Cisco
Program Manager
F5 Inc. Aug 2007 - 2009
Director, Product Development
Cisco Nov 1995 - Aug 2007
Senior Manager, Software Development
Bay Networks 1991 - 1995
Group Leader
Skills:
Program Management, VoIP, Cloud Computing, Security, Unified Communications, Cisco Technologies, Software Development, TCP/IP, Strategy, Routing, Network Architecture, QoS, Testing, Cisco IOS, IP, Team Leadership, Management, Data Center, Ethernet, Network Design, Internet Protocol Suite, SIP, Wireless, SNMP, Telepresence, MPLS, Cisco Systems Products, Session Initiation Protocol
US Patents
Local Authentication Of A Client At A Network Device
Serene H. Fan - Palo Alto, CA; Diheng Qu - Santa Clara, CA
Assignee:
Cisco Technology, Inc. - San Jose CA
International Classification:
G06F 15/173
US Classification:
709/225, 709/229, 709/232, 713/201
Abstract:
A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally.
Local Authentication Of A Client At A Network Device
Serene H. Fan - Palo Alto, CA; Diheng Qu - Santa Clara, CA
Assignee:
Cisco Technology, Inc. - San Jose CA
International Classification:
G06F 15/173
US Classification:
709/225
Abstract:
A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally.
Local Authentication Of A Client At A Network Device
Serene H. Fan - Palo Alto, CA, US; Diheng Qu - Santa Clara, CA, US
Assignee:
Cisco Technology, Inc. - San Jose CA
International Classification:
G06F 15/173
US Classification:
709/225
Abstract:
A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally.
Serene Fan - Palo Alto, CA; Steve Truong - Saratoga, CA
Assignee:
Cisco Technology, Inc. - San Jose CA
International Classification:
G06F 15/173
US Classification:
709/225
Abstract:
An access control system (a firewall) controls traffic to and from a local network. The system is implemented on a dedicated network device such as a router positioned between a local network and an external network, usually the Internet, or between one or more local networks. In this procedure, access control items are dynamically generated and removed based upon the context of an application conversation. Specifically, the system dynamically allocates channels through the firewall based upon its knowledge of the type of applications and protocol (context) employed in the conversation involving a node on the local network. Further, the system may selectively examine packet payloads to determine when new channels are about to be opened. In one example, the firewall employs different rules for handling SMTP sessions (e-mail using a single channel having a well-known port number), FTP sessions (file transfer using a single control channel having a well-known port number and using one or more data channels having arbitrary port numbers), and H.323 sessions (video conferencing using multiple control channels and multiple data channels, which use arbitrary port numbers).
Method And Apparatus For Generating A Display Based On Logical Groupings Of Network Entities
Jeffrey A. Chin - Belmont, CA; Frank S. Lee - Santa Clara, CA; Leon Y. K. Leong - Palo Alto, CA; Serene H. Fan - San Jose, CA
Assignee:
Bay Networks, Inc. - Santa Clara CA
International Classification:
H04L 12/24
US Classification:
395/200.54
Abstract:
A method and apparatus are provided for grouping the network entities that belong to a network system into logical groups, and generating a display of the network based on the logical groups. In the highest level display, a single visual indicator, such as an icon, is used to represent each logical group. Thus, a display of the entire network system need only contain as many visual indicators as there are logical groups. Typically, the number of logical groups will be significantly less than the number of actual network resources. Consequently, entire large network systems may be displayed without crowding the display screen with small, difficult-to-read icons. The logical groups are formed based on the type of connections that exist between the various logical entities in the network. Site groups are formed by combining all local area network connections that connect common network entities. Region groups are formed by combining all wide area network connections that connect common network entities.