gateway retrieves the associated user ID and continues to perform whatever actions are necessary to finish displaying the approved information (e.g., network resources information residing behind the single physical gateway that is approved for use by the user).
  • the process of accessing a network resource begins with the user logging into the single physical gateway (e.g., logging in using a single sign on software that logs the user directly into the single physical gateway). Once logged in, the user can access network resources that connect to applications hosted on an application server and view objects if the client applications have been pre-configured with the addresses of the application servers.
  • the user can be provided with a unique token that provides a single use link to the application server.
  • the token either contains the information required to connect to the application server or retrieves the information required to connect to the application server.
  • the client application then connects to the application server, and the application server then displays all objects and applications approved for the user.
  • the figures described herein illustrate a method and system whose architecture may utilize common programming languages. This method and system contemplate the desire to provide secure access to all remote applications, software, and content.
  • the single physical gateway architecture can provide an efficient and meaningful security solution without the overhead of extra or robust hardware.
  • the single physical gateway architecture can operate with any number of application services or terminal services installed either on the local physical server, or in a configuration utilizing outside objects from remote servers or locations. By aggregating these objects, the end user is provided with desirable services defined by their current role in one location with a reduced investment in hardware.
  • This architecture allows for different and interchangeable service delivery options.
  • the system provides the end user with access to the services for which they have been granted access. As such, a more productive end user specific service is provided that, while unique to each and every user, also contemplates and mitigates the security risks associated with remote access to a multiple user network (e.g., a corporate network).
  • the method and system of the present invention may be implemented in a number of mediums.
  • the system can be installed on an existing computer system/server as software or may be provided as a single physical gateway. Further, the system can operate on a stand alone computer system (e.g., a security server) that is installed between another computer system (e.g., an application server) and an access point to another computer system. Further still, the system may operate from a computer readable carrier (e.g., solid state memory, optical disk, magnetic disk, radio frequency carrier wave, audio frequency carrier wave, etc.) that includes computer instructions (e.g., computer program instructions) related to the security system.
  • the present invention relates to the selective approval or rejection of communication through a single network gateway to the servers and/or network resources behind that gateway.
  • Figure 2A illustrates a delegation scheme 200 related to a single network segment placed behind (i.e., logically/operationally behind) a single network gateway 210 according to an exemplary embodiment of the invention.
  • Figure 2B illustrates a network gateway 210 of Figure 2A
  • Figures 3-5 illustrate various exemplary combinations of communication approvals and rejections that effectively result in different network subdivisions (e.g., representing different predetermined delegation schemes, i.e., logical division within the network that relates to user's identity) without the need to change the physical layout of the network (i.e., logically/operationally producing different network subdivisions using a single network gateway 210).
  • Figure 2A is a block diagram illustrating a delegation scheme 200 including network gateway 210 placed between a network segment including server 212, server 214, and server 216.
  • Figure 2B is a block diagram of a network gateway 210 of Figure 2A.
  • Figure 2A illustrates users 202, 204, and 206 (i.e., clients 202, 204, and 206) connected to network gateway 210 through cloud 208.
  • Cloud 208 represents any of a number of connections (e.g., a direct connection, an Internet based connection, etc.) between a client and network gateway 210.
  • Clients 202, 204, and 206 desire to retrieve applications/resources operating on one of servers 212, 214, and 216.
  • because network gateway 210 is desirably the only connection (i.e., a single physical connection point) between the illustrated user network segment and the illustrated server network segment, all communications pass through network gateway 210.
  • the network gateway 210 may include a gateway controller 225 and a storage unit 220 for storing a delegation database 230. That is, the gateway controller 225 may be disposed at a single physical connection point between the users and the plurality of network resources. Access to any of the network resources may be through the gateway controller 225 to restrict user access to a respective, selected one or respective, selected ones of the network resources based on a predetermined delegation scheme.
  • Network resources refers to applications residing on a server 212, 214 or 216 of the network, to a server 212, 214 or 216 itself, or to a port of the network gateway 210 or of a server 212, 214 or 216 of the network.
  • the delegation database 230 may store records in a permission table 240, as delegations, which correspond to patterns of allowed communication pathways according to identities of users.
  • the gateway controller 225 may control communications through the single physical connection point so as to allow access to a delegated subdivision of the network according to the delegations stored in the permission table 240 of the delegation database 230.
  • the network gateway 210 may be a single physical gateway and may include a number of features to ensure that once a user (i.e., the person accessing a network resource) is logged in, the user only has access to what he/she has been granted access to.
  • the single physical gateway 210 may control access to network resources based on information related to user identity, group identity, permissions (i.e., rules permitting access to perform a specific action on an object), and objects (i.e., an entity that can have actions performed on it by a user). Users may belong to a group, and users and groups are given permissions to access objects. Further, a page, application, web service, or document may be used to accomplish a delegation of access privileges.
  • Permissions to access objects may be assigned to a user or to a group for an object relating the user, group, and object together.
  • the record giving a user access to an object may include, for example, a permission ID, a user ID (i.e., a unique identifier representing a single user), and/or an object ID (i.e., a unique identifier representing any object which can have permissions associated with it).
  • the record may contain the permission ID, the group ID (i.e., a unique identifier representing a single group of users), and/or the object ID.
  • a record exists that relates a user ID to a group ID.
  • a number of actions optionally take place to determine what the user is permitted to do to an object.
  • the system may first check to determine the group that the current user belongs to, and the relationship of the group to the permissions required to perform the desired action. If this check is not successful (i.e., the user does not belong to any groups having permission to perform the desired action), the system may continue to determine if the user is related to the permission required to perform the action.
  • FIG. 3 is a block diagram illustrating an exemplary embodiment where network gateway 210 has been configured to allow communication between user 202 and servers 212 and 214, but not between user 202 and server 216.
  • FIG. 4 is a block diagram illustrating the case where network gateway 210 has been configured to allow communication between user 204 and servers 212 and 216, but not between user 204 and server 214. As shown on the right hand side of the "equals sign" in Figure 4, this is functionally equivalent to subdividing the server network segment into two segments: one segment with servers 212 and 216, and one segment with server 214 (accessed through imaginary network gateway 400).
  • FIG. 5 is a block diagram illustrating the case where network gateway 210 has been configured to allow communication between user 206 and servers 214 and 216, but not between user 206 and server 212. As shown on the right hand side of the "equals sign" in Figure 5, this is functionally equivalent to subdividing the server network segment into two segments: one segment with server 212 (accessed through imaginary network gateway 500), and one segment with servers 214 and 216. That is, the user 206 cannot view or communicate with server 212. By altering the communication pathways allowed through the network gateway, arbitrary network subdivisions may be virtually generated. This configuration is functionally equivalent to having a separate network segment and network gateway for each server or network resource.
  • Virtual network segments can be created and changed without changing the physical layout of the network and without the need for additional network gateways.
  • multiple virtual network segments can be created and presented to different users simultaneously.
  • the pattern of communications pathways allowed can be determined on a user-by-user basis and may be implemented on a port-by-port basis. This pattern can be stored in and retrieved from a database or directory.
  • the security system and the method for creating virtual network subdivisions disclosed herein have diverse applicability in a range of markets including financial services, horizontal wireless LAN (e.g., wireless sales force automation and contractor services), and government regulated markets such as banking and healthcare.
  • the present invention is not limited thereto.
  • although the present invention has been described primarily in terms of a client desiring to access a server through a single physical gateway, it is not limited thereto.
  • the client may desire to access any of a number of network resources (e.g., a server, a port, an application, etc.) through the single physical gateway.
  • the use of multiple physical gateways is also contemplated.
  • although the present invention has been largely described in terms of a user attempting to connect to a server/resource/application through a network gateway, it is not limited thereto.
  • the present invention may be embodied in software, in a machine (e.g., a computer system, a network gateway, etc.) that includes software in memory, or in a computer readable carrier configured to carry out the delegation method (e.g., in a self contained silicon device, a solid state memory, an optical disk, a magnetic disk, a radio frequency carrier wave, an audio frequency carrier wave, etc.).
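As an added illustration (this is not code from the patent or from Applied Identity), the following Python model implements the mechanism described above: a permission table whose rows relate a permission ID, an action and an object ID to either a user ID or a group ID, the group-first-then-user lookup, the per-user virtual segments of Figures 3 to 5, and a gateway that passes or rejects each packet based on the owning session and an inactivity timeout. All user, group, server and session names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample topology modelled on Figures 2A-5: three clients
# (202, 204, 206) and three servers (212, 214, 216) behind one gateway 210.
SERVERS: Tuple[str, ...] = ("server-212", "server-214", "server-216")


@dataclass
class Permission:
    """One row of the permission table: a delegation relating a permission ID,
    an action and an object ID to either a user ID or a group ID."""
    permission_id: int
    action: str                      # e.g. "connect", "view", "modify"
    object_id: str                   # the protected network resource
    user_id: Optional[str] = None    # set for a user-level delegation
    group_id: Optional[str] = None   # set for a group-level delegation


@dataclass
class DelegationDatabase:
    """Delegation database 230: permission table 240 plus user-to-group records."""
    permissions: List[Permission] = field(default_factory=list)
    membership: Dict[str, Set[str]] = field(default_factory=dict)  # user ID -> group IDs

    def is_permitted(self, user_id: str, action: str, object_id: str) -> bool:
        """Group check first, then user check; deny if neither relation exists."""
        groups = self.membership.get(user_id, set())
        relevant = [p for p in self.permissions
                    if p.action == action and p.object_id == object_id]
        if any(p.group_id is not None and p.group_id in groups for p in relevant):
            return True
        if any(p.user_id == user_id for p in relevant):
            return True
        return False

    def virtual_segment(self, user_id: str, action: str = "connect") -> Tuple[str, ...]:
        """The servers this user can see: the user's simulated network segment."""
        return tuple(s for s in SERVERS if self.is_permitted(user_id, action, s))


@dataclass
class Session:
    user_id: str
    last_activity: float   # time the last packet was received from the user


class Gateway:
    """Gateway controller 225: every packet is admitted or rejected per user."""

    def __init__(self, db: DelegationDatabase, timeout_seconds: float) -> None:
        self.db = db
        self.timeout = timeout_seconds
        self.sessions: Dict[str, Session] = {}   # session state lives on the gateway, not the client

    def login(self, session_id: str, user_id: str, now: float) -> None:
        self.sessions[session_id] = Session(user_id, now)

    def handle_packet(self, session_id: str, object_id: str, action: str, now: float) -> str:
        """Return "PASS" if the packet is forwarded, otherwise a rejection reason."""
        session = self.sessions.get(session_id)
        if session is None:                       # no session ID: the user must log in
            return "REJECT: no session"
        if now - session.last_activity > self.timeout:
            del self.sessions[session_id]         # inactivity timeout: session deleted on the gateway
            return "REJECT: session expired"
        session.last_activity = now               # inactivity clock is continually updated
        if not self.db.is_permitted(session.user_id, action, object_id):
            return "REJECT: not delegated"
        return "PASS"


def build_sample_db() -> DelegationDatabase:
    """Constructed delegations reproducing Figures 3, 4 and 5."""
    db = DelegationDatabase()
    db.membership = {"user-202": {"group-a"}, "user-206": {"group-b"}}
    db.permissions = [
        Permission(1, "connect", "server-212", group_id="group-a"),   # Fig. 3: user 202 -> 212, 214
        Permission(2, "connect", "server-214", group_id="group-a"),
        Permission(3, "connect", "server-212", user_id="user-204"),   # Fig. 4: user 204 -> 212, 216
        Permission(4, "connect", "server-216", user_id="user-204"),
        Permission(5, "connect", "server-214", group_id="group-b"),   # Fig. 5: user 206 -> 214, 216
        Permission(6, "connect", "server-216", group_id="group-b"),
    ]
    return db


if __name__ == "__main__":
    gw = Gateway(build_sample_db(), timeout_seconds=300)
    gw.login("sess-1", "user-204", now=0.0)
    for server in SERVERS:
        print(server, gw.handle_packet("sess-1", server, "connect", now=10.0))
```

The same permission table serves all three users at once, which is the point of the patent: the three different "virtual segments" exist simultaneously behind one gateway without any wiring change.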

Abstract

A gateway device for controlling access rights and method of delegating access rights to users for network resources are provided. The method includes inserting a single physical gateway (210) between the users (202, 204, and 206) and the plurality of network resources (212, 214 and 216) such that access to any of the network resources is through the physical gateway (210). The method also includes restricting access of the users to a respective, selected one or respective selected ones of the network resources (212, 214, and 216) based on a logical division within the network related to identities of the users. The gateway device includes a gateway controller (250) disposed at a single physical connection point between the users and the plurality of network resources (212, 214, and 216) such that access to any of the network resources (212, 214, and 216) is through the gateway controller (250) to restrict access of the users (202, 204, and 206) to a respective, selected one or respective selected ones of the network resources (212, 214, and 216) based on the predetermined delegation scheme.

Description

METHOD AND SYSTEM FOR DELEGATING ACCESS TO COMPUTER NETWORK RESOURCES
CROSS REFERENCE TO RELATED CASES This PCT application claims the benefit of U.S. Provisional Application
60/533,768 filed in the U.S. Patent and Trademark Office on December 31, 2003, the contents of which are herein incorporated by reference. FIELD OF THE INVENTION This invention relates to computer system security, and more particularly, to a method and system for delegating access to computer network resources based on an identity of a user of the network resources. BACKGROUND OF THE INVENTION It is often desirable to control the accessibility of computer system resources that are accessible through networks such as LANs, WANs, and the Internet. Recently, security and access concerns have grown as malicious trespasses have increased the desirability to have improved access control. Further, the heightened state of awareness related to threats of cyber terrorism make the desire to reduce existing vulnerabilities greater than ever before. To restrict access to network resources, conventional networks may be physically subdivided. In certain configurations, network segments are completely unconnected to any other network segment in order to provide improved security Moreover, security may be compromised for network segments that grant access to users that are on another network segment. Thus, network segments are typically connected to other network segments through physical gateways such as routers, switches and firewalls. A user's access to a given network segment depends upon their physical connection point to the network. Unfortunately, this subdivision of the network is related to the physical placement of the network wiring and the physical gateway components. Designing a network subdivision scheme separating each network segment using a physical gateway component can involve a substantial amount of planning and financial resources, as well as significant physical set-up time. Further, modifying such a network subdivision scheme may involve a significant amount of time to plan and physically configure the network subdivisions. 
Thus, this type of network subdivision is undesirably inflexible. Figure 1 is a block diagram illustration of a typical network subdivision scheme 100. In this scheme, each of users 102, 104 and 106 are separated from server segment 114 by network gateway 108. The entire network is connected to a public network (including users 102, 104 and 106) through network gateway 108. Server segment 114 is separated from server segment 116 by network gateways 108 and 110 and server segment 114 is separated from server segment 118 by network gateway 112. There is no direct connection between server segment 116 and server segment 118. If one of users 102, 104, and 106 is granted access through network gateway 108, that user can access any server in server segment 114. If it is further desired to grant the user access to server segment 116 but not server segment 118, the user would be granted access through network gateway 110 but not network gateway 112; however, the user would have access to all servers on the entire server segment 116.
To alter the user's access to individual servers within a server segment would involve moving those servers physically from one network segment to another and possibly subdividing the network further by adding more network gateways. Thus, according to exemplary conventional network subdivision schemes, the ability to grant user access on a server-by-server basis involves a separate network segment and network gateway for each server. Such a network is typically prohibitively expensive, and is also complex to create and manage. As such, it would be desirable to create a network scheme that could be configured to allow user access on a server-by-server basis (or a port-by-port basis) that overcomes one or more of the above-cited deficiencies of existing network subdivision schemes.

SUMMARY OF THE INVENTION

According to an exemplary embodiment of the present invention, a method of delegating access rights to users for a plurality of network resources is provided. The method includes inserting a single physical gateway between users and a plurality of network resources such that access to any of the network resources is through the physical gateway. The method also includes restricting access of users to a respective, selected one or respective, selected ones of the network resources based on a logical division within the network related to the identities of the users. In yet another exemplary embodiment of the present invention, a method includes controlling a respective user's ability to view a selected one or respective selected ones of the network resources and ability to communicate with the respective, selected one or respective, selected ones of the network resources using a gateway device operationally interposed between the users and the plurality of network resources such that the respective user has access to only a portion of the network resources of the network.
In yet another exemplary embodiment of the present invention, a method includes establishing a logical division of a network to control communications between respective users and respective network resources through a single physical gateway, and restricting access of each respective user to a respective, selected one or respective, selected ones of the network resources based on the established logical division related to identities of the users. In yet another exemplary embodiment of the present invention, a gateway device for controlling access to users for a plurality of network resources of a network is provided. The gateway device includes a gateway controller disposed at a single physical connection point between the users and the plurality of network resources such that access to any of the network resources is through the gateway controller to restrict access of the users to a respective, selected one or respective selected ones of the network resources based on a logical division within the network. In yet another exemplary embodiment of the present invention, a computer system is provided. For example, the computer system may be a single physical gateway. The computer system includes a microprocessor and a computer readable medium. The computer readable medium includes computer program instructions which cause the computer system to implement a method of delegating access rights to users for a plurality of network resources. The method includes receiving requests from users for access to network resources through a single physical gateway. The method also includes restricting access of users to a respective, selected one or respective, selected ones of the network resources based on a logical division within the network related to identities of the users. In yet another exemplary embodiment of the present invention, a computer readable carrier including computer program instructions is provided.
The computer program instructions cause a single physical gateway to implement a method of delegating access rights to network resources. The method includes receiving requests from users for access to network resources through a single physical gateway. The method also includes restricting access of users to a respective, selected one or respective, selected ones of the network resources based on a logical division within the network related to identities of the users.

BRIEF DESCRIPTION OF THE DRAWINGS

Exemplary embodiments of the invention will be described with reference to the drawings, of which:
Figure 1 is a block diagram illustrating a conventional network subdivision scheme;
Figure 2A is a block diagram illustrating a network segment including 3 servers that are accessible through a single network gateway in accordance with an exemplary embodiment of the present invention;
Figure 2B is a block diagram illustrating a network gateway of Figure 2A;
Figure 3 is a block diagram illustrating a delegation of access rights to certain network resources provided to a single user in accordance with an exemplary embodiment of the present invention;
Figure 4 is a block diagram illustrating another delegation of access rights to certain network resources provided to a single user in accordance with another exemplary embodiment of the present invention; and
Figure 5 is a block diagram illustrating another delegation of access rights to certain network resources provided to a single user in accordance with yet another exemplary embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Preferred features of selected embodiments of this invention will now be described with reference to the figures. It will be appreciated that the spirit and scope of the invention are not limited to the embodiments selected for illustration. It is contemplated that any of the embodiments described hereafter can be modified within the scope of this invention.
The present invention relates to computer system security. U.S. patent application 10/423,444, filed April 25, 2003, entitled "COMPUTER SECURITY SYSTEM," also relates to computer system security, and is incorporated by reference herein in its entirety. PCT International Patent Application filed on December 15, 2004 and entitled "COMPUTER SECURITY SYSTEM" (Attorney Docket No. SYNC-101WO) also relates to computer system security, and is also incorporated by reference herein in its entirety. Generally, the present invention relates to a security system that allows or rejects network communications to simulate a physically subdivided network behind that security system. Thus, users going through (i.e., communicating through) a single physical gateway (i.e., the security system) are preferably presented with an arbitrary view of the network behind the gateway. Through the various exemplary embodiments disclosed herein, a security system for information is provided. Additionally, methods of providing access to information, and restricting access to information, using the security system, are also disclosed. The disclosed invention is particularly suited to the security of network environments accessed remotely through a network connection, though other applications are contemplated as well. Through various exemplary embodiments of the present invention, a method of simultaneously creating a desired number of effective network segments using a single network gateway is provided. Such network segments may optionally be created without physical changes in the network segment (e.g., wiring changes, etc.) and without installation of additional network gateways. Such methods optionally utilize a pattern of allowed communication pathways (i.e., delegations) between a user and the network resources (i.e., applications, servers and ports) on the physical network segment.
By determining the identity of a user, communication between the user and the network resources on the physical network segment may be restricted according to the pattern of allowed communication pathways (i.e., as delegations that may be stored in a permission table in a delegation database) for that user. Thus, the methods and systems disclosed herein allow or reject communications from users with network resources through the gateway, thereby simulating a physically subdivided network behind the single physical gateway. According to an exemplary embodiment of the present invention, access to a network service is provided to an authorized user, and the network service is not exposed to unauthorized users. According to certain exemplary embodiments of the present invention, a communications packet is sent to a single physical gateway from an external source (e.g., a user). A determination is made as to whether the communications packet originated from a session owned by an authenticated user. If the user is authenticated to access the network resources, the communications packet is passed through the single physical gateway. If the user is not authenticated to access the network resources, the communications packet is rejected. According to certain exemplary embodiments of the present invention, the time elapsed after receiving a communications packet from a user during the session is optionally calculated. The session is optionally terminated upon the calculated time exceeding a predetermined value. When used in conjunction with a network, the single physical gateway controls the visibility of network resources to remote users of the network resources. The single physical gateway acts as an umbrella over the network resources.
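The session-gated packet handling and the inactivity timeout just described, as an added Python illustration (not code from the patent or from Applied Identity): the class and method names, the 300 s timeout and the sample packets are this example's own constructed choices.

```python
"""Session-gated packet filter with an inactivity timeout (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets


@dataclass
class Session:
    user_id: str
    last_seen: float  # clock reading of the last packet accepted for this session


@dataclass
class Packet:
    session_id: Optional[str]  # session token carried by the packet, None if absent
    dst_port: int
    payload: bytes = b""


class SessionGateway:
    """The single physical gateway: every packet to the resources behind it goes through forward()."""

    def __init__(self, idle_timeout_s: float) -> None:
        self.idle_timeout_s = idle_timeout_s   # predetermined value, set on the network side
        self._sessions: Dict[str, Session] = {}
        self.log: List[str] = []

    def login(self, user_id: str, now: float) -> str:
        """Open a session for an authenticated user (the credential check itself is out of scope).

        The session ID is a random high-entropy token; the user identity lives only in the
        gateway's table, so a cookie left on the client is meaningless once the session is gone."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id=user_id, last_seen=now)
        return sid

    def _expire_idle(self, now: float) -> None:
        """Delete every session whose idle time exceeds the timeout (the termination step)."""
        for sid, s in list(self._sessions.items()):
            if now - s.last_seen > self.idle_timeout_s:
                del self._sessions[sid]
                self.log.append(f"session of {s.user_id} terminated: idle {now - s.last_seen:.0f}s")

    def owner_of(self, packet: Packet, now: float) -> Optional[str]:
        """Return the authenticated user owning the packet's session, or None if there is none."""
        self._expire_idle(now)
        if packet.session_id is None:
            return None                       # no session ID at all: the user must log in first
        s = self._sessions.get(packet.session_id)
        if s is None:
            return None                       # unknown or already terminated session ID
        s.last_seen = now                     # inactivity timer is refreshed on each accepted packet
        return s.user_id

    def forward(self, packet: Packet, now: float) -> bool:
        """Pass the packet through the gateway iff it belongs to a live authenticated session."""
        user = self.owner_of(packet, now)
        if user is None:
            self.log.append(f"rejected packet to port {packet.dst_port}: no authenticated session")
            return False
        self.log.append(f"passed packet from {user} to port {packet.dst_port}")
        return True

    def active_sessions(self) -> int:
        return len(self._sessions)


def demo() -> List[bool]:
    """Constructed traffic against a gateway with a 300 s inactivity timeout."""
    gw = SessionGateway(idle_timeout_s=300)
    sid = gw.login("alice", now=0.0)
    return [
        gw.forward(Packet(session_id=None, dst_port=443), now=1.0),      # no session -> rejected
        gw.forward(Packet(session_id="forged", dst_port=443), now=2.0),  # unknown ID -> rejected
        gw.forward(Packet(session_id=sid, dst_port=443), now=3.0),       # live session -> passed
        gw.forward(Packet(session_id=sid, dst_port=22), now=200.0),      # 197 s idle -> still passed
        gw.forward(Packet(session_id=sid, dst_port=22), now=600.0),      # 400 s idle -> terminated
    ]


if __name__ == "__main__":
    print(demo())  # [False, False, True, True, False]
```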
According to one exemplary embodiment of the present invention, all connectivity to the network resources must pass through the single physical gateway, though embodiments are also contemplated in which connectivity to the network resources need not pass through a single physical gateway. The single physical gateway simulates network subdivisions by connecting or rejecting communications to the network resources on a user-by-user basis. Connections and rejections can be changed arbitrarily, thus simulating different physical network subdivisions without actually changing the physical network subdivisions. Additionally, this simulation does not involve the installation of additional network gateways. The single physical gateway utilized in accordance with the present invention may include a number of features to ensure that once a user (i.e., the person accessing a network resource) is logged in, the user only has access to what he/she has been granted access to. For example, in certain embodiments, the single physical gateway controls access to network resources based on information related to user identity, group identity, permissions (i.e., rules permitting access to perform a specific action on an object), and objects (i.e., an entity that can have actions performed on it by a user). Users may belong to a group, and users and groups are given permissions to access objects. Further, a page, application, web service, or document may be used to accomplish a delegation of access privileges. Permissions to access objects are assigned to a user or to a group for an object, relating the user, group, and object together. A record giving a user access to an object may include, for example, a permission ID, a user ID (i.e., a unique identifier representing a single user), and/or an object ID (i.e., a unique identifier representing any object which can have permissions associated with it).
Similarly, to grant a group of users the same permission, the record may contain the permission ID, the group ID (i.e., a unique identifier representing a single group of users), and/or the object ID. In the same way a user belongs to a group, a record exists that relates a user ID to a group ID. This allows permission to access an object to be granted to a group or to a user, while at the same time requiring permission to be granted in order for the access to be permitted. According to aspects of the present invention, when a user attempts to access a protected object (e.g., a protected network resource), a number of actions optionally take place to determine what the user is permitted to do to an object. On any object and for any action, the system may first check to determine the group that the current user belongs to, and the relationship of the group to the permissions required to perform the desired action. If this check is not successful (i.e., the user does not belong to any groups having permission to perform the desired action), the system may continue to determine if the user is related to the permission required to perform the action. If neither of the above cases is true (i.e., the user does not belong to any groups having permission to perform the desired action and the user does not have permission to perform the desired action), the user is denied access. If either case is true, the action is performed. For example, the action could include viewing an object, modifying the content of an object, approving an object, creating an object, deleting an object, or any other appropriate action. As described above, a timeout feature may also be provided whereby the expiration of a predetermined period of inactivity is used to determine when a session (and the session ID) between the user and a network resource should be terminated. During the user's session, the inactivity/timeout period is continually updated.
The timeout period is set by resources in the network and if the user does not perform an action/interaction within the predetermined timeout period (i.e., a period set by the network resources), the session is terminated by deleting it from those same resources in the network. This allows a high level of security because no meaningful information is stored on the user's computer. Further, even if someone does gain access to the user's computer, after the timeout period has expired, any information that might be stored in a file, for example, a cookie on the user's computer, is no longer valid. In certain embodiments of the present invention, after the user has logged in, a number of checks may take place each time the user moves within the system in order to determine what resources the user can access. For example, the single physical gateway determines the identity of the user accessing the system. The session may be validated by checking the user ID against a database of user IDs on the network. If a session ID does not exist, the session is invalid, and the user is forced to log in before accessing the system. If the session ID does exist, the single physical gateway retrieves the associated user ID and continues to perform whatever actions are necessary to finish displaying the approved information (e.g., network resources information residing behind the single physical gateway that is approved for use by the user). Through various exemplary embodiments, the process of accessing a network resource (i.e., a server, a port and/or an application) begins with the user logging into the single physical gateway (e.g., logging in using single sign-on software that logs the user directly into the single physical gateway). Once logged in, the user can access network resources that connect to applications hosted on an application server and view objects if the client applications have been pre-configured with the addresses of the application servers.
If the client applications have not been pre-configured with the addresses of the application server, the user can be provided with a unique token that provides a single use link to the application server. The token either contains the information required to connect to the application server or retrieves the information required to connect to the application server. The client application then connects to the application server, and the application server then displays all objects and applications approved for the user. The figures described herein illustrate a method and system whose architecture may utilize common programming languages. This method and system contemplate the desire to provide secure access to all remote applications, software, and content. In certain exemplary embodiments, by utilizing common industry standards, the single physical gateway architecture can provide an efficient and meaningful security solution without the overhead of extra or robust hardware. The single physical gateway architecture can operate with any number of application services or terminal services installed either on the local physical server, or in a configuration utilizing outside objects from remote servers or locations. By aggregating these objects, the end user is provided with desirable services defined by their current role in one location with a reduced investment in hardware. This architecture allows for different and interchangeable service delivery options. The system provides the end user with access to the services for which they have been granted access. As such, a more productive end user specific service is provided that, while unique to each and every user, also contemplates and mitigates the security risks associated with remote access to a multiple user network (e.g., a corporate network). The method and system of the present invention may be implemented in a number of mediums. 
For example, the system can be installed on an existing computer system/server as software or may be provided as a single physical gateway. Further, the system can operate on a stand-alone computer system (e.g., a security server) that is installed between another computer system (e.g., an application server) and an access point to another computer system. Further still, the system may operate from a computer readable carrier (e.g., solid state memory, optical disk, magnetic disk, radio frequency carrier wave, audio frequency carrier wave, etc.) that includes computer instructions (e.g., computer program instructions) related to the security system. The present invention, according to one exemplary embodiment, relates to the selective approval or rejection of communication through a single network gateway to the servers and/or network resources behind that gateway. Figure 2A illustrates a delegation scheme 200 related to a single network segment placed behind (i.e., logically/operationally behind) a single network gateway 210 according to an exemplary embodiment of the invention. Figure 2B illustrates a network gateway 210 of Figure 2A. Figures 3-5 illustrate various exemplary combinations of communication approvals and rejections that effectively result in different network subdivisions (e.g., representing different predetermined delegation schemes, i.e., logical divisions within the network that relate to the users' identities) without the need to change the physical layout of the network (i.e., logically/operationally producing different network subdivisions using a single network gateway 210). Of course, other configurations are contemplated within the scope of the present invention. Figure 2A is a block diagram illustrating a delegation scheme 200 including network gateway 210 placed between a network segment including server 212, server 214, and server 216. Figure 2B is a block diagram of a network gateway 210 of Figure 2A.
Figure 2A illustrates users 202, 204, and 206 (i.e., clients 202, 204, and 206) connected to network gateway 210 through cloud 208. Cloud 208 represents any of a number of connections (e.g., a direct connection, an Internet based connection, etc.) between a client and network gateway 210. Clients 202, 204, and 206 desire to retrieve applications/resources operating on one of servers 212, 214, and 216. Because in this exemplary embodiment network gateway 210 is desirably the only connection (i.e., at a single physical connection point) between the illustrated user network segment and the illustrated server network segment, all communications pass through network gateway 210. In Figures 2A and 2B, the network gateway 210, for example, may include a gateway controller 225 and a storage unit 220 for storing a delegation database 230. That is, the gateway controller 225 may be disposed at a single physical connection point between the users and the plurality of network resources. Access to any of the network resources may be through the gateway controller 225 to restrict user access to a respective, selected one or respective, selected ones of the network resources based on a predetermined delegation scheme. Network resources refer to applications residing on a server 212, 214 and 216 of the network, a server 212, 214 and 216 of the network, or a port of the network gateway 210 or server 212, 214 and 216 of the network. The delegation database 230 may store records in a permission table 240, as delegations, which correspond to patterns of allowed communication pathways according to identities of users. The gateway controller 225 may control communications through the single physical connection point so as to allow access to a delegated subdivision of the network according to the delegations stored in the permission table 240 of the delegation database 230.
The network gateway 210 may be a single physical gateway and may include a number of features to ensure that once a user (i.e., the person accessing a network resource) is logged in, the user only has access to what he/she has been granted access to. For example, the single physical gateway 210 may control access to network resources based on information related to user identity, group identity, permissions (i.e., rules permitting access to perform a specific action on an object), and objects (i.e., an entity that can have actions performed on it by a user). Users may belong to a group, and users and groups are given permissions to access objects. Further, a page, application, web service, or document may be used to accomplish a delegation of access privileges. Permissions to access objects may be assigned to a user or to a group for an object relating the user, group, and object together. The record giving a user access to an object may include, for example, a permission ID, a user ID (i.e., a unique identifier representing a single user), and/or an object ID (i.e., a unique identifier representing any object which can have permissions associated with it). Similarly, to grant a group of users the same permission, the record may contain the permission ID, the group ID (i.e., a unique identifier representing a single group of users), and/or the object ID. In the same way a user belongs to a group, a record exists that relates a user ID to a group ID. This allows permission to access an object to be granted to a group or to a user, while at the same time requiring permission to be granted in order for the access to be permitted. When a user attempts to access a protected object (e.g., a protected network resource), a number of actions optionally take place to determine what the user is permitted to do to an object. 
On any object and for any action, the system may first check to determine the group that the current user belongs to, and the relationship of the group to the permissions required to perform the desired action. If this check is not successful (i.e., the user does not belong to any groups having permission to perform the desired action), the system may continue to determine if the user is related to the permission required to perform the action. If neither of the above cases is true (i.e., the user does not belong to any groups having permission to perform the desired action and the user does not have permission to perform the desired action), the user may be denied access. If either case is true, the action may be performed. For example, the action could include viewing an object, modifying the content of an object, approving an object, creating an object, deleting an object, or any other appropriate action. Figure 3 is a block diagram illustrating an exemplary embodiment where network gateway 210 has been configured to allow communication between user 202 and servers 212 and 214, but not between user 202 and server 216. As shown on the right hand side of the "equals sign" in Figure 3, this is functionally equivalent to subdividing the server network segment into two segments: one segment with servers 212 and 214, and one segment with server 216 (accessed through imaginary network gateway 300). That is, the user 202 cannot view or communicate with server 216. Figure 4 is a block diagram illustrating the case where network gateway 210 has been configured to allow communication between user 204 and servers 212 and 216, but not between user 204 and server 214. As shown on the right hand side of the "equals sign" in Figure 4, this is functionally equivalent to subdividing the server network segment into two segments: one segment with servers 212 and 216, and one segment with server 214 (accessed through imaginary network gateway 400).
That is, the user 204 cannot view or communicate with server 214. Figure 5 is a block diagram illustrating the case where network gateway 210 has been configured to allow communication between user 206 and servers 214 and 216, but not between user 206 and server 212. As shown on the right hand side of the "equals sign" in Figure 5, this is functionally equivalent to subdividing the server network segment into two segments: one segment with server 212 (accessed through imaginary network gateway 500), and one segment with servers 214 and 216. That is, the user 206 cannot view or communicate with server 212. By altering the communication pathways allowed through the network gateway, arbitrary network subdivisions may be virtually generated. This configuration is functionally equivalent to having a separate network segment and network gateway for each server or network resource. Virtual network segments can be created and changed without changing the physical layout of the network and without the need for additional network gateways. In addition, multiple virtual network segments can be created and presented to different users simultaneously. The pattern of communication pathways allowed can be determined on a user-by-user basis and may be implemented on a port-by-port basis. This pattern can be stored in and retrieved from a database or directory. The security system and the method for creating virtual network subdivisions disclosed herein have diverse applicability in a range of markets including financial services, horizontal wireless LAN (e.g., wireless sales force automation and contractor services), and government regulated markets such as banking and healthcare.
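The permission model described above (permission records relating a user ID or group ID to an object ID, group-membership records, and the group-first, then user, check) together with the three delegation patterns of Figures 3 to 5, as one added Python example. It is not the patent's or Applied Identity's code; the group names, permission IDs and the "connect" action are constructed for the example.

```python
"""Delegation database behind a single physical gateway (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# The server network segment of Figures 2A-5, as object IDs of the delegation database.
SERVERS = ["server-212", "server-214", "server-216"]


@dataclass(frozen=True)
class Permission:
    """One row of the permission table: a permission ID relating an action on an object
    to either a user ID or a group ID (exactly one of the two is set)."""
    permission_id: str
    action: str                      # e.g. "connect", "view", "modify", "delete"
    object_id: str                   # a server, an application on it, or a server:port
    user_id: Optional[str] = None
    group_id: Optional[str] = None


@dataclass
class DelegationDatabase:
    permissions: List[Permission] = field(default_factory=list)
    membership: Set[Tuple[str, str]] = field(default_factory=set)   # (user ID, group ID) records

    def add_member(self, user_id: str, group_id: str) -> None:
        self.membership.add((user_id, group_id))

    def groups_of(self, user_id: str) -> Set[str]:
        return {g for u, g in self.membership if u == user_id}

    def is_permitted(self, user_id: str, action: str, object_id: str) -> bool:
        """Group check first, then the user's own permissions; anything else is denied."""
        groups = self.groups_of(user_id)
        matching = [p for p in self.permissions if p.action == action and p.object_id == object_id]
        if any(p.group_id is not None and p.group_id in groups for p in matching):
            return True                                  # granted through a group the user belongs to
        if any(p.user_id == user_id for p in matching):
            return True                                  # granted to the user directly
        return False                                     # neither case holds: access denied


class DelegationGateway:
    """Single physical gateway: connections to the servers are allowed or rejected per user,
    which simulates a separate network segment and gateway per server without rewiring."""

    def __init__(self, db: DelegationDatabase, resources: List[str]) -> None:
        self.db = db
        self.resources = resources

    def virtual_segment(self, user_id: str) -> List[str]:
        """The network as this user sees it: non-delegated resources are not visible at all."""
        return [r for r in self.resources if self.db.is_permitted(user_id, "connect", r)]

    def connect(self, user_id: str, object_id: str) -> bool:
        """Allow or reject one connection request through the gateway."""
        return object_id in self.resources and self.db.is_permitted(user_id, "connect", object_id)


def figure_delegations() -> DelegationDatabase:
    """Constructed delegation database that reproduces Figures 3, 4 and 5:
    user 202 -> servers 212, 214; user 204 -> 212, 216; user 206 -> 214, 216."""
    db = DelegationDatabase()
    db.add_member("user-202", "ops")          # group "ops" = users 202 and 204
    db.add_member("user-204", "ops")
    db.permissions.append(Permission("p1", "connect", "server-212", group_id="ops"))
    db.add_member("user-204", "web")          # group "web" = users 204 and 206
    db.add_member("user-206", "web")
    db.permissions.append(Permission("p2", "connect", "server-216", group_id="web"))
    # Server 214 is delegated to individual users rather than to a group.
    db.permissions.append(Permission("p3", "connect", "server-214", user_id="user-202"))
    db.permissions.append(Permission("p4", "connect", "server-214", user_id="user-206"))
    return db


if __name__ == "__main__":
    gw = DelegationGateway(figure_delegations(), SERVERS)
    for user in ("user-202", "user-204", "user-206"):
        print(user, "sees", gw.virtual_segment(user))
```

Appending one permission record re-delegates a server to a user with no change to the physical segment, which is the arbitrary re-subdivision the figures illustrate.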
However, these are merely exemplary applications: the present invention is not limited thereto. Although the present invention has been described primarily in terms of a client desiring to access a server through a single physical gateway, it is not limited thereto. The client may desire to access any of a number of network resources (e.g., a server, a port and an application, etc.) through the single physical gateway. The use of multiple physical gateways is also contemplated. Although the present invention has been largely described in terms of a user attempting to connect to a server/resource/application through a network gateway, it is not limited thereto. As described herein, for example, the present invention may be embodied in software, in a machine (e.g., a computer system, a network gateway, etc.) that includes software in memory, or in a computer readable carrier configured to carry out the delegation method (e.g., in a self contained silicon device, a solid state memory, an optical disk, a magnetic disk, a radio frequency carrier wave, an audio frequency carrier wave, etc.). Although the invention is illustrated and described herein with reference to specific embodiments, the invention is not intended to be limited to the details shown. Rather, various modifications may be made in the details within the scope and range of equivalents of the claims and without departing from the invention.

Claims

What is Claimed: 1. A method of delegating access rights to users for a plurality of network resources, said method comprising the steps of: inserting a physical gateway between the users and the plurality of network resources such that access to any of the network resources is through the physical gateway; and restricting access of the users to a respective, selected one or respective selected ones of the network resources based on logical division within the network related to identities of the users.
2. The method according to claim 1, wherein the respective, selected one or respective selected ones of the network resources are a subset of the network resources.
3. The method according to claim 1, wherein the step of restricting access of the users to a respective, selected one or respective selected ones of the network resources includes restricting access of the users to at least a respective, selected one or respective selected ones of the network servers, network applications and/or network ports.
4. The method according to claim 1, wherein the logical division within the network allows access to a delegated subdivision of the network according to a respective identity of each authorized user.
5. The method according to claim 1, wherein the step of inserting a physical gateway comprises the steps of: establishing a physical connection point for insertion of the physical gateway; and installing the physical gateway at the physical connection point to control all communications between users and the plurality of network resources.
6. The method according to claim 1, wherein the step of restricting access of the users to the respective, selected one or respective selected ones of the network resources comprises the steps of: establishing an identity of a respective user; and controlling communications through the physical connection point by the physical gateway so as to allow access to an authorized subdivision of the network and to restrict access to an unauthorized subdivision of the network according to the identity of the respective user, thereby simulating a physically subdivided network behind the physical gateway.
7. The method according to claim 6, wherein the step of controlling communications through the physical connection point by the physical gateway comprises the steps of: determining whether a communication packet originated from a session owned by a respective authenticated user; if the respective user is authenticated to access a selected network resource or selected network resources, the communication packet is passed through the physical gateway; and if the respective user is not authenticated to access the selected network resource or selected network resources, the communication packet is rejected and not passed through the physical gateway.
8. The method according to claim 6, wherein the step of controlling communications through the physical connection point by the physical gateway comprises the step of connecting or rejecting communications to selected network resources on a user-by-user basis.
9. A method of delegating access rights to users for a plurality of network resources, said method comprising the steps of: establishing multiple virtual network segments for different users, simultaneously; and presenting each respective user with a view of a respective virtual network segment according to an identity of the respective user.
10. The method according to claim 9, wherein the step of establishing multiple virtual network segments is applied on an application by application, server- by-server and/or port-by-port basis.
11. A method of delegating access rights to users for a plurality of network resources of a network, said method comprising the steps of: controlling a respective user's ability to view a selected one or respective selected ones of the network resources and ability to communicate with the selected one or respective selected ones of the network resources using a gateway device operationally interposed between the users and the plurality of network resources such that the respective user has access to only a portion of the network resources of the network.
12. The method according to claim 11, wherein access to the network resources of the network is based on an identity of the respective user.
13. A method of delegating access rights to users for a plurality of network resources, said method comprising the steps of: establishing a logical division of a network to control communications between users and respective network resources through a physical gateway; and restricting access of each respective user to a respective, selected one or respective selected ones of the network resources based on the established logical division related to identities of the users.
14. A gateway device for controlling access rights to users for a plurality of network resources of a network, the gateway device comprising: a gateway controller disposed at a physical connection point between the users and the plurality of network resources such that access to any of the network resources is through the gateway controller to restrict access to the users for a respective, selected one or respective selected ones of the network resources based on a logical division of the network.
15. The gateway device according to claim 14, further comprising: a delegation database to store patterns of allowed communication pathways according to identities of users, as delegations, wherein the gateway controller controls communications through the physical connection point so as to allow access to a delegated subdivision of the network according to the delegations stored in the delegation database.
16. The gateway device according to claim 15, wherein, when modifying the delegated subdivision to which the respective user has access, the physical placement of network wiring and the gateway device are maintained without installation of any additional gateway devices.
17. The gateway device according to claim 14, wherein the network is a remotely accessed network through the physical connection point such that the physical gateway controls visibility of network resources to remote users of the network resources.
18. The gateway device according to claim 17, wherein the physical gateway is configured to allow remote users to log into the physical gateway, to access network resources connected with applications hosted on network resources and to view objects on the network resources.
19. A computer system comprising: a microprocessor; and a computer readable medium including computer program instructions which cause the computer system to implement a method of delegating access rights to users for network resources, the method comprising the steps of: receiving requests from the users for access to the network resources through a physical gateway, and restricting access of users to a respective, selected one or respective selected ones of the network resources based on a logical division within the network related to an identity of the users.
20. A computer readable carrier including computer program instructions which cause a physical gateway to implement a method of delegating access rights to users for network resources, the method comprising the steps of: receiving requests from the users for access to the network resources through the physical gateway; and restricting access of users to a respective, selected one or respective selected ones of the network resources based on a logical division within the network related to an identity of the users.
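The following is an added illustration of the gateway behaviour recited in claims 7, 9, 10 and 14 to 16; it is not code from the patent or from Applied Identity. It models the delegation database as a per-identity set of (server, port) pathways, ties each session to the authenticated user and the address it was established from, and applies the claim 7 decision to every packet: reject if no authenticated session owns it, reject if the sender does not match the session owner, reject if the user has no delegation for the destination, otherwise pass. `view()` returns the virtual network segment a user is allowed to see, and `revoke()` shows that narrowing a user's subdivision is a database change with no change to wiring. All users, session ids, addresses and ports are constructed sample values.

```python
# Added illustration of an identity-delegated gateway filter (claims 7, 9, 10, 14-16).
# Not the patent's code. All hosts, ports, users and session ids are constructed samples.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Pathway = Tuple[str, int]          # (server address, destination port)


@dataclass(frozen=True)
class Packet:
    """A communication packet as seen at the physical connection point."""
    session_id: str                # session token presented by the sender
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Session:
    user: str                      # authenticated identity that owns the session
    src_ip: str                    # address the session was established from


@dataclass
class DelegationDatabase:
    """Stores allowed communication pathways per identity (claim 15)."""
    delegations: Dict[str, Set[Pathway]] = field(default_factory=dict)

    def delegate(self, user: str, server: str, port: int) -> None:
        # Grants are made server-by-server and port-by-port (claim 10).
        self.delegations.setdefault(user, set()).add((server, port))

    def revoke(self, user: str, server: str, port: int) -> None:
        # Changing a user's delegated subdivision is a database update only;
        # wiring and gateway placement are untouched (claim 16).
        self.delegations.get(user, set()).discard((server, port))

    def pathways_for(self, user: str) -> FrozenSet[Pathway]:
        return frozenset(self.delegations.get(user, set()))


class Gateway:
    """Gateway controller interposed between users and resources (claim 14)."""

    def __init__(self, db: DelegationDatabase) -> None:
        self.db = db
        self.sessions: Dict[str, Session] = {}
        self.log: List[str] = []   # one audit line per decision

    def login(self, session_id: str, user: str, src_ip: str) -> None:
        # Assumes the caller has already authenticated `user`.
        self.sessions[session_id] = Session(user, src_ip)

    def logout(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)

    def view(self, session_id: str) -> List[Pathway]:
        """The virtual network segment visible to the session's user (claims 9, 11)."""
        s = self.sessions.get(session_id)
        return sorted(self.db.pathways_for(s.user)) if s else []

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Claim 7 decision for one packet: ('PASS' | 'REJECT', reason)."""
        s = self.sessions.get(pkt.session_id)
        if s is None:
            return self._decide("REJECT", "no authenticated session", pkt)
        if s.src_ip != pkt.src_ip:
            # Packet did not originate from the address that owns the session.
            return self._decide("REJECT", "session not owned by sender", pkt)
        if (pkt.dst_ip, pkt.dst_port) not in self.db.pathways_for(s.user):
            return self._decide(
                "REJECT", f"{s.user} not delegated {pkt.dst_ip}:{pkt.dst_port}", pkt)
        return self._decide("PASS", f"delegated to {s.user}", pkt)

    def _decide(self, verdict: str, reason: str, pkt: Packet) -> Tuple[str, str]:
        self.log.append(f"{verdict} {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port} ({reason})")
        return verdict, reason


def build_demo_gateway() -> Gateway:
    """Constructed sample: alice may reach the web server, bob the SSH host."""
    db = DelegationDatabase()
    db.delegate("alice", "10.0.0.5", 443)
    db.delegate("bob", "10.0.0.6", 22)
    gw = Gateway(db)
    gw.login("S1", "alice", "192.168.1.10")
    gw.login("S2", "bob", "192.168.1.11")
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.filter(Packet("S1", "192.168.1.10", "10.0.0.5", 443)))   # PASS
    print(gw.filter(Packet("S1", "192.168.1.10", "10.0.0.6", 22)))    # REJECT: not delegated
    print(gw.filter(Packet("S1", "192.168.1.99", "10.0.0.5", 443)))   # REJECT: wrong owner
    print(gw.view("S2"))                                               # [('10.0.0.6', 22)]
```

The sender-address check is what makes "originated from a session owned by a respective authenticated user" meaningful: a valid session token presented from a different address is rejected rather than passed, and every decision is logged so that rejected traffic per identity can be reviewed.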
PCT/US2004/043406 2003-12-31 2004-12-22 Method and system for delegating access to computer network resources WO2005067260A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US53376803P 2003-12-31 2003-12-31
US60/533,768 2003-12-31

Publications (1)

Publication Number Publication Date
WO2005067260A1 true WO2005067260A1 (en) 2005-07-21

Family

ID=34748956

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2004/043406 WO2005067260A1 (en) 2003-12-31 2004-12-22 Method and system for delegating access to computer network resources

Country Status (1)

Country Link
WO (1) WO2005067260A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0909074A1 (en) * 1997-09-12 1999-04-14 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with multiple domain support
WO1999048261A2 (en) * 1998-03-18 1999-09-23 Secure Computing Corporation System and method for controlling interactions between networks
WO2000078004A2 (en) * 1999-06-10 2000-12-21 Alcatel Internetworking, Inc. Policy based network architecture
US6178511B1 (en) * 1998-04-30 2001-01-23 International Business Machines Corporation Coordinating user target logons in a single sign-on (SSO) environment
US6353886B1 (en) * 1998-02-04 2002-03-05 Alcatel Canada Inc. Method and system for secure network policy implementation
US6408336B1 (en) * 1997-03-10 2002-06-18 David S. Schneider Distributed administration of access to information
US6539483B1 (en) * 2000-01-12 2003-03-25 International Business Machines Corporation System and method for generation VPN network policies

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase