Application network appliance with built-in virtual directory interface

A network appliance and virtual directory technology, applied in the field of application network appliances, that addresses the following problems: increased requirements for data security, enterprises no longer enjoying the same level of trust and control over their intranets, and unsustainable hardened perimeter strategies.

Inactive Publication Date: 2009-03-05
CISCO TECH INC

AI Technical Summary

Benefits of technology

[0013] An application network appliance with a built-in virtual directory interface is described herein. According to one embodiment, a network element includes a virtual directory interface (VDI) coupled to a plurality of directory servers, and an authentication and authorization unit coupled to the VDI. In response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit is configured t

Problems solved by technology

However, communication via the Internet, which typically uses TCP/IP (Transmission Control Protocol/Internet Protocol), also increases the requirements for data security.
However, in today's business environment, enterprises no longer enjoy the same level of trust and control of their intranets, as enterprises increasingly rely on contractors, partners, consultants, vendors, and visitors on-site for daily operation.
As a result, enterprises are exposing internal resources to this wide set of clients whose roles are also frequently changing.
Enterprises are coming to terms with the fact that a hardened perimeter strategy is unsustainable.
Traditional firewall or router access control lists cannot protect application resources from unauthorized access because network parameters such as Internet Protocol (IP) addresses and IP port numbers no longer deterministically identify resources, nor identify users, clients, or applications accessing these resources.
However, with the proliferation of mobile devices and tunneled applications, the network layer parameters are no longer useful to identify the client, the resource accessed, and the operation.
Traditional server-centric authorization solutions providing role-based authorization often require custom code de


Examples


Embodiment Construction

[0032] In the following description, numerous details are set forth to provide a more thorough explanation of embodiments of the present invention. It will be apparent, however, to one skilled in the art, that embodiments of the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring embodiments of the present invention.

[0033] Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase “in one embodiment” in various places in the specification do not necessarily all refer to the same embodiment.

[0034] One aspect of the invention is to perform Triangulated Authorization as a means for network-centric, application-agnostic authorization and a...


Abstract

An application network appliance with a built-in virtual directory interface is described herein. According to one embodiment, a network element includes a virtual directory interface (VDI) coupled to multiple directory servers, and an authentication and authorization unit coupled to the VDI. In response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit obtains user attributes from the directory servers via the VDI and performs authentication and authorization using the user attributes to determine whether a user of the client is eligible to access the server of the datacenter, where the network element operates as a security gateway to the datacenter. Other methods and apparatuses are also described.
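The flow in the abstract, sketched as an added example (not code from the patent or its owner): a gateway asks a virtual directory interface for a user's attributes, which it gathers from several directory servers, and then decides whether the user may reach a datacenter server. The class names, the policy table, the sample users and the choice to deny when any directory is unreachable are assumptions of this example.

```python
from dataclasses import dataclass

class DirectoryUnavailable(Exception):
    """Raised by a backend that cannot be reached (constructed failure mode)."""

@dataclass
class DirectoryServer:
    # Stand-in for one backend directory server; entries are constructed data.
    name: str
    entries: dict
    up: bool = True

    def lookup(self, user):
        if not self.up:
            raise DirectoryUnavailable(self.name)
        return self.entries.get(user)

class VirtualDirectoryInterface:
    """Presents several directory servers as a single attribute source."""
    def __init__(self, servers):
        self.servers = servers

    def get_attributes(self, user):
        merged, found = {}, False
        for srv in self.servers:            # earlier servers win on conflicts
            attrs = srv.lookup(user)        # may raise DirectoryUnavailable
            if attrs:
                found = True
                for key, value in attrs.items():
                    merged.setdefault(key, value)
        return merged if found else None

# Hypothetical policy: datacenter server -> attributes the user must hold.
POLICY = {"payroll-db": {"department": "finance", "status": "active"}}

def authorize(vdi, user, server):
    """Gateway decision for one transaction; any uncertainty means deny."""
    required = POLICY.get(server)
    if required is None:
        return False, "no policy for server"
    try:
        attrs = vdi.get_attributes(user)
    except DirectoryUnavailable as exc:     # partial attributes are not trusted
        return False, f"directory {exc} unreachable"
    if attrs is None:
        return False, "unknown user"
    missing = [k for k, v in required.items() if attrs.get(k) != v]
    return (not missing), ("ok" if not missing else f"attribute mismatch: {missing}")

# Constructed sample directories: one holds departments, the other account status.
HR = DirectoryServer("hr", {"alice": {"department": "finance"}, "bob": {"department": "sales"}})
IDM = DirectoryServer("idm", {"alice": {"status": "active"}, "bob": {"status": "active"}})
VDI = VirtualDirectoryInterface([HR, IDM])
```

Neither sample directory alone holds both attributes the policy requires, so the decision depends on the merged view the VDI returns.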

Description

RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Patent Application No. 60/966,649, filed Aug. 28, 2007, which is incorporated by reference herein in its entirety.

FIELD OF THE INVENTION

[0002] The present invention relates generally to application network appliances. More particularly, this invention relates to application network appliances with built-in virtual directory interface.

BACKGROUND

[0003] The ability to connect information technology infrastructure reliably, cost-effectively and securely is of high importance for today's global enterprises. To communicate with customers, clients, business partners, employees, etc., the Internet has proven to be more appropriate compared to private communication networks. However, communication via the Internet, which typically uses TCP/IP (Transmission Control Protocol/Internet Protocol), also increases the requirements for data security. Network firewalls are one of the many examples of solutions for network...


Application Information

IPC(8): H04L9/32, H04L47/20
CPC: H04L63/166, H04L63/0428, H04L69/161, H04L69/16, H04L69/321, Y10T70/5827, H04L47/20, H04L9/3242, H04L63/02, H04L63/205
Inventors: BAGEPALLI, NAGARAJ; GANDHI, PRASHANT; PATRA, ABHIJIT; PRABHU, KIRTI; THAKAR, ANANT
Owner: CISCO TECH INC