System and method for combining an access control system with a traffic management system

Information

  • Patent Grant
  • 10135831
  • Patent Number
    10,135,831
  • Date Filed
    Tuesday, June 21, 2011
    13 years ago
  • Date Issued
    Tuesday, November 20, 2018
    6 years ago
Abstract
A system and method for handling a request from a client device to access a service from a server. The method comprises receiving a request from a user using a client device to access a service from a server. The request is received by a network traffic management device having a local external access management (EAM) agent. The EAM agent directly communicates with an EAM server that provides authentication policy information of a plurality of users able to at least partially access the server. User credential information is sent from the EAM agent to the EAM server, whereby the EAM agent receives access policy information of the user from the EAM server. The system and method selectively controls access of the user's request to the server in accordance with the received access policy information at the network traffic management device.
Description
TECHNOLOGICAL FIELD

This technology generally relates to network communication security, and more particularly, to a system and method for enforcing a dynamic access policy via external access management technology.


BACKGROUND

Existing computer network systems utilize an access management system to control the access to various applications and documents. These systems include various components such as an enterprise access management (EAM) system which may store policy information. The policy information describes various security settings for applications and documents protected by the EAM system. The security settings may include authorization attributes for various users who are allowed to access the secured applications. The EAM system securely maintains and implements authentication, authorization and audit (AAA) procedures for each user in conformance with established policy configurations to ensure that only approved services from within the secured domain are provided to users who meet or have the appropriate security clearance.


In particular, existing computer network systems are set up such that requests from users are received by the application servers themselves in the secured network. The application server may contain a software-based access management server agent (EAM agent) which allows the application server to directly communicate with the EAM server, which then conducts the AAA procedure. In one instance of this deployment, for each access request sent from the user, the EAM agent of the application server will communicate the user's information to the EAM server. The EAM server will then evaluate the access policy associated with the application that the user is trying to access and will return the result of the evaluation to the application server. Based on the received result from the EAM server, the application server may allow or deny the user access to the application.


In common deployment, the EAM systems and traffic management systems are two different disparate systems and are not aware of each other. Due to load balancing and traffic handling parameters, a computer network system which contains several application servers in the secured network domain requires each application server to have an EAM agent to allow the application servers to effectively communicate with the EAM server(s). This is burdensome and expensive to administer; raises challenges with regard to interoperability and scalability; and lacks security.


What is needed is a network traffic management device that is configured to implement an EAM agent which allows the network traffic management device to communicate with the EAM server to receive policy information and have AAA functionality while effectively performing traffic management operations.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a diagram of an example system environment that includes a network traffic manager in accordance with an aspect of the present disclosure;



FIG. 2 is a block diagram of the network traffic manager shown in FIG. 1 in accordance with an aspect of the present disclosure;



FIG. 3 is an example flow chart diagram depicting portions of processes for enforcing dynamic access policy via external access management technology in accordance with an aspect of the present disclosure;



FIG. 4 is an example flow chart diagram depicting additional process steps to the general process disclosed in FIGS. 3 and/or 7 in accordance with an aspect of the present disclosure;



FIG. 5 is an example flow chart diagram depicting additional process steps to the general process disclosed in FIGS. 3 and/or 7 in accordance with an aspect of the present disclosure;



FIG. 6 is an example flow chart diagram depicting additional process steps to the general process disclosed in FIGS. 3 and/or 7 in accordance with an aspect of the present disclosure;



FIG. 7 is an example flow chart diagram depicting portions of processes for enforcing dynamic access policy via external access management technology in accordance with an aspect of the present disclosure;



FIG. 8 is an example flow chart diagram depicting additional process steps to the general process disclosed in FIG. 3 or FIG. 7 in accordance with an aspect of the present disclosure;



FIG. 9 is an example flow chart diagram depicting a general process in accordance with an aspect of the present disclosure; and



FIG. 10 is an example flow chart diagram depicting a general process in accordance with an aspect of the present disclosure.





While these examples are susceptible of embodiments in many different forms, there is shown in the drawings and will herein be described in detail preferred examples with the understanding that the present disclosure is to be considered as an exemplification and is not intended to limit the broad aspect to the embodiments illustrated.


SUMMARY

In an aspect, a method for handling a request from a client device to access a service from a server. The method comprises receiving a request from a user using a client device to access a service from a server. The request is received by a network traffic management device having a local external access management (EAM) agent. The EAM agent directly communicates with an EAM server that provides authentication policy information of a plurality of users able to at least partially access the server. User credential information is sent from the EAM agent to the EAM server, whereby the EAM agent receives access policy information of the user from the EAM server, which includes authorization and authentication information. The system and method selectively controls access of the user's request to the server in accordance with the received access policy information at the network traffic management device.


In an aspect, a non-transitory machine readable medium having stored thereon instructions for handling a request from a client device to access a service from a server, comprising machine executable code which when executed by at least one machine. The code causes the machine to receive a request from a user using a client device to access a service from a server. The machine, utilizing the machine readable medium, is configured to directly communicate with an EAM server that is configured to provide authentication policy information of a plurality of users able to at least partially access the server. The code causes the machine to send the user credential information to the EAM server and receive access policy information of the user from the EAM server. The code causes the machine to selectively control access of the user's request to the server to receive the requested resource in accordance with the received access policy information.


In an aspect, a network traffic management device for handling a request from a client device to access a service in a secured network. The network traffic management device comprises a network interface configured to receive and transmit network data packets over one or more networks and a memory storing one or more programming instructions and a local external access management (EAM) agent configured to directly communicate with an external access management (EAM) server. The network traffic management device includes a processor configured to execute the stored programming instructions and the EAM agent. The programming instructions when executed by the processor result in actions being performed that include receiving a request from a user using a client device to access a service from a server and sending, via the EAM agent, the user credential information to the EAM server. The processor capable of receiving, at EAM agent, access policy information of the user from the EAM server; and selectively controlling access of the user's request to the server to receive the requested resource in accordance with the received access policy.


DETAILED DESCRIPTION


FIG. 1 is a diagram of an example system environment that improves network performance in accordance with an aspect of the present disclosure. As shown in FIG. 1, the example system environment 100 employs a plurality of network devices such as one or more network traffic management devices 110, one or more servers 102 and one or more client devices 106. It should be noted, however, that the environment 100 could include other numbers and types of network devices in other arrangements. Within the present disclosure, if a network device is referred to in the singular (e.g. client device, network traffic management device, server), it should be noted that the more than one of that network device may be contemplated. Similarly, if a network device is referred to in the plurality (e.g. client devices, network traffic management devices, servers), it should be noted that a single network device may be contemplated.


Client devices 106 comprise network computing devices capable of sending requests to and receiving responses from other network computing devices, such as the network traffic management device 110 and/or the servers 102. Such connections are performed over wired and/or wireless networks, such as network 108, to send and receive the data. Non-limiting and non-exhausting examples of such client devices 106 include personal computers (e.g., desktops, laptops), tablet computers, smart televisions, video game consoles, mobile and/or smart phones and the like.


In an example, client devices 106 run Web browsers that may provide an interface for operators, such as human users, to interact with and for making requests for resources to different web server-based applications or Web pages via the network 108, although other server resources may be requested by clients. One or more Web-based and/or non Web-based applications may run on one or more servers 102 that provide the requested data back to one or more external network devices, such as client devices 106 and/or network traffic management device 110. It should be noted that while only two client devices 106 are shown in the environment 100 depicted in FIG. 1, other numbers and types of client devices are contemplated.


The one or more servers 102 shown in FIG. 1 comprise one or more server computing machines capable of operating one or more Web-based and/or non Web-based applications that may be accessed by other network devices in the network 108. Such servers 102 may provide data representing requested resources, such as particular Web page(s), image(s) of physical objects, and any other objects responsive to the requests. It should be noted that the servers 102 may perform other tasks and provide other types of resources. It is to be understood that the one or more servers 102 may be hardware and/or software, and/or may represent a system with multiple servers that may include internal or external networks. In this example, the servers 102 may be any version of Microsoft® IIS servers, and/or Apache® servers, although other types of servers may be used. In an aspect, one or more servers 102 utilize software to allow it run the RADIUS protocol (Remote Access Dial In User Services) to provide (AAA) services for users using dial-up PPP/IP, remotely-logged in users and/or users using Mobile IP access to access the secured network. It should be noted that while only two servers 102 are shown in the environment 100 depicted in FIG. 1, other numbers and types of servers are contemplated. It is also contemplated that one or more of the servers 102 may be a cluster of servers managed by one or more network traffic management devices 110.


Network 108 comprises a publicly accessible network, such as the Internet, which in essence utilizes one or more communication methods by which data may travel between client devices 106, servers 102, network traffic management devices 110, and the like. However, it is contemplated that the network 108 may comprise other types of private and public networks that include other devices. Communications, such as requests from client devices 106 and responses from servers 102, 112, take place over the network 108 according to standard network protocols, such as the HTTP, UDP, DNS and TCP/IP protocols in this example. However, the principles discussed herein are not limited to this example and can include other protocols. Further, it should be appreciated that the network 108 may include local area networks (LANs), wide area networks (WANs), direct connections and any combination thereof, as well as other types and numbers of network types.


LAN 104 comprises a private local area network that allows one or more network traffic management devices 110 to communicate with one or more servers 102 behind a secured network. In an aspect, the LAN 104 may comprise an interconnected set of LANs or other networks which enable messages and other data to be sent between the servers 102 and/or between the servers 102 and the one or more network traffic management devices 110. Although not shown, the LAN 104 may be comprised of differing architectures and protocols, that include one or more routers, switches, hubs, gateways, bridges, and other intermediate network devices may act as links within and between LANs and other networks. Also, communication links within and between LANs and other networks typically include twisted wire pair (e.g., Ethernet), coaxial cable, analog telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4, Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links and other communications links known to those skilled in the relevant arts.


Regarding the network protocols, the protocols are configured to establish and maintain connections between network devices as well as allow data to be sent and received for existing connections, and the like. In particular to an aspect, requests are sent from one or more client devices 106 over the network 108 using the TCP/IP protocol, whereby the requests are configured to access services from one or more endpoint devices, such as server 102. Similarly, responses are sent from one or more servers 102 over the network 108 using the TCP/IP protocol, whereby the responses provide the requested service to the client device 106. It should be noted that other protocols are contemplated, including, but not limited to, HTTP, UDP, and/or DNS protocols.


As shown in FIG. 1, the environment includes one or more network devices (e.g. server 112) which contains and manages defined access/identity management services. In FIG. 1, one or more external access management (EAM) servers 112 contain access policy information for individuals able to access the servers 102 in the secured network. The access policy information includes information regarding the user's identity, authentication and authorization information of the user, policy parameters for the user, as well as other information that can be used to identify the user as well as his/her access rights to services provided by the servers 102. The EAM servers 112 communicate with the network traffic management device 110 to control access to the resources in the secured network in which the network traffic management device 110 enforces restrictions on the established identities of the individuals based on defined access policy information provided by the EAM server 112. The EAM server 112 may be configured to store and modify defined user information relating to the AAA process as well as administered policy parameters for each user requesting resources from servers 102 in the secured network via LAN 104. The EAM server 112 can be configured to provide user-based identity management and access control services to the network traffic management device which enforces authentication, policy-based authorizations, and auditing with identity administration functionality such as delegated administration and workflows. In an aspect, EAM services are handled by third party providers such as Oracle™ Access Manager, CA Siteminder™ and the like.


As shown in the example environment 100 depicted in FIG. 1, one or more network traffic management devices 110 are interposed and allows communications between client devices 106 via network 108 and the one or more secured servers 102 via LAN 104. Again, the environment 100 could be arranged in other manners with other numbers and types of devices. Also, the network traffic management device 110 is coupled to network 108 by one or more network communication links and intermediate network devices (e.g. routers, switches, gateways, hubs and the like) (not shown). It should be understood that the devices and the particular configuration shown in FIG. 1 are provided for exemplary purposes only and thus are not limiting.


Generally, the network traffic management device 110 manages network communications, which include client requests and server responses via the network 108 and the LAN 104. Moreover, in an aspect shown in FIG. 1, the network traffic management device 110 communicates with the External Access Manager (EAM) server or software component 112 which allows the network traffic management 110 to enforce and manage the defined access policies based on each user request, as will be discussed in more detail below.


Generally, requests and other traffic sent over the network 108 from a user via a client device 106 to access one or more resources from one or more servers 102 in the secured network. These requests are received and handled by the network traffic management device 110 prior to being sent to the destination server 102. In determining whether the requesting user is authorized to access the resource from the server 102, the network traffic management device 110 communicates with one or more EAM servers 112 via an EAM agent 210. As stated above, the EAM server 112 communicates AAA procedures and implement user-specific policy parameters, in conformance with the implemented policy plan for the network, to the network traffic management device 110 in accordance with the processes described further below in accordance with aspects of the present disclosure.


Although an example of the Web application server 102, network traffic device 110, EAM server 112 and client devices 106 are described and illustrated herein in connection with FIGS. 1 and 2, each of the computers of the system 100 could be implemented on any suitable computer system or computing device. It is to be understood that the example devices and systems of the system 100 are for exemplary purposes, as many variations of the specific hardware and software used to implement the system 100 are possible, as will be appreciated by those skilled in the relevant art(s).



FIG. 2 is a block diagram of an example network traffic management device shown in FIG. 1 in accordance with an aspect of the present disclosure. As shown in FIG. 2, the example network traffic management device 110 includes one or more device processors 200, one or more device I/O interfaces 202, one or more network interfaces 204, one or more device memories 218, and one or more software-based EAM agent modules 210, all of which are coupled together via bus 208. It should be noted that the device 110 could include other types and numbers of components.


Device processor 200 comprises one or more microprocessors configured to execute computer/machine readable and executable instructions stored in device memory 218, and in particular the EAM agent module 210. Such instructions implement network traffic management related functions of the network traffic management device 110. In addition, the processor 200, upon executing the software instructions of the EAM agent module 210, will perform one or more portions of the processes described below in accordance with an aspect of the present disclosure.


Device I/O interfaces 202 comprise one or more user input and output device interface mechanisms. The interface may include a computer keyboard, mouse, touch screen, display device, and the corresponding physical ports and underlying supporting hardware and software to enable the network traffic management device 110 to communicate with the outside environment. Such communications may include accepting user data input and to provide user output, although other types and numbers of user input and output devices may be used. Additionally or alternatively, as will be described in connection with network interface 204 below, the network traffic management device 110 may communicate with the outside environment for certain types of operations (e.g., configuration) via a network management port.


Network interface 204 comprises one or more mechanisms that enable network traffic management device 110 to engage in network communications using one or more network protocols (e.g. HTTP) over LAN 104 and network 108. However, it is contemplated that the network interface 204 may be constructed for use with other communication protocols and types of networks. Network interface 204 is sometimes referred to as a transceiver, transceiving device, or network interface card (NIC), which transmits and receives network data packets to one or more networks, such as LAN 104 and network 108. In an example where the network traffic management device 110 includes more than one device processor 200 (or a processor 200 has more than one core), wherein each processor 200 (and/or core) may use the same single network interface 204 or a plurality of network interfaces 204. Further, the network interface 204 may include one or more physical ports, such as Ethernet ports, to couple the network traffic management device 110 with other network devices, such as servers 102. Moreover, the interface 204 may include certain physical ports dedicated to receiving and/or transmitting certain types of network data, such as device management related data for configuring the network traffic management device 110.


Bus 208 may comprise one or more internal device component communication buses, links, bridges and supporting components, such as bus controllers and/or arbiters. The bus enable the various components of the network traffic management device 110, such as the processor 200, device I/O interfaces 202, network interface 204, EAM agent module 210 and device memory 218, to communicate with one another. However, it is contemplated that the bus may enable one or more components of the network traffic management device 110 to communicate with components in other devices as well. Example buses include HyperTransport, PCI, PCI Express, InfiniBand, USB, Firewire, Serial ATA (SATA), SCSI, IDE and AGP buses. However, it is contemplated that other types and numbers of buses may be used, whereby the particular types and arrangement of buses will depend on the particular configuration of the network traffic management device 110.


Device memory 218 comprises non-transitory computer readable media, namely computer readable or processor readable storage media, which are examples of machine-readable storage media. Computer readable storage/machine-readable storage media may include volatile, nonvolatile, removable, and non-removable media implemented in any method or technology for storage of information. Examples of computer readable storage media include RAM, BIOS, ROM, EEPROM, flash/firmware memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information. Such desired information includes data and/or computer/machine-executable instructions and which can be accessed by one or more processors 200 of the network traffic management device 110.


Such storage media contains computer readable/machine-executable instructions, data structures, program modules, or other data, which may be obtained and/or executed by one or more processors, such as device processor 200. Such instructions allow the processor to perform actions, including implementing an operating system for controlling the general operation of network traffic management device 110 to manage network traffic and execute the instructions of the EAM agent module 210 in relation to the processes described in accordance with the present disclosure.


It is contemplated that the device memory 218 and EAM agent module 210 allow the storing and selective retrieval of information relating to the AAA process and/or user-specific policy parameters received from the EAM server 112. For instance, the device memory 218 may store identity based user ID based pool selection information and/or identity based service or policy information, as will be discussed in more detail below.


The network traffic management device 110, and in particular the software based EAM agent module 210, is configured to communicate with the EAM server 112, wherein the EAM server 112 provides the network traffic management device 110 with one or more AAA services in response to a user's request, sent from the client device 106, for a requested application and/or service from one or more servers 102 in the secured network.


As stated above, existing computer network architectures are configured such that the servers 102 themselves contain the EAM agent module. In these existing systems, the servers 102 themselves handle the user's requests at the application layer, whereby the server's 102 EAM agent module or a farm of EAM agent proxies will directly communicate with the EAM server 112 and have it perform the AAA services and enforce authorization and other policy parameters.


In contrast to the existing technology, the network traffic management device 110 of the present disclosure includes the EAM agent module 210 which allows the network traffic management device 110 to communicate with the EAM server 112 to have it perform the AAA services. The EAM server 112 provides the authorization and other policy parameter information to the network traffic management device 110, whereby the network traffic management device 110 dynamically enforces the access management policies based on the user's request prior to allowing the request to proceed to the servers 102. In effect, the policy enforcement point is shifted to the network traffic management device 110 in which the access policies, managed and defined by the EAM server 112, are dynamically enforced by the network traffic management device 110.


By allowing the network traffic management device 110 to enforce the access policies, EAM agents which were typically deployed among several servers 102, are centralized in the network traffic management device 110, thereby consolidating the proxy layer onto the network infrastructure. Other realized advantages of centralizing the enforcement of access policies on the network traffic management device 110 include, but are not limited to, allowing endpoint inspections, allowing scalability and high availability of requested services from the secured network, implementing web application security and acceleration (e.g. load balancing handled by the network traffic management device 110), and the like. It should be noted that although the EAM agent module 210 is depicted in FIG. 2 as being within memory 218 for exemplary purposes only; it should be appreciated the EAM agent module 210 may be alternatively located elsewhere in the network traffic management device 110.



FIG. 3 is an example flow chart diagram depicting portions of processes for enforcing dynamic access policy via external access management technology in accordance with an aspect of the present disclosure. As shown in FIG. 3, the process begins at the Start Block. As shown in FIG. 3, the network traffic management device 110 receives a request sent from a user, via a client device 106, wherein the request is an attempt to access a secured service or resource from one or more servers 102 (Block 300). In an aspect, the network traffic management device 110, upon receiving the request from the client device 106, determines whether the request is to access a service/resource that is considered protected by the EAM system as a defined access policy parameter (Block 302). In an aspect, the network traffic management device 110 may access an internal and/or external memory or cache or may communicate with the EAM server 112 via the EAM agent module 210 to determine whether the requested service/resource is considered protected in accordance with the defined access policy parameter. If the requested service/resource is not considered protected, the network traffic management device 110 will forward the request to the appropriate server 102 (Block 316), whereby the process proceeds to Block A.


In contrast, if it is determined that at least a portion of the requested service/resource is considered protected per the access policy parameters, the network traffic management device 110 may be configured to detect whether an SSO token or cookie is present in the request sent from the client device 106 (Block 303). If an SSO token is detected by the network traffic management device 110, the network traffic management device 110 will proxy the SSO token and transmit the user's credentials to the EAM server 112 (Block 308).


Referring back to Block 303, if the request from the client device 106 does not include an SSO token, the network traffic management device 110 will send a request back to the client device 106 asking for the user's credentials (Block 304). Upon receiving the user's credentials from the client device 106 (Block 306), the network traffic management device 110 will transmit that user's credentials to the EAM server 112 (Block 308).


The EAM server 112 will retrieve access and other policy information for the user, based on the user's credentials provided by the network traffic management device 110, and provide that information to the network traffic management device 110 (Block 310). Upon receiving the access policy information from the EAM server 112, the EAM agent 210 of the network traffic management device 110 will process the policy information and determine whether the policy information allows the user to access the requested service (Block 312). In other words, the network traffic management device 112 enforces the policy information for the user based on the user's actual request.


If the EAM agent 210 of the network traffic management device 110 determines that the user is allowed to access the requested service (Block 316), the process proceeds to Block A. In contrast, if the EAM agent 210 determines that the user is not allowed to access the requested service, the network traffic management device 110 will forward a message to the user's client device 106 informing the user that access to the requested service has been denied (Block 314).



FIG. 4 is an example flow chart diagram depicting additional process steps to the general process in accordance with an aspect of the present disclosure. It should be noted that the steps discussed in FIG. 4 are optional and are not required to be performed by the network traffic management device 110. As illustrated in FIG. 3, after the network traffic management device 110 concludes that the user can access the requested resource/service from the appropriate server 102, the process proceeds to Block A. Thereafter, as shown in the example in FIG. 4, the network traffic management device 110 may be configured to modify the user's request, such as modifying the request header and/or the payload data, in accordance with policy parameters provided by the EAM server 112, whereby the network traffic management device 110 then forwards the modified request to the appropriate server 102 (Block 418).


As shown in FIG. 4, the network traffic management device 110 also creates a SSO token that contains access policy parameter information for the user in accordance with defined access policies received from the EAM server (Block 420). The access policy parameter information is stored in a cache or memory in the network traffic management device 110 after it has been received from the EAM server 112. Upon the network traffic management device 110 receiving the response from the server 102, the network traffic management device 110 inserts the SSO token into the response to modify the response (Block 422). It should be noted that other parts of the response, such as the response header and payload, can be modified in addition to the insertion of the SSO token, as governed by the EAM policies. The network traffic management device 110 then sends the modified response back to the client device (Block 424). The client device 106 will then store the SSO token in its local memory, whereby all subsequent requests from the user's client device 106 will include the SSO token. This SSO token will allow the user to subsequently access the requested service from the server for the set amount of time and/or for the rest of the session.



FIG. 5 is an example flow chart diagram depicting additional process steps to the general process in accordance with an aspect of the present disclosure. It should be noted that the steps discussed in FIG. 5 are optional and are not required to be performed by the network traffic management device 110. As discussed in relation to FIG. 3, after the network traffic management device 110 concludes that the user can access the requested resource/service from the appropriate server 102, the process proceeds to Block A. As shown in FIG. 5, the process continues from Block A, whereby the network traffic management device 110 is configured to modify the client device's request in accordance with access policy parameters provided by the EAM server 112 (Block 518).


In an aspect, the user's identity information can indicate traffic handling priority information for the user, whereby the network traffic management device 110 may use the user's identity information along with other policy information received from EAM server 112 to perform additional traffic handling and priority functionalities including, but not limited to, bandwidth management, acceleration performance, quality of service adjustment, selecting an appropriate server 102 where the request is to be sent and the like. (Block 520). Other traffic management functionalities may include, but not limited to, doing bandwidth management based on the user's identity, content acceleration, prioritized processing, providing different quality of service, and/or selecting a specific network segment. For example, the access policy information received from the EAM server 112 may indicate that the user is a VIP user, whereby the request is sent to a selected server having higher bandwidth, quicker processing capabilities, and the like.


As shown in FIG. 5, the network traffic management device 110 will also create a SSO token that contains access policy parameter information for the user (Block 522). Upon the network traffic management device 110 receiving the response from the server 102, the network traffic management device 110, in an aspect, inserts the SSO token into the response to modify the response (Block 524). It is contemplated that the network traffic management device 110 may additionally or alternatively modify the request header and/or payload data, as governed by the EAM policy information. The network traffic management device 110 then sends the modified response back to the client device (Block 526). The client device 106 will then store the SSO token in its local memory, whereby all subsequent requests from the user will include the SSO token which will allow the user to subsequently access the requested service from the server for the set amount of time and/or for the rest of the session.



FIG. 6 is an example flow chart diagram depicting additional process steps to the general process in accordance with an aspect of the present disclosure. It should be noted that the steps discussed in FIG. 6 are optional and are not required to be performed by the network traffic management device 110. As discussed in relation to FIG. 3, after the network traffic management device 110 concludes that the user can access the requested resource/service from the appropriate server 102, the process proceeds to Block A. In an aspect, the network traffic management device 110 is able to execute request processing events that allow a network administrator to insert custom processing logic to modify the default request processing. In an instance, the custom processing logic can be written in tool command language code that is executed when that particular event occurs. In an example, a request processing event called RESOURCE_PROTECTED may be raised when it is found the requested resource is protected. Similarly, a request processing event ACCESS_ALLOWED can be raised when it is found that the user is authorized to access the requested service. In contrast, a request processing event ACCESS_DENIED can be raised when it is found that the user is not authorized to access the requested service. The network administrator can provide custom processing logic to be executed when these events are raised. For example, in one instance, the network administrator can provide custom processing to modify request headers for the requests which are authorized in an ACCESS_ALLOWED event. In another instance, the network administrator can access user's identity information in the ACCESS_ALLOWED event which then selects a specific server 102 to forward the request to. This results in the combination of the network administrator's custom traffic management policy and the user's identity. Thereafter, in accordance with the process in FIG. 6, the network traffic management device 110 allows a network administrator to use the user's identity information retrieved from EAM server 112 to establish and execute the event declarations (Block 620). Thereafter, the network traffic management device 110 executes the administrator's instructions along with the processing events (Block 622).



FIG. 7 is an example flow chart diagram depicting portions of processes for enforcing dynamic access policy via external access management technology in accordance with an aspect of the present disclosure. As shown in FIG. 7, the network traffic management device 110 intercepts a user's request via a client device 106, wherein the request is an attempt to access a secured service/resource from one or more servers 102 (Block 700). In accordance with the process in FIG. 7, the network traffic management device 110 is configured to retrieve access policy information for the user from a local memory 218 (Block 702). In an aspect, the locally stored access policy information may include additional security checks like end point inspection, additional two factor authentications or other enhanced security checks (for example geo location based access control). In an aspect, the locally stored access policy information may have been previously provided by the EAM server 112. In an aspect, the access policy information may be directly stored in the local memory of the network traffic management device 110 by an administrator, whereby the network traffic management device 110 does not need to communicate with an EAM server to receive the access policy information. In an aspect the combined result of local access policy and EAM policy may determine the final outcome of request processing.


The network traffic management device 110 compares the user's authorization information with the retrieved policy information to determine whether the user is authorized to access the requested service (Block 704). If the network traffic management device 110 determines that the user's request is not authorized, the network traffic management device 110 will deny the user's request by sending a message to the user's client device 106 (Block 714).


In contrast, if the network traffic management device 110 determines that the user is authorized to access the requested service, the network traffic management device 110 may determine whether the request from the client device 106 is to access information which is considered protected by the EAM server 112 (Block 706). In an aspect, the network traffic management device 110 may access an internal and/or external memory or cache or may communicate with the EAM server 112 to determine whether the service/information is protected. If the requested service/information is not considered protected, the network traffic management device 110 will forward the request to the appropriate server 102 (Block 720), whereby the process proceeds to Block B.


If the network traffic management device 110 determines that at least a portion of the requested service/information is protected by the access policy parameters, the network traffic management device 110 will determine if the request contains an SSO cookie or token. If so, the network traffic management device 110 will proxy the EAM server 112 and transmit the SSO cookie or token to the EAM server 112 (Block 712).


However, if the network traffic management device 110 determines that the request does not contain an SSO cookie or token, the network traffic management device 110 will sends a request back to the client device 106 asking for the user's credentials (Block 708). Upon receiving the user's credentials (Block 710), the network traffic management device 110 will proxy the EAM server 112 and transmit that user's credentials to the EAM server 112 (Block 712).


Thereafter, the network traffic management device 110 receives a response from the EAM server 112 (Block 716). The network traffic management device 110 thereafter processes the access policy information received from the EAM server 112 to determine if the user is allowed to access the requested service (Block 718). If not, the network traffic management device 110 will enforce the policy and forward a message to the client device 106 indicating that access to the requested service has been denied (Block 714). However, if the response from the EAM server 112 indicates that the user is allowed to receive the requested service, the network traffic management device 110 will enforce the policy and forward the request to a selected server 102 (Block 720).



FIG. 8 is an example flow chart diagram depicting additional process steps to the general process in accordance with an aspect of the present disclosure. It should be noted that the steps discussed in FIG. 8 are optional and are not required to be performed by the network traffic management device 110. As illustrated in FIG. 8, the process proceeds from either Block A (FIG. 3) or Block B (FIG. 7), after the network traffic management device 110 has concluded that the user is authorized to access the requested service/resource from the server 102.


As shown in FIG. 8, prior to forwarding the user's request to the appropriate server 102, the network traffic management device 110 may access a local memory 218 or cache if the requested service was previously accessed by the user and if the response received from the server 102 is available in the cache memory 218 of the network traffic management device 110 (Block 818). In an aspect the cache may also be stored in a file system. This step is applicable when the requested resource contains static web objects that the user is authorized to receive from the server 102. If so, the network traffic management device 110 will retrieve the stored web objects from memory 218 (Block 824). The network traffic management device 110 will then forward a response with the cached web objects back to the client device 106 (Block 828).


In contrast, if the network traffic management device 110 determines that the requested web objects are not stored in the memory 218, the network traffic management device 110 will modify the user's request in accordance with the EAM policy information (Block 820). The network traffic management device 110 will then forward the modified request to the server 102 (Block 822). Once the network traffic management device 110 receives the response from the server 102, the network traffic management device 110 will cache the web objects in the response its local memory 218 (Block 826) before sending the response to the client device 106 (Block 828).


Although not shown, it is contemplated that the network traffic management device 110 may generate and insert a SSO cookie or token into the response received from the server 102, whereby the modified response is sent to the client device 106. The client device 106 will store the SSO token in its internal memory in which subsequent requests will contain the SSO token, as discussed above.



FIG. 9 is an example flow chart diagram depicting a general process in accordance with an aspect of the present disclosure. As shown in FIG. 9, upon receiving the user's request via the client device 106 (Block 900), the network traffic management device 110 will determine if the request can be processed in an expedited fast path manner based upon the request's uniform resource identifier (URI) which is specified by a network administrator and stored in the memory 218 (Block 902). If the request can be processed in the fast path manner, the network traffic management device 110 will not communicate with the EAM server 112 and will instead process the request in the fast path manner. The processing may result in forwarding the service request directly to the server 102 (Block 904) or denying the service request. The client device 106 will then receive the requested service from the server 102 (Block 906). In contrast, if the network traffic management device 110 determines that the request cannot be processed in the fast path manner, the network traffic management device 110 will proceed with performing the steps from Start Block A (FIG. 3) or Start Block B (FIG. 7). The processes following Start Block A and Start Block B are not reproduced herein for brevity.



FIG. 10 is an example flow chart diagram depicting a general process in accordance with an aspect of the present disclosure. Upon the network traffic management device 110 receiving the service request from the client device 106 (Block 1000), the network traffic management device 110 checks its local memory 218 to determine if the user has issued the identical service request previously and if the result of user's previous attempt is available in the memory 218. In an aspect, the result may include the user's authorization information, various modifications to be applied to user's request and response and other information. (Block 1002). If the network traffic management device 110 is able to retrieve the various authorization information from the local memory 218, the network traffic management device 110 inspects it to determine whether the request was previously accepted or denied (Block 1002).


If the retrieved request was previously not accepted, the network traffic management device 110 will deny the user from receiving the requested service (Block 1010). If the retrieved request was previously accepted, the network traffic management device 110 will modify the request in accordance with access policy parameters provided by the EAM server 112 and forward the modified request to the server 102 (Block 1004). The network traffic management device 110 may also create and insert a SSO token in the response that is sent back to the client device 106 that allows the user to access the requested service without having to again be authenticated (Block 1006). The client device 106 will then store the SSO token in its local memory (Block 1008).


In contrast, if the network traffic management device 110 determines that no previous request is stored in the memory 218, the network traffic management device 110 will proceed with the process described above in FIGS. 3 and/or 7 (Block 1014). Thereafter, the network traffic management device 110 will store the result for that user's service request in the local memory 218 with a specified time-to-live parameter for the stored service request. The time to live parameter allows the network administrator to specify how long the network traffic management gateway can cache the authorization information. The valid values can range from milliseconds to days.


Having thus described the basic concepts, it will be rather apparent to those skilled in the art that the foregoing detailed disclosure is intended to be presented by way of example only, and is not limiting. Various alterations, improvements, and modifications will occur and are intended to those skilled in the art, though not expressly stated herein. These alterations, improvements, and modifications are intended to be suggested hereby, and are within the spirit and scope of the examples. Additionally, the recited order of processing elements or sequences, or the use of numbers, letters, or other designations therefore, is not intended to limit the claimed processes to any order except as may be specified in the claims. Accordingly, the invention is limited only by the following claims and equivalents thereto.

Claims
  • 1. A method of providing access control, the method comprising: receiving, by a local external access management (EAM) agent of a network traffic management device, a request from a client device for a user to access a service or resource accessible to one or more servers;sending, by the EAM agent of the network traffic management device, credential information for the user to an EAM server, wherein the network traffic management device and the local EAM agent are remote from the servers and the EAM server;receiving, by the EAM agent of the network traffic management device, access policy information for the user from the EAM server in response to sending the credential information, the access policy information indicating whether the user is authorized to access the service or resource; andenforcing, by the EAM agent of the network traffic management device, the access policy information comprising sending another request on behalf of the client device to access the service or resource accessible to servers based on traffic handling priority information for the user corresponding to identity information included in the access policy information, when the access policy information indicates that the user is authorized to access the service or resource.
  • 2. The method of claim 1, obtaining, by the EAM agent of the network traffic management device, the credential information for the user comprising at least one of receiving the credential information in response to a request for the credential information sent to the client device or retrieving the credential information from a single sign on (SSO) cookie included in the received request to access the service or resource.
  • 3. The method of claim 1, further comprising: generating by the EAM agent of the network traffic management device, and inserting into a received response from one or more of the servers, a single sign on (SSO) cookie for the user, wherein the SSO cookie contains the credential information and at least a portion of the access policy information for the user received from the EAM server; andsending, by the EAM agent of the network traffic management device, the response with the inserted SSO cookie to the client device.
  • 4. The method of claim 1, further comprising: modifying, by the EAM agent of the network traffic management device, the request to include the credential information in accordance with the access policy information; andsending by the EAM agent of the network traffic management device, the modified request to one or more of the servers.
  • 5. The method of claim 1, further comprising: applying, by the EAM agent of the network traffic management device, a local access policy for the user prior to sending the credential information to the EAM server.
  • 6. The method of claim 1, further comprising: determining, by the EAM agent of the network traffic management device, when at least a portion of a previous server response to the request is stored in a memory;retrieving, by the EAM agent of the network traffic management device, the at least a portion of the previous server response from the memory, when the determining indicates that the at least a portion of the previous server response is stored in the memory; andsending, by the EAM agent of the network traffic management device, the retrieved at least a portion of the previous server response to the client device.
  • 7. The method of claim 1, further comprising: determining, by the EAM agent of the network traffic management device, when the request can be processed in an expedited manner based on a uniform resource identifier of the request; andforwarding, by the EAM agent of the network traffic management device, the request directly to one or more of the servers without communicating with the EAM server, when the determining indicates that the request is eligible to be processed in the expedited manner.
  • 8. The method of claim 1, further comprising: determining, by the EAM agent of the network traffic management device, when a prior determination that the user is authorized to access the service or resource is stored in a memory; andforwarding, by the EAM agent of the network traffic management device, the request to one or more of the servers, when the determining indicates that the prior determination that the user is authorized to access the service or resource is stored in the memory.
  • 9. The method of claim 1, further comprising: executing, by the EAM agent of the network traffic management device, one or more request processing events, wherein the one or more request processing events are configured to allow insertion of custom processing logic to modify default request processing of the event.
  • 10. A non-transitory machine readable medium having stored thereon instructions for providing access control, comprising machine executable code which when executed by at least one machine, causes the machine to: receive a request from a client device for a user to access a service or resource accessible to one or more remotely located servers;send credential information for the user to an external access management (EAM) server;receive access policy information for the user from the EAM server in response to sending the credential information, the access policy information indicating whether the user is authorized to access the service or resource; andenforce the access policy information and send another request on behalf of the client device to access the service or resource accessible to the servers based on traffic handling priority information for the user corresponding to identity information included in the access policy information, when the access policy information indicates that the user is authorized to access the service or resource.
  • 11. The machine readable medium of claim 10, wherein the machine executable code when executed by the at least one machine further causes the machine to obtain the credential information for the user comprising at least one of receiving the credential information in response to a request for the credential information sent to the client device or retrieving the credential information from a single sign on (SSO) cookie included in the received request to access the service or resource.
  • 12. The machine readable medium of claim 10, wherein the machine executable code when executed by the at least one machine further causes the machine to: generate, and insert into a received response from one or more of the servers, a single sign on (SSO) cookie for the user, wherein the SSO cookie contains the credential information and at least a portion of the access policy information for the user received from the EAM server; andsend the response with the inserted SSO cookie to the client device.
  • 13. The machine readable medium of claim 10, wherein the machine executable code when executed by the at least one machine further causes the machine to: modify the request to include the credential information in accordance with the access policy information; andsend the modified request to one or more of the servers.
  • 14. The machine readable medium of claim 10, wherein the machine executable code when executed by the at least one machine further causes the machine to: apply a previously stored local access policy for the user prior to sending the credential information to the EAM server.
  • 15. The machine readable medium of claim 10, wherein the machine executable code when executed by the at least one machine further causes the machine to: determine when at least a portion of a previous server response to the request is stored in a memory;retrieve the at least a portion of the previous server response from the memory when the determining indicates that the at least a portion of the previous server response is stored in the memory; andsend the retrieved at least a portion of the previous server response to the client device.
  • 16. The machine readable medium of claim 10, wherein the machine executable code when executed by the at least one machine further causes the machine to: determine when the request can be processed in an expedited manner based on a uniform resource identifier of the request; andforward the request directly to one or more of the servers without communicating with the EAM server, when the determining indicates that the request is eligible to be processed in the expedited manner.
  • 17. The machine readable medium of claim 10, wherein the machine executable code when executed by the at least one machine further causes the machine to: determine when a prior determination that the user is authorized to access the service or resource is stored in a memory; andforward the request to one or more of the servers, when the determining indicates that the prior determination that the user is authorized to access the service or resource is stored in the memory.
  • 18. The machine readable medium of claim 10, wherein the machine executable code when executed by the at least one machine further causes the machine to execute one or more request processing events, wherein the one or more request processing events are configured to allow insertion of custom processing logic to modify default request processing of the event.
  • 19. A network traffic management device comprising: a memory comprising programmed instructions stored in the memory for a local external access management (EAM) agent; anda processor coupled to the memory and configured to be capable of executing the programmed instructions stored in the memory to: receive a request from a client device for a user to access a service or resource accessible to one or more servers;send credential information for the user to an EAM server, wherein the network traffic management device and the local EAM agent are remote from the servers and the EAM server;receive access policy information for the user from the EAM server in response to sending the credential information, the access policy information indicating whether the user is authorized to access the service or resource; andenforce the access policy information and;sending another request on behalf of the client device to access the service or resource accessible to the servers based on traffic handling priority information for the user corresponding to identity information included in the access policy information, when the access policy information indicates that the user is authorized to access the service or resource.
  • 20. The network traffic management device of claim 19, wherein the processor is further configured to be capable of executing the programmed instructions stored in the memory to obtain the credential information for the user comprising at least one of receive the credential information in response to a request for the credential information sent to the client device or retrieve the credential information from a single sign on (SSO) cookie included in the received request to access the service or resource.
  • 21. The network traffic management device of claim 19, wherein the processor is further configured to be capable of executing the programmed instructions stored in the memory to: generate, and insert into a received response from one or more of the servers, a single sign on (SSO) cookie for the user, wherein the SSO cookie contains the credential information and at least a portion of the access policy information for the user received from the EAM server; andsend the response with the inserted SSO cookie to the client device.
  • 22. The network traffic management device of claim 19, wherein the processor is further configured to be capable of executing the programmed instructions stored in the memory to: modify the request to include the credential information in accordance with the access policy information; andsend the modified request to one or more of the servers.
  • 23. The network traffic management device of claim 19, wherein the processor is further configured to be capable of executing the programmed instructions stored in the memory to apply a previously stored local access policy for the user prior to sending the credential information to the EAM server.
  • 24. The network traffic management device of claim 19, wherein the processor is further configured to be capable of executing the programmed instructions stored in the memory to: determine when at least a portion of a previous server response to the request is stored in the memory;retrieve the at least a portion of the previous server response from the memory when the determining indicates that the at least a portion of the previous server response is stored in the memory; andsend the retrieved at least a portion of the previous server response to the client device.
  • 25. The network traffic management device of claim 19, wherein the processor is further configured to be capable of executing the programmed instructions stored in the memory to: determine when the request can be processed in an expedited manner based on a uniform resource identifier of the request; andforward the request directly to one or more of the servers without communicating with the EAM server, when the determining indicates that the request is eligible to be processed in the expedited manner.
  • 26. The network traffic management device of claim 19, wherein the processor is further configured to be capable of executing the programmed instructions stored in the memory to: determine when a prior determination that the user is authorized to access the service or resource is stored in the memory; andforward the request to one or more of the servers, when the determining indicates that the prior determination that the user is authorized to access the service or resource is stored in the memory.
  • 27. The network traffic management device of claim 19, wherein the processor is further configured to be capable of executing the programmed instructions stored in the memory to execute one or more request processing events, wherein the one or more request processing events are configured to allow insertion of custom processing logic to modify default request processing of the event.
  • 28. A method of providing access control, the method comprising: intercepting, by a network traffic management device, a request from a client device for a user to access a service or resource accessible by one or more servers;sending, by the network traffic management device, credential information for the user to an external access management (EAM) server, wherein the network traffic management device is remote from the servers and the EAM server;receiving, by the network traffic management device, access policy information for the user from the EAM server in response to sending the credential information, the access policy information indicating whether the user is authorized to access the requested service or resource; andenforcing, by the network traffic management device, the access policy information comprising sending another request on behalf of the client device to access the service or resource to one or more of the servers, when the access policy information indicates that the user is authorized to access the requested service or resource, and including a single sign on (SSO) cookie or token containing at least a portion of the credential information and at least a portion of the access policy information received from the EAM server for the user in a response to the other request on behalf of the client device, which is then returned by the client device in a subsequent request relating to the service or resource accessible by the servers.
  • 29. A non-transitory machine readable medium having stored thereon machine executable code containing instructions for providing access control, which when executed by at least one machine, causes the machine to: intercept a request from a client device for a user to access a service or resource accessible by one or more remotely located servers;send credential information for the user to an external access management (EAM) server;receive access policy information for the user from the EAM server in response to sending the credential information, the access policy information indicating whether the user is authorized to access the requested service or resource; andenforce the access policy information comprising sending another request on behalf of the client device to access the service or resource to one or more of the servers, when the access policy information indicates that the user is authorized to access the requested service or resource, and include a single sign on (SSO) cookie or token containing at least a portion of the credential information and at least a portion of the access policy information received from the EAM server for the user in a response to the other request on behalf of the client device, which is then returned by the client device in a subsequent request relating to the service or resource accessible by the servers.
  • 30. A network traffic management device comprising: a memory comprising programmed instructions stored thereon for a local external access management (EAM) agent; anda processor coupled to the memory and configured to be capable of executing the stored programmed instructions to: intercept a request from a client device for a user to access a service or resource accessible by one or more servers;send credential information for the user to an EAM server, wherein the network traffic management device is remote from the servers and the EAM server;receive access policy information for the user from the EAM server in response to sending the credential information, the access policy information indicating whether the user is authorized to access the requested service or resource; andenforce the access policy information comprising sending another request on behalf of the client device to access the service or resource to one or more of the servers, when the access policy information indicates that the user is authorized to access the requested service or resource, and include a single sign on (SSO) cookie or token containing at least a portion of the credential information and at least a portion of the access policy information received from the EAM server for the user in a response to the other request on behalf of the client device, which is then returned by the client device in a subsequent request relating to the service or resource accessible by the servers.
STATEMENT OF RELATED APPLICATION

The present application claims the benefit of priority based on U.S. Provisional Patent Application Ser. No. 61/437,063, filed on Jan. 28, 2011, in the names of Dennis Zhou and Amit Jain, entitled “Systems and Method for Combining an Access Control System with a Traffic Management System”, all commonly owned herewith.

US Referenced Citations (588)
Number Name Date Kind
3115802 Sweeny Dec 1963 A
3950735 Patel Apr 1976 A
4644532 George et al. Feb 1987 A
4897781 Chang et al. Jan 1990 A
4965772 Daniel et al. Oct 1990 A
5023826 Patel Jun 1991 A
5053953 Patel Oct 1991 A
5167024 Smith et al. Nov 1992 A
5299312 Rocco, Jr. Mar 1994 A
5327529 Fults et al. Jul 1994 A
5329508 Matsueda Jul 1994 A
5367635 Bauer et al. Nov 1994 A
5371852 Attanasio et al. Dec 1994 A
5388237 Sodos Feb 1995 A
5406502 Haramaty et al. Apr 1995 A
5475857 Dally Dec 1995 A
5517617 Sathaye et al. May 1996 A
5519694 Brewer et al. May 1996 A
5519778 Leighton et al. May 1996 A
5521591 Arora et al. May 1996 A
5528701 Aref Jun 1996 A
5581764 Fitzgerald et al. Dec 1996 A
5596742 Agarwal et al. Jan 1997 A
5606665 Yang et al. Feb 1997 A
5611049 Pitts Mar 1997 A
5663018 Cummings et al. Sep 1997 A
5742765 Wong et al. Apr 1998 A
5752023 Choucri et al. May 1998 A
5761484 Agarwal et al. Jun 1998 A
5761534 Lundberg et al. Jun 1998 A
5768423 Aref et al. Jun 1998 A
5774660 Brendel et al. Jun 1998 A
5790554 Pitcher et al. Aug 1998 A
5797033 Ecclesine Aug 1998 A
5802052 Venkataraman Sep 1998 A
5812550 Sohn et al. Sep 1998 A
5825772 Dobbins et al. Oct 1998 A
5828835 Isfeld et al. Oct 1998 A
5832283 Chou et al. Nov 1998 A
5875296 Shi et al. Feb 1999 A
5892914 Pitts Apr 1999 A
5892932 Kim Apr 1999 A
5919247 Van Hoff et al. Jul 1999 A
5936939 Des Jardins et al. Aug 1999 A
5941988 Bhagwat et al. Aug 1999 A
5946690 Pitts Aug 1999 A
5949885 Leighton Sep 1999 A
5951694 Choquier et al. Sep 1999 A
5959990 Frantz et al. Sep 1999 A
5974460 Maddalozzo, Jr. et al. Oct 1999 A
5983281 Ogle et al. Nov 1999 A
5988847 McLaughlin et al. Nov 1999 A
6006260 Barrick, Jr. Dec 1999 A
6006264 Colby et al. Dec 1999 A
6026443 Oskouy et al. Feb 2000 A
6026452 Pitts Feb 2000 A
6028857 Poor Feb 2000 A
6051169 Brown et al. Apr 2000 A
6078956 Bryant et al. Jun 2000 A
6085234 Pitts et al. Jul 2000 A
6092196 Reiche Jul 2000 A
6108703 Leighton et al. Aug 2000 A
6111876 Frantz et al. Aug 2000 A
6115802 Tock et al. Sep 2000 A
6128279 O'Neil et al. Oct 2000 A
6128657 Okanoya et al. Oct 2000 A
6160874 Dickerman et al. Dec 2000 A
6170022 Linville et al. Jan 2001 B1
6178423 Douceur et al. Jan 2001 B1
6182139 Brendel Jan 2001 B1
6192051 Lipman et al. Feb 2001 B1
6233612 Fruchtman et al. May 2001 B1
6246684 Chapman et al. Jun 2001 B1
6253226 Chidambaran et al. Jun 2001 B1
6253230 Couland et al. Jun 2001 B1
6263368 Martin Jul 2001 B1
6289012 Harrington et al. Sep 2001 B1
6298380 Coile et al. Oct 2001 B1
6314408 Salas et al. Nov 2001 B1
6327622 Jindal et al. Dec 2001 B1
6343324 Hubis et al. Jan 2002 B1
6347339 Morris et al. Feb 2002 B1
6360270 Cherkasova et al. Mar 2002 B1
6374300 Masters Apr 2002 B2
6396833 Zhang et al. May 2002 B1
6430562 Kardos et al. Aug 2002 B1
6434081 Johnson et al. Aug 2002 B1
6480476 Willars Nov 2002 B1
6484261 Wiegel Nov 2002 B1
6490624 Sampson et al. Dec 2002 B1
6510135 Almulhem et al. Jan 2003 B1
6510458 Berstis et al. Jan 2003 B1
6519643 Foulkes et al. Feb 2003 B1
6529508 Li et al. Mar 2003 B1
6601084 Bhaskaran et al. Jul 2003 B1
6614957 Wyeth et al. Sep 2003 B2
6636503 Shiran et al. Oct 2003 B1
6636894 Short et al. Oct 2003 B1
6650640 Muller et al. Nov 2003 B1
6650641 Albert et al. Nov 2003 B1
6654701 Hatley Nov 2003 B2
6661802 Homberg et al. Dec 2003 B1
6683873 Kwok et al. Jan 2004 B1
6691165 Bruck et al. Feb 2004 B1
6694517 James et al. Feb 2004 B1
6700871 Harper et al. Mar 2004 B1
6708187 Shanumgam et al. Mar 2004 B1
6718380 Mohaban et al. Apr 2004 B1
6742045 Albert et al. May 2004 B1
6748457 Fallon et al. Jun 2004 B2
6751663 Farrell et al. Jun 2004 B1
6754228 Ludwig Jun 2004 B1
6760775 Anerousis et al. Jul 2004 B1
6772219 Shobatake Aug 2004 B1
6779039 Bommareddy et al. Aug 2004 B1
6781986 Sabaa et al. Aug 2004 B1
6781990 Puri et al. Aug 2004 B1
6798777 Ferguson et al. Sep 2004 B1
6804542 Haartsen Oct 2004 B1
6816901 Sitaraman et al. Nov 2004 B1
6816977 Brakmo et al. Nov 2004 B2
6820133 Grove et al. Nov 2004 B1
6826698 Minkin et al. Nov 2004 B1
6829238 Tokuyo et al. Dec 2004 B2
6868082 Allen, Jr. et al. Mar 2005 B1
6876629 Beshai et al. Apr 2005 B2
6876654 Hedge Apr 2005 B1
6904040 Salapura et al. Apr 2005 B2
6888836 Cherkasova May 2005 B1
6928082 Liu et al. Aug 2005 B2
6947985 Hegli et al. Sep 2005 B2
6950434 Viswanath et al. Sep 2005 B1
6954780 Susai et al. Oct 2005 B2
6957272 Tallegas et al. Oct 2005 B2
6959394 Brickell et al. Oct 2005 B1
6975592 Seddigh et al. Dec 2005 B1
6986040 Kramer et al. Jan 2006 B1
6987763 Rochberger et al. Jan 2006 B2
6999457 Shinohara Feb 2006 B2
7007092 Peiffer Feb 2006 B2
7058633 Gnagy et al. Jun 2006 B1
7065630 Ledebohm et al. Jun 2006 B1
7107348 Shimada et al. Sep 2006 B2
7113993 Cappiello et al. Sep 2006 B1
7117308 Mitten et al. Oct 2006 B1
7133944 Song et al. Nov 2006 B2
7139792 Mishra et al. Nov 2006 B1
7142540 Hendel et al. Nov 2006 B2
7174393 Boucher et al. Feb 2007 B2
7185359 Schmidt et al. Feb 2007 B2
7228422 Morioka et al. Jun 2007 B2
7236491 Tsao et al. Jun 2007 B2
7272150 Bly et al. Sep 2007 B2
7281030 Davis Oct 2007 B1
7283470 Sindhu et al. Oct 2007 B1
7295827 Liu et al. Nov 2007 B2
7308703 Wright et al. Dec 2007 B2
7308709 Brezak et al. Dec 2007 B1
7310339 Powers et al. Dec 2007 B1
7319696 Inoue et al. Jan 2008 B2
7321926 Zhang et al. Jan 2008 B1
7324525 Fuhs et al. Jan 2008 B2
7343413 Gilde et al. Mar 2008 B2
7349391 Ben-Dor et al. Mar 2008 B2
7353326 Cho et al. Apr 2008 B2
7355977 Li Apr 2008 B1
7415034 Muller et al. Apr 2008 B2
7376772 Fallon May 2008 B2
7383570 Pinkas et al. Jun 2008 B2
7398552 Pardee et al. Jul 2008 B2
7403542 Thompson Jul 2008 B1
7411957 Stacy et al. Aug 2008 B2
7420931 Nanda et al. Sep 2008 B2
7433962 Janssen et al. Oct 2008 B2
7437478 Yokota et al. Oct 2008 B2
7454480 Labio et al. Nov 2008 B2
7457313 Patrick Nov 2008 B2
7333999 Njemanze Dec 2008 B1
7475122 Azpitarte Jan 2009 B2
7478186 Onufryk et al. Jan 2009 B1
7490162 Masters Feb 2009 B1
7496689 Sharp et al. Feb 2009 B2
7496695 Go et al. Feb 2009 B2
7500028 Yamagishi Mar 2009 B2
7500243 Huetsch et al. Mar 2009 B2
7500269 Huotari et al. Mar 2009 B2
7505795 Lim et al. Mar 2009 B1
7512078 Swain Mar 2009 B2
7512721 Olson Mar 2009 B1
7516492 Nisbet et al. Apr 2009 B1
7522581 Acharya et al. Apr 2009 B2
7526541 Roese et al. Apr 2009 B2
7533197 Leonard et al. May 2009 B2
7552232 Helmer, Jr. et al. Jun 2009 B2
7558197 Sindhu et al. Jul 2009 B1
7558910 Alverson et al. Jul 2009 B2
7571180 Minyailov Aug 2009 B2
7571299 Loeb Aug 2009 B2
7580971 Gollapudi et al. Aug 2009 B1
7590732 Rune Sep 2009 B2
7590753 Wolde et al. Sep 2009 B2
7620046 Ronciak et al. Nov 2009 B2
7620071 Makineni et al. Nov 2009 B2
7621162 Bartky Nov 2009 B2
7624424 Morita et al. Nov 2009 B2
7644137 Bozak et al. Jan 2010 B2
7647416 Chiang et al. Jan 2010 B2
7657659 Lambeth et al. Feb 2010 B1
7660916 Moskalev et al. Feb 2010 B2
7668166 Rekhter et al. Feb 2010 B1
7668727 Mitchell et al. Feb 2010 B2
7668851 Triplett Feb 2010 B2
7689710 Tang et al. Mar 2010 B2
7706261 Sun et al. Apr 2010 B2
7710989 Chew May 2010 B2
7724657 Rao et al. May 2010 B2
7725093 Sengupta et al. May 2010 B2
7729239 Aronov et al. Jun 2010 B1
7734809 Joshi et al. Jun 2010 B2
7735099 Micalizzi, Jr. Jun 2010 B1
7742412 Medina Jun 2010 B1
7778187 Chaturvedi et al. Aug 2010 B2
7784093 Deng et al. Aug 2010 B2
7808913 Ansari et al. Oct 2010 B2
7813277 Okholm et al. Oct 2010 B2
7826487 Mukerji et al. Nov 2010 B1
7831662 Clark et al. Nov 2010 B2
7840841 Huang et al. Nov 2010 B2
7876677 Cheshire Jan 2011 B2
7877524 Annem et al. Jan 2011 B1
7908314 Yamaguchi et al. Mar 2011 B2
7916728 Mimms Mar 2011 B1
7925908 Kim Apr 2011 B2
7930365 Dixit et al. Apr 2011 B2
7933496 Livshits et al. Apr 2011 B2
7936772 Kashyap May 2011 B2
7945908 Waldspurger et al. May 2011 B1
7984141 Gupta et al. Jul 2011 B2
7991918 Uha et al. Aug 2011 B2
7996569 Aloni et al. Aug 2011 B2
8006016 Muller et al. Aug 2011 B2
8041022 Andreasen Oct 2011 B1
8077620 Solomon et al. Dec 2011 B2
8099528 Millet et al. Jan 2012 B2
8103781 Wu et al. Jan 2012 B1
8103809 Michels et al. Jan 2012 B1
8112491 Michels et al. Feb 2012 B1
8112594 Giacomoni et al. Feb 2012 B2
8130650 Allen, Jr. et al. Mar 2012 B2
8149819 Kobayashi et al. Apr 2012 B2
8185475 Hug May 2012 B2
8189567 Kavanagh et al. May 2012 B2
8199757 Pani et al. Jun 2012 B2
8205246 Shatzkamer et al. Jun 2012 B2
8219609 Bhattacharjee et al. Jul 2012 B1
8233380 Subramanian et al. Jul 2012 B2
8239954 Wobber et al. Aug 2012 B2
8274895 Rahman et al. Sep 2012 B2
8279865 Giacomoni et al. Oct 2012 B2
8302169 Presoto et al. Oct 2012 B1
8306036 Bollay et al. Nov 2012 B1
8321908 Gai et al. Nov 2012 B2
8346993 Michels et al. Jan 2013 B2
8351333 Rao et al. Jan 2013 B2
8380854 Szabo Feb 2013 B2
8417817 Jacobs Apr 2013 B1
8447871 Szabo May 2013 B1
8447884 Baumann May 2013 B1
8447970 Klein et al. May 2013 B2
8448234 Mondaeev et al. May 2013 B2
8452876 Williams et al. May 2013 B1
8464265 Worley Jun 2013 B2
8468247 Richardson et al. Jun 2013 B1
8468267 Yigang Jun 2013 B2
8521851 Richardson et al. Aug 2013 B1
8521880 Richardson et al. Aug 2013 B1
8359224 Henderson et al. Sep 2013 B2
8527758 Mansour Sep 2013 B2
8566474 Kanode et al. Oct 2013 B2
8578050 Craig et al. Nov 2013 B2
8606921 Vasquez et al. Dec 2013 B2
8615022 Harrison et al. Dec 2013 B2
8646067 Agarwal et al. Feb 2014 B2
8665868 Kay Mar 2014 B2
8701179 Penno et al. Apr 2014 B1
8725836 Lowery et al. May 2014 B2
8726338 Narayanaswamy et al. May 2014 B2
8737304 Karuturi et al. May 2014 B2
8778665 Glide et al. Jul 2014 B2
8799403 Chan et al. Aug 2014 B2
8804504 Chen Aug 2014 B1
8819109 Krishnamurthy et al. Aug 2014 B1
8819419 Carlson et al. Aug 2014 B2
8819768 Koeten et al. Aug 2014 B1
8830874 Cho et al. Sep 2014 B2
8848715 Izenberg et al. Sep 2014 B2
8873753 Parker Oct 2014 B2
8875274 Montemurro et al. Oct 2014 B2
8880632 Michels et al. Nov 2014 B1
8880696 Michels et al. Nov 2014 B1
8886981 Baumann et al. Nov 2014 B1
8908545 Chen et al. Dec 2014 B1
8954080 Janakiraman et al. Feb 2015 B2
8984178 Michels et al. Mar 2015 B2
9032113 Conroy et al. May 2015 B2
9036529 Erickson May 2015 B2
9037166 de Wit et al. May 2015 B2
9047259 Ho et al. Jun 2015 B1
9077554 Szabo Jul 2015 B1
9083760 Hughes et al. Jul 2015 B1
9114326 Johnson et al. Aug 2015 B2
9172753 Jiang et al. Oct 2015 B1
9246819 Thirasuttakorn Jan 2016 B1
9505712 Van Den Tillaart et al. Nov 2016 B2
9589114 Strom et al. May 2017 B2
9709805 Weindorf et al. Jul 2017 B2
9745800 Poteet, III Aug 2017 B2
9905829 Masuda Feb 2018 B2
9906913 Ding et al. Feb 2018 B2
9910858 Fermum et al. Mar 2018 B2
9939373 Salemo et al. Apr 2018 B2
9964967 Zheng et al. May 2018 B2
20010009554 Katseff et al. Jul 2001 A1
20010023442 Masters Sep 2001 A1
20020010783 Primak et al. Jan 2002 A1
20020032777 Kawata et al. Mar 2002 A1
20020046291 O'Callaghan et al. Apr 2002 A1
20020049842 Huetsch et al. Apr 2002 A1
20020059428 Susai et al. May 2002 A1
20020083067 Tamayo et al. Jun 2002 A1
20020095498 Chanda et al. Jul 2002 A1
20020112061 Shih et al. Aug 2002 A1
20020138615 Schmelling Sep 2002 A1
20020156927 Boucher et al. Oct 2002 A1
20020161913 Gonzalez et al. Oct 2002 A1
20020194342 Lu et al. Dec 2002 A1
20020198993 Cudd et al. Dec 2002 A1
20030037070 Marston Feb 2003 A1
20030046291 Fascenda Mar 2003 A1
20030065653 Overton et al. Apr 2003 A1
20030065951 Igeta et al. Apr 2003 A1
20030067930 Salapura et al. Apr 2003 A1
20030069918 Lu et al. Apr 2003 A1
20030069974 Lu et al. Apr 2003 A1
20030070069 Belapurkar et al. Apr 2003 A1
20030086415 Bernhard et al. May 2003 A1
20030105807 Thompson et al. Jun 2003 A1
20030105983 Brakmo et al. Jun 2003 A1
20030108052 Inoue et al. Jun 2003 A1
20030120948 Schmidt et al. Jun 2003 A1
20030128708 Inoue et al. Jul 2003 A1
20030145062 Sharma et al. Jul 2003 A1
20030145233 Poletto et al. Jul 2003 A1
20030163576 Janssen et al. Aug 2003 A1
20030188193 Vishwanath Oct 2003 A1
20030204636 Greenblat et al. Oct 2003 A1
20030208596 Carolan et al. Nov 2003 A1
20030225485 Fritz et al. Dec 2003 A1
20040003287 Zissimopoulos et al. Jan 2004 A1
20040072569 Omae et al. Apr 2004 A1
20040103283 Hornak May 2004 A1
20040111523 Hall et al. Jun 2004 A1
20040111621 Himberger et al. Jun 2004 A1
20040117493 Bazot et al. Jun 2004 A1
20040151186 Akama Aug 2004 A1
20040192312 Li et al. Sep 2004 A1
20040199762 Carlson et al. Oct 2004 A1
20040202161 Stachura et al. Oct 2004 A1
20040210663 Phillips et al. Oct 2004 A1
20040243808 Ishiguro Dec 2004 A1
20040249881 Uha et al. Dec 2004 A1
20040249948 Sethi et al. Dec 2004 A1
20040255000 Simionescu et al. Dec 2004 A1
20040264472 Oliver et al. Dec 2004 A1
20040264481 Darling et al. Dec 2004 A1
20040267897 Hill et al. Dec 2004 A1
20040267920 Hydrie et al. Dec 2004 A1
20040267948 Oliver et al. Dec 2004 A1
20040268358 Darling et al. Dec 2004 A1
20050004887 Igakura et al. Jan 2005 A1
20050005133 Xia et al. Jan 2005 A1
20050007991 Ton et al. Jan 2005 A1
20050021736 Carusi et al. Jan 2005 A1
20050027869 Johnson Feb 2005 A1
20050044213 Kobayashi et al. Feb 2005 A1
20050052440 Kim et al. Mar 2005 A1
20050055435 Gbadegesin et al. Mar 2005 A1
20050071283 Randle et al. Mar 2005 A1
20050078604 Yim Apr 2005 A1
20050083952 Swain Apr 2005 A1
20050114559 Miller May 2005 A1
20050122942 Rhee et al. Jun 2005 A1
20050122977 Lieberman Jun 2005 A1
20050154837 Keohane et al. Jul 2005 A1
20050175014 Patrick Aug 2005 A1
20050187866 Lee Aug 2005 A1
20050188220 Nilsson et al. Aug 2005 A1
20050198310 Kim et al. Sep 2005 A1
20050213570 Stacy et al. Sep 2005 A1
20050262238 Reeves et al. Nov 2005 A1
20050288939 Peled et al. Dec 2005 A1
20060007928 Sangillo Jan 2006 A1
20060031520 Bedekar et al. Feb 2006 A1
20060036764 Yokota et al. Feb 2006 A1
20060059267 Cugi et al. Mar 2006 A1
20060067349 Ronciak et al. Mar 2006 A1
20060077902 Kannan et al. Apr 2006 A1
20060077986 Rune Apr 2006 A1
20060083205 Buddhikot et al. Apr 2006 A1
20060095573 Carle et al. May 2006 A1
20060104303 Makineni et al. May 2006 A1
20060106802 Giblin et al. May 2006 A1
20060112176 Liu et al. May 2006 A1
20060112272 Morioka et al. May 2006 A1
20060129684 Datta Jun 2006 A1
20060135198 Lee Jun 2006 A1
20060156416 Huotari et al. Jul 2006 A1
20060161577 Kulkarni et al. Jul 2006 A1
20060168070 Thompson et al. Jul 2006 A1
20060171365 Borella Aug 2006 A1
20060179153 Lee et al. Aug 2006 A1
20060182103 Martini et al. Aug 2006 A1
20060184647 Dixit et al. Aug 2006 A1
20060209853 Hidaka et al. Sep 2006 A1
20060221832 Muller et al. Oct 2006 A1
20060221835 Sweeney Oct 2006 A1
20060230148 Forecast et al. Oct 2006 A1
20060233106 Achlioptas et al. Oct 2006 A1
20060235996 Wolde et al. Oct 2006 A1
20060242300 Yumoto et al. Oct 2006 A1
20060253583 Dixon Nov 2006 A1
20060268704 Ansari et al. Nov 2006 A1
20060288128 Moskalev et al. Dec 2006 A1
20060291483 Sela Dec 2006 A1
20060294054 Kudo et al. Dec 2006 A1
20070006293 Balakrishnan et al. Jan 2007 A1
20070016662 Desai et al. Jan 2007 A1
20070019658 Park et al. Jan 2007 A1
20070297410 Yoon et al. Feb 2007 A1
20070050843 Manville et al. Mar 2007 A1
20070058670 Konduru et al. Mar 2007 A1
20070064661 Sood et al. Mar 2007 A1
20070083646 Miller et al. Apr 2007 A1
20070087756 Hoffberg Apr 2007 A1
20070088822 Coile et al. Apr 2007 A1
20070106796 Kudo et al. May 2007 A1
20070107048 Halls et al. May 2007 A1
20070118879 Yeun May 2007 A1
20070174491 Still et al. Jul 2007 A1
20070219917 Liu et al. Sep 2007 A1
20070220598 Salowey et al. Sep 2007 A1
20070233809 Brownell et al. Oct 2007 A1
20070258451 Bouat Nov 2007 A1
20070297551 Choi Dec 2007 A1
20080008202 Terrell et al. Jan 2008 A1
20080010207 Yanagihara et al. Jan 2008 A1
20080025297 Kashyap Jan 2008 A1
20080031258 Acharya et al. Feb 2008 A1
20080034136 Ulenas Feb 2008 A1
20080059797 Tokuno et al. Mar 2008 A1
20080072303 Syed Mar 2008 A1
20080101596 Cerruti et al. May 2008 A1
20080120370 Chan et al. May 2008 A1
20080126509 Subramanian et al. May 2008 A1
20080133518 Kapoor et al. Jun 2008 A1
20080134311 Medvinsky et al. Jun 2008 A1
20080148340 Powell et al. Jun 2008 A1
20080159145 Muthukrishnan et al. Jul 2008 A1
20080165801 Sheppard Jul 2008 A1
20080177994 Mayer Jul 2008 A1
20080178278 Grinstein et al. Jul 2008 A1
20080184248 Barua et al. Jul 2008 A1
20080201599 Ferraiolo et al. Aug 2008 A1
20080205613 Lopez Aug 2008 A1
20080219279 Chew Sep 2008 A1
20080222646 Sigal et al. Sep 2008 A1
20080225710 Raja et al. Sep 2008 A1
20080229415 Kapoor et al. Sep 2008 A1
20080235508 Ran et al. Sep 2008 A1
20080239986 Xu et al. Oct 2008 A1
20080253395 Pandya Oct 2008 A1
20080256224 Kaji et al. Oct 2008 A1
20080279200 Shatzkamer et al. Nov 2008 A1
20080282354 Wobber et al. Nov 2008 A1
20080288661 Galles Nov 2008 A1
20080301760 Lim Dec 2008 A1
20080316922 Riddle et al. Dec 2008 A1
20090003204 Okholm et al. Jan 2009 A1
20090016217 Kashyap Jan 2009 A1
20090028337 Balabine et al. Jan 2009 A1
20090049230 Pandya Feb 2009 A1
20090070617 Arimilli et al. Mar 2009 A1
20090077619 Boyce Mar 2009 A1
20090089619 Huang et al. Apr 2009 A1
20090094610 Sukirya Apr 2009 A1
20090119504 van Os et al. May 2009 A1
20090125496 Wexler et al. May 2009 A1
20090125532 Wexler et al. May 2009 A1
20090125625 Shim et al. May 2009 A1
20090138749 Moll et al. May 2009 A1
20090141891 Boyen et al. Jun 2009 A1
20090157678 Turk Jun 2009 A1
20090193126 Agarwal et al. Jul 2009 A1
20090193513 Agarwal et al. Jul 2009 A1
20090196282 Fellman et al. Aug 2009 A1
20090222598 Hayden Sep 2009 A1
20090228956 He et al. Sep 2009 A1
20090248893 Richardson et al. Oct 2009 A1
20090248911 Conroy et al. Oct 2009 A1
20090287935 Aull et al. Nov 2009 A1
20090296624 Ryu et al. Dec 2009 A1
20090300407 Kamath et al. Dec 2009 A1
20100011434 Kay Jan 2010 A1
20100017846 Huang et al. Jan 2010 A1
20100071048 Novak et al. Mar 2010 A1
20100082849 Millet et al. Apr 2010 A1
20100094945 Chan et al. Apr 2010 A1
20100115236 Bataineh et al. May 2010 A1
20100122091 Huang et al. May 2010 A1
20100017627 Princen et al. Jun 2010 A1
20100150154 Viger et al. Jun 2010 A1
20100154031 Montemurro et al. Jun 2010 A1
20100191974 Dubhashi et al. Jun 2010 A1
20100165877 Shukla et al. Jul 2010 A1
20100188976 Rahman et al. Jul 2010 A1
20100189052 Kavanagh Jul 2010 A1
20100242092 Harris et al. Sep 2010 A1
20100251330 Kroeselberg et al. Sep 2010 A1
20100279733 Karsten et al. Nov 2010 A1
20100299451 Yigang et al. Nov 2010 A1
20100322250 Shetty et al. Dec 2010 A1
20100325277 Muthiah et al. Dec 2010 A1
20110040889 Garrett et al. Feb 2011 A1
20110047620 Mahaffey et al. Feb 2011 A1
20110087888 Rennie Apr 2011 A1
20110090541 Harper Apr 2011 A1
20110107077 Henderson et al. May 2011 A1
20110153822 Rajan et al. Jun 2011 A1
20110154443 Thakur et al. Jun 2011 A1
20110173295 Bakke et al. Jul 2011 A1
20110184733 Yu et al. Jul 2011 A1
20110197059 Klein et al. Aug 2011 A1
20110202676 Craig et al. Aug 2011 A1
20110246800 Accpadi et al. Oct 2011 A1
20110273984 Hsu et al. Nov 2011 A1
20110277016 Hockings Nov 2011 A1
20110282997 Prince et al. Nov 2011 A1
20110314178 Kanode et al. Dec 2011 A1
20110321122 Mwangi et al. Dec 2011 A1
20120016994 Nakamura et al. Jan 2012 A1
20120030341 Jensen et al. Feb 2012 A1
20120039341 Latif et al. Feb 2012 A1
20120041965 Vasquez et al. Feb 2012 A1
20120063314 Pignataro et al. Mar 2012 A1
20120066489 Ozaki et al. Mar 2012 A1
20120079055 Robinson Mar 2012 A1
20120101952 Raleigh et al. Apr 2012 A1
20120124372 Dilley et al. May 2012 A1
20120191800 Michels et al. Jul 2012 A1
20120191847 Nas et al. Jul 2012 A1
20120198043 Hesketh et al. Aug 2012 A1
20120224531 Karuturi et al. Sep 2012 A1
20120311153 Morgan Dec 2012 A1
20120317266 Abbott Dec 2012 A1
20130003106 Lowery et al. Jan 2013 A1
20130029726 Berionne et al. Jan 2013 A1
20130031060 Lowery et al. Jan 2013 A1
20130054433 Giard Feb 2013 A1
20130055367 Kshirsagar Feb 2013 A1
20130067546 Thavasi Mar 2013 A1
20130091002 Christie et al. Apr 2013 A1
20130163758 Swaminathan et al. Jun 2013 A1
20130198322 Oran et al. Aug 2013 A1
20130205361 Narayanaswamy et al. Aug 2013 A1
20130262873 Read Oct 2013 A1
20130282589 Shoup Oct 2013 A1
20130336122 Baruah et al. Dec 2013 A1
20140032695 Michels et al. Jan 2014 A1
20140040478 Hsu et al. Feb 2014 A1
20140059678 Parker Feb 2014 A1
20140095661 Knowles et al. Apr 2014 A1
20140162705 de Wit et al. Jun 2014 A1
20140171089 Janakiraman et al. Jun 2014 A1
20140185422 Newman et al. Jul 2014 A1
20140250535 Qu et al. Sep 2014 A1
20140269484 Dankberg et al. Sep 2014 A1
20140301207 Durand et al. Oct 2014 A1
20140317404 Carlson et al. Oct 2014 A1
Foreign Referenced Citations (20)
Number Date Country
0 744 850 Nov 1996 EP
0744850 Nov 1996 EP
1813084 Aug 2007 EP
9114326 Sep 1991 WO
9505712 Feb 1995 WO
9905829 Feb 1997 WO
9709805 Mar 1997 WO
9745800 Dec 1997 WO
9906913 Feb 1999 WO
9910858 Mar 1999 WO
9939373 Aug 1999 WO
9964967 Dec 1999 WO
0004422 Jan 2000 WO
0004458 Jan 2000 WO
WO 0004422 Jan 2000 WO
WO 0004458 Jan 2000 WO
WO 2004079930 Sep 2004 WO
WO 2006055494 May 2006 WO
WO 2007040858 Apr 2007 WO
WO 2009158680 Dec 2009 WO
Non-Patent Literature Citations (64)
Entry
International Search Report and Opinion, PCT/US2012/022996, dated May 30, 2012.
Crescendo Networks, “Application Layer Processing (ALP),” 2003-2009, pp. 168-186, Chapter 9, CN-5000E/5500E, Foxit Software Company.
F5 Networks, Inc., “BIG-IP Controller with Exclusive OneConnect Content Switching Feature Provides a Breakthrough System for Maximizing Server and Network Performance,” Press Release, May 8, 2001, 2 pages, Las Vegas, Nevada.
Abad, C., et al., “An Analysis on the Schemes for Detecting and Preventing ARP Cache Poisoning Attacks”, IEEE, Computer Society, 27th International Conference on Distributed Computing Systems Workshops (ICDCSW'07), 2007, pp. 1-8.
OWASP, “Testing for Cross site scripting”, OWASP Testing Guide v2, Table of Contents, Feb. 24, 2011, pp. 1-5, (www.owasp.org/index.php/Testing_for_Cross_site_scripting).
International Search Report for International Patent Application No. PCT/US2013/026615 (dated Jul. 4, 2013).
U.S. Appl. No. 13/164,672 to Nat Thirasuttakorn, filed Jun. 20, 2011.
U.S. Appl. No. 13/234,042 to Baumann et al., filed Sep. 15, 2011.
U.S. Appl. No. 13/234,047 to Wojcik et al., filed Sep. 15, 2011.
U.S. Appl. No. 12/822,146 to Jeff Costlow, filed Jun. 23, 2010.
U.S. Appl. No. 13/235,276 to Hawthorne et al., filed Sep. 16, 2011.
U.S. Appl. No. 13/234,031 to Baumann et al., filed Sep. 15, 2011.
U.S. Appl. No. 13/400,398 to Jiang et al., filed Feb. 20, 2012.
International Search Report and the Written Opinion, for International Patent Application No. PCT/US2011/058469, dated Mar. 10, 2015.
“A Process for Selective Routing of Servlet Content to Transcoding Modules,” Research Disclosure 422124, Jun. 1999, pp. 889-890, IBM Corporation.
“Chapter 15, Memory Mapping and DMA,” Memory Management in Linux, ch15.13676, accessed on Jan. 25, 2005, pp. 412-463.
“Plan 9 kernel history: overview/file list/diff list,” http://switch.com/cgi-bin/plan9history.cgi?f=2001/0126/pc/etherga620.com, accessed Oct. 22, 2007, pp. 1-16.
“Servlet/Applet/HTML Authentication Process With Single Sign-On,” Research Disclosure 429128, Jan. 2000, pp. 163-164, IBM Corporation.
“Traffic Surges; Surge Queue; Netscaler Defense,” 2005, PowerPoint Presentation, slides 1-12, Citrix Systems, Inc.
Abad, C., et al., “An Analysis on the Schemes for Detecting and Preventing ARP Cache Poisoning Attacks”, IEEE, Computer Society, 27th International Conference on Distributed Computing Systems Workshops (ICDCSW'07), 2007, pp. 1-8.
Alteon Websystems Inc., “Gigabit Ethernet/PCI Network Interface Card; Host/NIC Software Interface Definition,” Jul. 1999, pp. 1-80, Revision Dec. 4, 2013, P/N 020001, San Jose, California.
Bell Laboratories Lucent Technologies, “Layer 4/7 Switching and Other Custom IP Traffic Processing using the NEPPI API,” Bell Laboratories, Lucent Technologies, pp. 1-11, Murray Hill, NJ.
Cavium Networks, “Cavium Networks Product Selector Guide—Single & Multi-Core MIPS Processors, Security Processors and Accelerator Boards,” 2008, pp. 1-44, Mountain View, CA, US.
Cavium Networks, “NITROX™ XL Security Acceleration Modules PCI 3V or 3V/5V-Universal Boards for SSL and IPSec,” at http://www.Caviumnetworks.com, 2002, p. 1, Mountain View, CA USA.
Cavium Networks, “PCI, PCI-X” at (http://www.cavium.com/acceleration_boards_PCI_PCI-X.htm (Downloaded Oct. 2008), Cavium Networks—Products>Acceleration Boards>PCI,PCI-X).
Chong et al, “Two-Factor Face Authentication: Topographic Independent Component Analysis (TICA) and Multispace Random Projection (MRP)”, International Conference of Soft Computing and Pattern Recognition, 2009, http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=5368670.
Comtech AHA Corporation, “Comtech Aha Announces 3.0 Gbps GZIP Compression/Decompression Accelerator AHA362-PCIX offers high-speed GZIP compression and decompression,” www.aha.com, Apr. 20, 2005, pp. 1-2, Moscow, ID, USA.
Comtech AHA Corporation, “Comtech AHA Announces GZIP Compression/Decompression IC offers the highest-speed and compression ration performance in hardware on the market,” www.aha.com, Jun. 26, 2007, pp. 1-2, Moscow, ID, USA.
Crescendo Networks, “Application Layer Processing (ALP)”, 2003-2009, pp. 168-186, Chapter 9, CN-5000E/5500E, Foxit Software Company.
EventHelix, “DMA and Interrupt Handling,” http://eventhelix.com/RealtimeMantra/FaultHandling/dma_interrupt_handling.htm, Jan. 29, 2010, pp. 1-4, EventHelix.com.
EventHelix, “TCP—Transmission Control Protocol (TCP Fast Retransmit and Recovery),” Mar. 28, 2002, pp. 105, EventHelix.com.
F5 Networks Inc., “BIG-IP® Access Policy Manager® Application Access Guide,” Aug. 17, 2011, pp. 1-24, Version 11.0, F5 Networks, Inc.
F5 Networks Inc., “BIG-IP® Access Policy Manager® Network Access Configuration Guide,” Nov. 15, 2011, pp. 1-58, Version 11.1, F5 Networks, Inc.
F5 Networks Inc., “BIG-IP® Access Policy Manager® Portal Access Guide,” Nov. 15, 2011, pp. 1-38, Version 11.1, F5 Networks, Inc.
F5 Networks Inc., “BIG-IP® Access Policy Manager® Single Sign-On Configuration Guide,” Nov. 15, 2011, pp. 1-38, Version 11.1, F5 Networks, Inc.
F5 Networks Inc., “BIG-IP® Access Policy Manager®, Authentication Configuration Guide,” Nov. 15, 2011, pp. 1-68, Version 11.1, F5 Networks, Inc.
F5 Networks Inc., “Configuration Guide for BIG-IP® Access Policy Manager®”, Oct. 14, 2013, pp. 1-436, Version 11.1, F5 Networks, Inc.
F5 Networks Inc., “Configuration Guide for Local Traffic Management,” F5 Networks Inc., Jan. 2006, version 9.2.2, 406 pgs.
F5 Networks, Inc., “BIP-IP Controller with Exclusive OneConnect Content Switching Feature Provides a Breakthrough System for Maximizing Server and Network Performance,” Press Release, May 8, 2001, 2 ages, Las Vegas, Nevada.
F5 Networks, Inc., “SOL11199: Creating a High Availability LDAP Authentication Configuration,” pp. 1-3, retrieved from http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11199.print.html on Feb. 27, 2014.
Fielding et al., “Hypertext Transfer Protocol—HTTP/1.1,” Network Working Group, RFC: 2068, Jan. 1997, pp. 1-162.
Fielding et al., “Hypertext Transfer Protocol—HTTP/1.1,” Network Working Group, RFC: 2616, Jun. 1999, pp. 1-176.
Floyd et al., “Random Early Detection Gateways for Congestion Avoidance,” Aug. 1993, pp. 1-22, IEEE/ACM Transactions on Networking, California.
Harvey et al., “DMA Fundamentals on Various PC Platforms,” Application Note 011, Apr. 1991, pp. 1-20, National Instruments Corporation.
Hazelwood et al., “Improved Grid Security Posture through Multi-factor Authentication”, 12th IEEE/ACM International Conference on Grid Computing (GRID), 2011, http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6076505.
Hochmuth, Phil, “F5, CacheFlow pump up content-delivery lines,” Network World Fusion, May 4, 2001, 1 page, Las Vegas, Nevada.
International Search Report and Written Opinion, for PCT/US2011/058469 (dated May 30, 2012) 10 pages.
International Search Report and Written Opinion for PCT/US2012/022996 (dated May 30, 2012) 12 pages.
International Search Report and Written Opinion for PCT/US2013/026615 (dated Jul. 4, 2013) 10 pages.
Macvittie, Lori, “Message-Based Load Balancing,” Technical Brief, Jan. 2010, pp. 1-9, F5 Networks, Inc.
Mangino, John, “Using DMA with High Performance Peripherals to Maximize System Performance,” WW TMS470 Catalog Applications, SPNA105 Jan. 2007, pp. 1-23.
Mogul, Jeffrey C., “The Case for Persistent-Connection HTTP,” SIGCOMM '95, Digital Equipment Corporation Western Research Laboratory, 1995, pp. 1-15, Cambridge, Maine.
Mohammed et al., “A Multi-Level of Multi Factors Authentication Model for Online Banking Services,” 2013 International Conference on Computing, Electrical and Electronics Engineering (ICCEEE), http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=56633936.
Owasp, “Testing for Cross Site Scripting”, Owasp Testing Guide v2, Table of Contents, Feb. 24, 2011, pp. 1-5, (www.owasp.org/index.php/Testing_for_Cross_site)scripting).
Rabinovich et al., “DHTTP: An Efficient and Cache-Friendly Transfer Protocol for the Web,” IEEE/ACM Transactions on Networking, Dec. 2004, pp. 107-1020, vol. 12, No. 6.
Salchow, Jr., KJ, “Clustered Multiprocessing: Changing the Rules of the Performance Game,” F5 White Paper, Jan. 2008, pp. 1-11, F5 Networks, Inc.
Stevens, W., “TCP Slow Start, Congestion Avoidance, Fast Retransmit, and Fast Recovery Algorithms,” Network Working Group, RFC 2001, Jan. 1997, pp. 1-6.
Traore et al., “Combining Mouse and Keystroke Dynamics Biometrics for Risk-Based/Authentication in Web Environments”, 2012 Fourth International Conference on Digital Home (ICDH), http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6376399.
Wadge, Wallace, “Achieving Gigabit Performance on Programmable Ethernet Network Interface Cards,” May 29, 2001, pp. 1-9.
Welch, Von, “A User's Guide to TCP Windows,” http://www.vonwelch.com/reports/tcp_windows, updated 1996, last accessed Jan. 29, 2010, pp. 1-5.
Wikipedia, “Direct memory access,” http://en.wikipedia.org/wiki/Direct_memory_access, accessed Jan. 29, 2010, pp. 1-6.
Wikipedia, “Nagle's algorithm,” http://en.wikipedia.org/wiki/Nagle%27s_algorithm>, 2 pages.
Bell Laboratories, “Layer 4/7 Switching and Other Custom IP Traffic Processing Using the NEPPI API,” Bell Laboratones, Lucent Technologies, Murray Hill, NJ 07974 USA, pp. 1-11 (2000).
Wikipedia, “Nagle's algorithm,” https://en.wikipedia.org/wiki/Nagle%27s_algoiithm 2 Pages. Dec. 14, 2014.
Related Publications (1)
Number Date Country
20120198512 A1 Aug 2012 US
Provisional Applications (1)
Number Date Country
61437063 Jan 2011 US