U.S. patent application number 14/923264 was filed with the patent office on 2015-10-26 and published on 2016-10-06 as publication number 20160294623 for a dynamically configured client access control network.
The applicant listed for this patent is Aunigma. Invention is credited to Karl E. Elliott, Kenneth W. Garrard, Peter Gratzer, Andy Huang.
Application Number: 20160294623 (Appl. No. 14/923264)
Family ID: 57017582
Filed Date: 2015-10-26
Publication Date: 2016-10-06
United States Patent Application 20160294623, Kind Code A1
Elliott; Karl E.; et al.
October 6, 2016
DYNAMICALLY CONFIGURED CLIENT ACCESS CONTROL NETWORK
Abstract
A dynamically configured access control network is disclosed.
Any given node on such a network can function as a client, a
controller, an agent, an access control component, a server, and/or
any other component to enable the network. That is, the given node
can be configured to function as a first combination of the
above-mentioned components at a first point of time to enable the
network and can function as a second combination of the
above-mentioned components at a second point of time to enable the
network. In some examples, the configuration of the given node can
be determined based one or more predetermined rules. In some
examples, the configuration of the given node can be determined by
an administrator via a monitoring system included in or coupled to
the network.
Inventors: Elliott; Karl E.; (Copeville, TX); Garrard; Kenneth W.; (Atlanta, GA); Huang; Andy; (Richmond, CA); Gratzer; Peter; (Broomfield, CO)
Applicant: Aunigma, Atlanta, GA, US
Family ID: 57017582
Appl. No.: 14/923264
Filed: October 26, 2015
Related U.S. Patent Documents
Application Number: 62142457, Filing Date: Apr 2, 2015
Current U.S. Class: 1/1
Current CPC Class: H04L 69/16 20130101; H04L 41/046 20130101; H04L 67/141 20130101; H04L 41/22 20130101; H04L 63/105 20130101; H04L 41/0813 20130101; H04L 61/6063 20130101; H04L 63/02 20130101; H04L 41/0823 20130101; H04L 12/2809 20130101
International Class: H04L 12/24 20060101 H04L012/24
Claims
1. A system configured to enable a client access control network,
the system comprising: one or more physical processors configured
by machine-readable instructions to: facilitate configuration of
one or more computing platforms to enable the client access control
network such that configuration of a first computing platform as a
controller, an agent, an access control component, and/or a server
in the client access control network is facilitated, wherein when
configured as a controller in the client access control network,
the first computing platform is adapted to authenticate one or more
client devices operatively connected to the first computing
platform and to instruct one or more agents to administer access by
the one or more client devices to one or more servers in the client
access control network, when configured as an agent in the client
access control network, the first computing platform is adapted to
generate instructions for one or more access control components in
the client access control network to administer access by client
devices to one or more servers controlled by the access control
components in response to the instructions received from one or
more controllers operatively connected to the first computing
platform, when configured as an access control component in the
client access control network, the first computing platform is
adapted to grant or remove access by one or more client devices to
one or more servers controlled by the access control component in
response to instructions received from one or more agents
operatively connected to the first computing platform, and when
configured as a server in the client access control network, the
first computing platform is adapted to provide one or more data
services for access by one or more client devices operatively
connected to the first computing platform; and determine
information for presenting, on a terminal display, a graphical
representation of the client access control network, the graphical
representation illustrating one or more connections between
controllers and agents in the client access control network, one or
more connections between agents and access control components in
the client access control network, one or more connections between
access control components and servers in the client access control
network, and/or one or more connections between agents and servers
in the client access control network.
2. The system of claim 1, wherein facilitating configuring one or
more computing platforms to enable the client access control
network includes facilitating configuration of a second computing
platform as a controller, an agent, an access control component,
and/or a server in the client access control network.
3. The system of claim 1, wherein the configuration of the first
computing platform as a controller, an agent, an access control
component, and/or a server in the client access control network is
based on one or more predetermined rules.
4. The system of claim 3, wherein the rules include a rule
specifying that the first client computing platform is available
for access only by one or more specific client devices when the
first computing platform is configured as a controller.
5. The system of claim 3, wherein the rules include a rule
specifying that the first client computing platform can administer
access to one or more specific servers when the first computing
platform is configured as an agent.
6. The system of claim 3, wherein the rules include a rule
specifying that the first client computing platform provides data
services to one or more specific client devices when the first
computing platform is configured as a server.
7. The system of claim 1, wherein the graphical representation of
the client access control network reflects a state of the client
access control network at a given time.
8. The system of claim 1, wherein the configuration of the one or
more computing platforms to enable the client access control
network is facilitated through a graphical user interface in which
the graphical representation of the client access control network
is presented.
9. The system of claim 1, wherein facilitating the configuration of
the one or more computing platforms to enable the client access
control network includes generating information for implementing a
graphical user interface on the terminal display such that the
graphical user interface includes actionable objects representing
the one or more computing platforms, wherein upon user interaction
with the individual actionable objects in the graphical user
interface, the configuration of the one or more computing platforms
is facilitated.
10. A method for enabling a client access control network, the
method comprising: facilitating configuration of one or more
computing platforms to enable the client access control network
such that configuration of a first computing platform as a
controller, an agent, an access control component, and/or a server
in the client access control network is facilitated, wherein when
configured as a controller in the client access control network,
the first computing platform is adapted to authenticate one or more
client devices operatively connected to the first computing
platform and to instruct one or more agents to administer access by
the one or more client devices to one or more servers in the client
access control network, when configured as an agent in the client
access control network, the first computing platform is adapted to
generate instructions for one or more access control components in
the client access control network to administer access by client
devices to one or more servers controlled by the access control
components in response to the instructions received from one or
more controllers operatively connected to the first computing
platform, when configured as an access control component in the
client access control network, the first computing platform is
adapted to grant or remove access by one or more client devices to
one or more servers controlled by the access control component in
response to instructions received from one or more agents
operatively connected to the first computing platform, and when
configured as a server in the client access control network, the
first computing platform is adapted to provide one or more data
services for access by one or more client devices operatively
connected to the first computing platform; and determining
information for presenting, on a terminal display, a graphical
representation of the client access control network, the graphical
representation illustrating one or more connections between
controllers and agents in the client access control network, one or
more connections between agents and access control components in
the client access control network, one or more connections between
access control components and servers in the client access control
network, and/or one or more connections between agents and servers
in the client access control network.
11. The method of claim 10, wherein facilitating configuring one or
more computing platforms to enable the client access control
network includes facilitating configuration of a second computing
platform as a controller, an agent, an access control component,
and/or a server in the client access control network.
12. The method of claim 10, wherein the configuration of the first
computing platform as a controller, an agent, an access control
component, and/or a server in the client access control network is
based on one or more predetermined rules.
13. The method of claim 12, wherein the rules include a rule
specifying that the first client computing platform is available
for access only by one or more specific client devices when the
first computing platform is configured as a controller.
14. The method of claim 13, wherein the rules include a rule
specifying that the first client computing platform can administer
access to one or more specific servers when the first computing
platform is configured as an agent.
15. The method of claim 13, wherein the rules include a rule
specifying that the first client computing platform provides data
services to one or more specific client devices when the first
computing platform is configured as a server.
16. The method of claim 10, wherein the graphical representation of
the client access control network reflects a state of the client
access control network at a given time.
17. The method of claim 10, wherein the configuration of the one or
more computing platforms to enable the client access control
network is facilitated through a graphical user interface in which
the graphical representation of the client access control network
is presented.
18. The method of claim 10, wherein facilitating the configuration
of the one or more computing platforms to enable the client access
control network includes generating information for implementing a
graphical user interface on the terminal display such that the
graphical user interface includes actionable objects representing
the one or more computing platforms, wherein upon user interaction
with the individual actionable objects in the graphical user
interface, the configuration of the one or more computing platforms
is facilitated.
Description
RELATED APPLICATION
[0001] This application relates to U.S. application Ser. No.
62/142,457, entitled "Real Time Dynamic Client Access Control",
filed Apr. 2, 2015, which is incorporated by reference herein in
its entirety.
FIELD OF THE INVENTION
[0002] The invention generally relates to dynamic configuration of
a client access control network, which, in particular, may comprise
one or more controller, agent, access control and/or server
components.
BACKGROUND OF THE INVENTION
[0003] Client-server architecture (client/server) is a network
architecture in which a device or process on the network is either
a client or a server. In the client-server architecture, a server
provides one or more services, which may be defined by the
provider(s), to a client device. For example, an appliance with
network capability, such as a smart refrigerator, may provide
various services to a client device, such as a smartphone. For
instance, the smart refrigerator may allow the smartphone to
remotely read and/or control the temperature of the smart
refrigerator via a wireless network. In that context, the smart
refrigerator is a server. As another example, a networked computer
may provide a data service to a client device such that the client
device may send and/or receive data to and/or from a data store,
such as file storage, coupled to the networked computer. In that
context, the networked computer is a server. To allow a user to
use the services provided by the server in the client-server
architecture, the client device typically provides an interface to
allow the user to request the services provided by the server and to
display the results the server returns. The server typically waits
for requests to arrive from a client device and then responds to
them.
[0004] A peer to peer (P2P) network is a network architecture in
which a node on the network may simultaneously function as both a
"client" and a "server" to the other nodes (peers). A P2P network
typically does not impose a particular structure as to what roles
each individual node should serve at any given point of time, but
rather is formed by nodes that randomly (from a topology point of
view) establish connections to each other. For example, a client
computer may initially join the P2P network as a client node to
receive P2P services from other server nodes in the P2P network and
later may become a server node that provides P2P services to other
client nodes.
SUMMARY OF THE INVENTION
[0005] In accordance with one aspect of the disclosure, a system and
method for facilitating configuration of a dynamic client access
control network are disclosed. In U.S. patent application Ser. No.
62/142,457, entitled "Real Time Dynamic Client Access Control", a
client access control network comprising one or more client
devices, controllers, agents, access control components and servers
is disclosed. The present disclosure describes mechanisms and
exemplary implementations for dynamically configuring the client
access control network disclosed in U.S. patent application Ser.
No. 62/142,457, entitled "Real Time Dynamic Client Access Control".
In a client access control network in accordance with the present
disclosure, a given client computing platform (node) may be
configured to function as a client, a controller, an agent, an
access control component, and/or a server. That is, the given node
may be configured to serve as a combination of the above-mentioned
elements on the client access control network in accordance with
the present disclosure at any given point of time. In some
implementations, the configuration of the given node may be
facilitated by an administration/monitoring system included in or
operatively coupled to the client access control network. In some
implementations, the configuration of the given node may be
dynamically and automatically facilitated in accordance with one or
more predetermined rules. In some implementations, the
configuration of the given node may be performed by a user.
[0006] In accordance with another aspect of the disclosure, a
dynamically configured client access control network is disclosed,
which may comprise one or more client devices, one or more
controllers, one or more agents, one or more access control
components, and/or one or more servers. A given controller in such
a network may be adapted to connect to one or more client devices
and one or more agents. For example, the given controller may be
configured to connect to a first client device and a first agent;
to authenticate the first client device upon a request to access a
first service provided by a first server being received by the
first controller; and to generate an instruction to the first agent
to facilitate the access as requested by the first client device.
In that example, the first service may be provided by a first
server whose secured access is controlled by the first agent
directly or via a first access control component. As another
example, the given controller may be configured to connect to the
first client device and a second agent; to authenticate the first
client device upon a request to access a second service provided by
a second server being received by the first controller; and to
generate an instruction to the second agent to facilitate the
access as requested by the first client device. In those
implementations, the second service may be provided by the second
server whose secured access is controlled by the second agent
directly or via a second access control component. Still as another
example, the given controller may be configured to connect to a
second client device and the first agent; to authenticate the
second client device upon a request to access the first service
being received by the first controller; and to generate an
instruction to the first agent to facilitate the access as
requested by the second client device.
[0007] A given agent in such a network may be adapted to connect to
one or more controllers, one or more access control components
and/or one or more servers. The given agent may be configured such
that it is capable of dynamically configuring the access control
components or the servers to administer client access to the
servers. For example, the given agent may be configured to connect
to a first controller and a first access control component
associated with the first server; to receive an instruction from
the first controller to administer access to the first server by
the first client device; and to configure the first access control
component accordingly upon the instruction from the first
controller being received by the first agent. As another example,
the given agent may be configured to connect to the first controller
and a second access control component associated with the second
server; to receive an instruction from the first controller to
administer access to the second server by the first client device;
and to configure the second access control component accordingly
upon the instruction from the first controller being received by
the first agent. Still as another example, the given agent may be
configured to connect to a second controller and the first access
control component associated with the first server; to receive an
instruction from the second controller to administer access to the
first server by the second client device; and to configure the
first access control component accordingly upon the instruction
from the second controller being received by the first agent.
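The controller, agent, access control component and server chain that the two preceding paragraphs describe, as an added example that is not part of the application or the applicant's code. The class and method names, the client name `phone`, the credential store (a SHA-256 digest of a per-client secret) and the service name `files` are assumptions made for this example; the application does not say how a controller authenticates a client or what carries the instructions between components, so plain method calls stand in for both.

```python
"""Added example (not the application's own code): a minimal model of the
controller -> agent -> access control component -> server chain. All names,
credentials and service labels are constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class AccessControlComponent:
    """Gate in front of one or more servers; acts only on trusted agents."""
    name: str
    trusted_agents: set
    allowed: dict = field(default_factory=dict)  # server -> set of client names

    def apply(self, agent_name: str, command: str, client: str, server: str) -> bool:
        # Commands from an agent this component is not connected to are dropped.
        if agent_name not in self.trusted_agents:
            return False
        clients = self.allowed.setdefault(server, set())
        if command == "grant":
            clients.add(client)
        elif command == "remove":
            clients.discard(client)
        else:
            return False
        return True

    def is_allowed(self, client: str, server: str) -> bool:
        return client in self.allowed.get(server, set())


@dataclass
class Server:
    name: str
    gate: AccessControlComponent

    def serve(self, client: str) -> str:
        # The server never decides access itself; it asks its component on every call.
        if not self.gate.is_allowed(client, self.name):
            return "denied"
        return f"{self.name}: data for {client}"


@dataclass
class Agent:
    name: str
    trusted_controllers: set
    components: dict  # server name -> AccessControlComponent fronting it

    def administer(self, controller_name: str, action: str, client: str, server: str) -> bool:
        # Turn a controller instruction into a command for the right component.
        if controller_name not in self.trusted_controllers:
            return False
        acc = self.components.get(server)
        return acc is not None and acc.apply(self.name, action, client, server)


@dataclass
class Controller:
    name: str
    credentials: dict  # client -> sha256(secret); constructed for the example
    agents: dict       # server name -> Agent administering that server

    def authenticate(self, client: str, secret: str) -> bool:
        expected = self.credentials.get(client)
        # Constant-time comparison so a wrong secret is not distinguishable by timing.
        return expected is not None and hmac.compare_digest(expected, _digest(secret))

    def request_access(self, client: str, secret: str, server: str) -> bool:
        if not self.authenticate(client, secret):
            return False
        agent = self.agents.get(server)
        return agent is not None and agent.administer(self.name, "grant", client, server)

    def revoke_access(self, client: str, server: str) -> bool:
        agent = self.agents.get(server)
        return agent is not None and agent.administer(self.name, "remove", client, server)


def build_network():
    """Wire one controller, one agent, one component and one server."""
    acc = AccessControlComponent("acc-1", trusted_agents={"agent-1"})
    server = Server("files", acc)
    agent = Agent("agent-1", trusted_controllers={"ctrl-1"}, components={"files": acc})
    ctrl = Controller("ctrl-1", credentials={"phone": _digest("s3cret")}, agents={"files": agent})
    return ctrl, agent, acc, server


def demo():
    """Walk one client through grant, service and revocation; returns each outcome."""
    ctrl, agent, acc, server = build_network()
    results = [server.serve("phone")]                                   # no grant yet
    results.append(ctrl.request_access("phone", "wrong", "files"))      # bad secret
    results.append(ctrl.request_access("phone", "s3cret", "files"))     # granted
    results.append(server.serve("phone"))                               # served
    results.append(acc.apply("rogue-agent", "grant", "laptop", "files"))  # untrusted agent
    results.append(ctrl.revoke_access("phone", "files"))                # removed
    results.append(server.serve("phone"))                               # denied again
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two checks a practitioner would expect are in the model: an agent ignores instructions from a controller it is not connected to, and a component ignores commands from an agent it does not trust, so a node that is later reconfigured into the controller or agent role cannot steer components it was never wired to. Revocation takes effect on the next request because the server consults the component every time rather than caching a decision.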
[0008] In some implementations, a given node on the access control
network in accordance with the present disclosure may be configured
to function as a client device, a controller, an agent, an access
control component and/or a server at any given point of time. For
example, at a first point of time T, the given client computing
platform may be configured to function as a client device receiving
a service from a server via an access control network in accordance
with the present disclosure. Still in that example, at a second
point of time T+1, the given client computing platform may be
configured to function as the client device and also as a
controller connected to one or more client devices and agents to
facilitate client access to one or more servers. Still in that
example, at a third point of time T+2, the given client computing
platform may be configured to function as the controller only.
Still in that example, at a fourth point of time T+3, the given
client computing platform may be configured to function as the
controller and as an access control component connected to one or
more servers, and so on.
[0009] In some implementations, the configuration of a given node
on a client access control network in accordance with the present
disclosure may be facilitated by an administration/monitoring
system, which may comprise one or more monitoring displays, one or
more administration servers, user database, data storage, policy
servers, and/or any other elements. In those implementations, an
interface may be implemented and provided to a user (e.g., an
administrator of an access control network in accordance with the
present disclosure) on a given monitoring system (e.g., a client
computer) for configuring the client computing platform. The
interface may enable the user to configure the client computing
platform as a client device, a controller, an agent, an access
control component, and/or a server.
[0010] In some implementations, a given administration server
included in the administration system may be configured to manage
an access matrix indicating a state of connections among particular
client devices, controllers, agents, access control components,
and/or servers on an access control network in accordance with the
present disclosure. In those implementations, such an access matrix
may be displayed to the user (e.g., an administrator of the access
control network) to provide a snapshot or a dynamic view of a state
(e.g., topology) of the access control network in real time. This
may enable the user to determine the desired configuration of one or
more client computing platforms (nodes) on the access control
network.
[0011] In some implementations, a given rule server included in the
administration system may be configured to manage a set of one or
more predetermined rules that specify certain requirements of the
configuration of the access control network. For example, the rules
may specify that a first set of one or more particular client
computing platforms may never be configured to function as a
controller; may specify that a second set of one or more particular
client computing platforms may only be configured to function as a
controller and/or a client device; may specify that a third set of
one or more particular client computing platforms may be configured
to function as access control components that control client
access for a particular server; and/or any other policies. In some
examples, such policies may be employed to facilitate workload
management or network expansion such that one or more client
devices may be additionally configured to function as controllers,
agents, access control components, and/or servers. In some
examples, such policies may be enforced to facilitate consistency
and/or predetermined network characteristics as desired by the
provider, administrator, and/or any other entities related to the
access control network.
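The rule check that paragraph [0011] assigns to a rule server, as an added example that is not part of the application. The node labels 102a to 102f and their roles at time T and T+1 are taken from the FIG. 1A and FIG. 1B descriptions later on the page; the three rule types mirror the three example rules above, but the particular rule set, the `guarded_by` map of which node's access control component fronts which server, and all function names are assumptions made for this example.

```python
"""Added example (not the application's code): validate a proposed node
configuration against predetermined rules of the kind listed in [0011].
Node labels follow FIGS. 1A-1B; the rule set, the guarded_by map and the
function names are assumptions made for this example."""
from dataclasses import dataclass

ROLES = frozenset({"client", "controller", "agent", "acc", "server"})


@dataclass(frozen=True)
class NeverRole:
    """The listed nodes may never be configured with this role."""
    nodes: frozenset
    role: str

    def check(self, config, guarded_by):
        return [f"{n} may never be configured as {self.role}"
                for n in sorted(self.nodes) if self.role in config.get(n, set())]


@dataclass(frozen=True)
class OnlyRoles:
    """The listed nodes may hold no role outside this set."""
    nodes: frozenset
    roles: frozenset

    def check(self, config, guarded_by):
        return [f"{n} may only be {sorted(self.roles)}, proposed {sorted(config[n] - self.roles)}"
                for n in sorted(self.nodes) if n in config and not config[n] <= self.roles]


@dataclass(frozen=True)
class AccForServer:
    """Only the listed nodes may provide the access control component for this server node."""
    server_node: str
    acc_nodes: frozenset

    def check(self, config, guarded_by):
        guard = guarded_by.get(self.server_node)
        if guard is None or guard in self.acc_nodes:
            return []
        return [f"{self.server_node} may only be guarded by {sorted(self.acc_nodes)}, proposed {guard}"]


def validate(config, guarded_by, rules):
    """Return every violation; an empty list means the configuration may be applied."""
    violations = []
    for rule in rules:
        violations.extend(rule.check(config, guarded_by))
    for node, roles in config.items():
        if not roles <= ROLES:
            violations.append(f"{node}: unknown roles {sorted(roles - ROLES)}")
    for server_node, guard in guarded_by.items():
        # A server may only be fronted by a node that actually holds the acc role.
        if "acc" not in config.get(guard, set()):
            violations.append(f"{server_node} guarded by {guard}, which is not an acc")
    return violations


# Roles per node at time T (FIG. 1A) and T+1 (FIG. 1B), from the figure descriptions.
CONFIG_T = {
    "102a": {"client", "controller"},
    "102b": {"client", "agent", "acc", "server"},
    "102c": {"controller"},
    "102d": {"client", "server"},
    "102e": {"agent"},
    "102f": {"acc", "server"},
}
CONFIG_T1 = {**CONFIG_T, "102a": {"client", "controller", "agent"}, "102b": {"client", "acc"}}
# server node -> node whose access control component fronts it (constructed; FIG. 1A
# does not say what fronts server 114a on node 102d, so it is absent at time T).
GUARDED_T = {"102b": "102b", "102f": "102f"}
GUARDED_T1 = {"102d": "102b", "102f": "102f"}

RULES = [
    NeverRole(frozenset({"102e", "102f"}), "controller"),
    OnlyRoles(frozenset({"102c"}), frozenset({"controller", "client"})),
    AccForServer("102d", frozenset({"102b"})),
]

# A proposal that breaks two rules: 102c picks up the agent role and 102f fronts 102d.
BAD_CONFIG = {**CONFIG_T1, "102c": {"controller", "agent"}}
BAD_GUARDED = {"102d": "102f", "102f": "102f"}

if __name__ == "__main__":
    for label, cfg, guarded in [("T", CONFIG_T, GUARDED_T), ("T+1", CONFIG_T1, GUARDED_T1),
                                ("bad", BAD_CONFIG, BAD_GUARDED)]:
        print(label, validate(cfg, guarded, RULES) or "ok")
```

Returning every violation rather than stopping at the first lets an administrator's interface show all the reasons a proposed reconfiguration is refused; the extra check that a guarding node really holds the acc role catches a topology change that the role rules alone would pass.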
[0012] Other objects and advantages of the invention will be
apparent to those skilled in the art based on the following
drawings and detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0013] FIG. 1A illustrates a configuration of the access control
network 100 at a time point T.
[0014] FIG. 1B illustrates the access control network dynamically
configured at a time point T+1.
[0015] FIG. 2 illustrates dynamic configuration of a node shown in
FIGS. 1A-B to function as a controller in accordance with the
disclosure.
[0016] FIG. 3 illustrates dynamic configuration of a node shown
in FIGS. 1A-B to function as an agent in accordance with the
disclosure.
[0017] FIG. 4 illustrates an example state of the access control
network shown in FIG. 1 at a given point of time.
[0018] FIG. 5 illustrates exemplary tables that may be used to
track components provided by nodes on the access control network at
a given time.
[0019] FIG. 6 illustrates an exemplary interface provided by a
monitoring/administration system 600 configured to manage the
access control network.
[0020] FIG. 7 illustrates an exemplary interface for configuring a
given controller provided by a node.
[0021] FIG. 8 illustrates an exemplary interface for configuring an
agent provided by a node.
[0022] FIG. 9 is a flow diagram showing an exemplary method for
facilitating a user to configure a controller in accordance with
the disclosure.
[0023] FIG. 10 is a flow diagram showing an exemplary method for
configuring a node as a client, a controller, an agent, and/or a
server in accordance with the disclosure.
DETAILED DESCRIPTION
[0024] FIGS. 1A-B illustrate one example of a dynamically
configured access control network 100 comprising several member
nodes 102 in accordance with the disclosure. FIG. 1A illustrates a
configuration of the access control network 100 at a time point T.
FIG. 1B illustrates a configuration of the access control network
100 at a time point T+1. The individual nodes shown in FIGS. 1A-B,
i.e., nodes 102a-d, may include individual client computing
platforms that are separate and independent from other nodes. A
given node 102 on the access control network 100, such as the node
102a, may include a server system comprising one or more servers
and/or data store, a desktop computer, a laptop computer, a tablet,
a smart device such as a smartphone or a smart appliance (e.g., a
smart refrigerator), a printer, a media console, and/or any other
type of client computing platform. As shown, a given node 102 may
comprise a constituent processor 104 configured to execute computer
program components.
[0025] In U.S. application Ser. No. 62/142,457, entitled "Real Time
Dynamic Client Access Control", the components facilitating the
client/server access mechanism of the access control network 100
are described in detail. As described and illustrated therein, such
components may include client 106, controller 108, agent 110,
access control component 112, and/or server 114, for example such
as those illustrated in FIGS. 1A-1B. Briefly, a client 106 on the
access control network 100 may request access to one or more
services, such as web services, file services, media services,
remote control services, and/or any other type of services; a
controller 108 on the access control network 100 may authenticate a
client 106 connected to the controller 108, receive or intercept
the service access request from the client 106, and generate and
forward an instruction to the agent 110 for the agent 110 to
administer (e.g., grant) access to the client 106 in accordance
with the service access request; the agent 110 on the access
control network 100 may generate and forward an instruction to the
access control component 112 for the access control component 112
to execute one or more access administration commands as instructed
by the controller 108; and the server 114 may contact the client
106 and initiate the provision of the services to the client 106 as
requested by the client 106.
[0026] In the present disclosure, a mechanism facilitating dynamic
configuration and formation of the access control network 100 is
disclosed. Essential to the dynamic configuration and formation of
the access control network 100 in accordance with the present
disclosure is that any given node 102 on the access control network
100 shown in FIG. 1 may be configured to function as one or more of
a client 106, a controller 108, an agent 110, an access control
component 112, and a server 114, as however desired by the
administrator, provider, moderator, user of the access control
network 100 and/or any other entities related to the access control
network 100. That is, the processor 104 included in the given node
102, for example the processor 104a included in the node 102a, may
be configured to execute computer program components including a
client 106, a controller 108, an agent 110, an access control
component 112, a server 114, and/or other components.
[0027] As can be seen in FIG. 1A, on the access control network
100, at time T, node 102a is configured to function as a client
106b and a controller 108a. As indicated by the dotted line 116a,
client 106b may be connected to the controller 108b, which is
provided by node 102c. As also can be seen, node 102c in this
example is configured to function as the controller 108b only. As
mentioned above, node 102c is, however, capable of being configured
to function as a client 106, an agent 110, an access control
component 112, and/or a server 114 as however desired by the
administrator, provider, user of the access control network 100
and/or other entities related to access control network 100. As
also indicated by the dotted line 116, the controller 108b provided
by the node 102c may be connected to the client 106c on the node
102b. That is, controller 108b in this example is configured to be
discoverable by client 106b and client 106c. In this example, node
102b is also configured to function as the client 106c, agent 110a,
access control component 112a, and the server 114b. As indicated by
the dotted line 116b, the controller 108b may be connected to agent
110b provided by node 102e; and as indicated by the dotted line
116c, agent 110b may be connected to access control component 112b,
which administers client access to server 114d. In this example,
node 102f is configured to provide access control component 112b
and server 114d. The access control component 112, such as the
access control component 112b, may include a firewall, a hardware
switch, an access filter, and/or any other type of access control
component that may be used to control the client access to server
114d. In other words, the access request by the client 106b to the
server 114d may be facilitated through the dotted lines 116 shown
in FIG. 1A.
[0028] As still can be seen in FIG. 1A, node 102d in this example
is configured to function as a client 106a and a server 114a. As
indicated by the dotted line 118a, the client 106a may be connected
to the controller 108a provided by node 102a. The controller 108a
in this example, as indicated by the dotted line 118b, may be
connected to the agent 110a. The agent 110a in this example is
configured to issue instruction(s) to access control component
112a, which controls client access to the server 114b. In other
words, the access request by the client 106a to the server 114b may
be facilitated through the dotted lines 118 shown in FIG. 1A.
[0029] FIG. 1B illustrates the access control network 100
dynamically configured at a time point T+1. It will be described
with reference to FIG. 1A. As shown, at time T+1, compared with
FIG. 1A, node 102a is configured to function as an agent 110c in
addition to the client 106b and controller 108a provided by node
102a; and agent 110a and server 114b are disabled (or removed)
from node 102b. Also compared with FIG. 1A, the controller 108a on
the node 102a is configured to connect to agent 110c, which may be
connected to the access control component 112a provided by node
102b. Still compared with FIG. 1A, the access control component
112a is configured in FIG. 1B to connect to and control access to
server 114a provided by node 102d. In this way, as shown in FIG.
1B, client access by client 106a to the server 114a may be
facilitated by node 102a and node 102b.
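The FIG. 1A and FIG. 1B connection states as an access matrix of the kind paragraph [0010] describes, with the T to T+1 diff a monitoring display would show and the path a client's request follows, as an added example not taken from the application. The component labels (106a, 108b, and so on) follow the figures; the link sets, the rule that a link may only join adjacent stages of the client, controller, agent, access control component, server chain, and all function names are assumptions made for this example.

```python
"""Added example (not the application's code): the FIG. 1A / FIG. 1B
connection state as an access matrix, the diff between T and T+1, and the
path a client request follows. Labels follow the figures; the link sets, the
allowed-hop rule and the function names are assumptions for this example."""
from collections import deque

# Directed links at time T, taken from the FIG. 1A description: (from, to).
LINKS_T = frozenset({
    ("106b", "108b"), ("106c", "108b"), ("108b", "110b"), ("110b", "112b"), ("112b", "114d"),
    ("106a", "108a"), ("108a", "110a"), ("110a", "112a"), ("112a", "114b"),
})
# Time T+1 (FIG. 1B): agent 110c appears on node 102a, agent 110a and server 114b are
# removed from node 102b, and access control component 112a now fronts server 114a.
LINKS_T1 = frozenset({
    ("106b", "108b"), ("106c", "108b"), ("108b", "110b"), ("110b", "112b"), ("112b", "114d"),
    ("106a", "108a"), ("108a", "110c"), ("110c", "112a"), ("112a", "114a"),
})

# The figures' numbering: 106 = client, 108 = controller, 110 = agent, 112 = acc, 114 = server.
KIND = {"106": "client", "108": "controller", "110": "agent", "112": "acc", "114": "server"}
# The only hops an access request may take (claim 1 also allows agent -> server).
ALLOWED_HOPS = {("client", "controller"), ("controller", "agent"), ("agent", "acc"),
                ("acc", "server"), ("agent", "server")}


def kind(label):
    return KIND[label[:3]]


def bad_links(links):
    """Links that skip a stage of the chain, e.g. a client wired straight to a server."""
    return sorted(l for l in links if (kind(l[0]), kind(l[1])) not in ALLOWED_HOPS)


def access_path(links, client, server):
    """Components a request from client to server traverses (breadth first), or None."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
    prev = {client: None}
    queue = deque([client])
    while queue:
        cur = queue.popleft()
        if cur == server:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(adj.get(cur, [])):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def diff(before, after):
    """What a monitoring display would highlight between two snapshots."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def matrix(links):
    """Links grouped by the component kinds they join, as claim 1 lists them."""
    out = {}
    for a, b in sorted(links):
        out.setdefault(f"{kind(a)}->{kind(b)}", []).append((a, b))
    return out


if __name__ == "__main__":
    print(access_path(LINKS_T, "106b", "114d"))
    print(access_path(LINKS_T1, "106a", "114a"))
    print(diff(LINKS_T, LINKS_T1))
    print(bad_links(LINKS_T | {("106a", "114a")}))
```

Keeping the links as a set of (from, to) pairs makes the reconfiguration between T and T+1 a plain set difference, and the `bad_links` check is the one an administrator's interface should run before applying a change: any link that bypasses the controller, agent or access control component stage is a path to a server that nothing authenticates.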
[0030] FIG. 2 illustrates dynamic configuration of a node 102 to
function as a controller in accordance with the disclosure. In
FIGS. 1A-1B, the nodes 102 illustrated therein are shown to be
dynamically configurable to function as one or more of a client
106, a controller 108, an agent 110, an access control component
112, and a server 114. In FIG. 2, it is shown that a given
controller 108 provided by a given node 102 on the access control
network 100 may be dynamically configured to connect to one or more
clients 106, and may be dynamically configured to connect to one or
more agents 110, as however desired by the administrator, provider,
user, manufacturer, moderator of the access control network 100,
and/or any other entities related to the access control network
100. As an illustration, at time T, controller 108 on node 102 as
shown in FIG. 2 may be configured to connect to client #1 and agent
#1 such that an access request from client #1 for a service
provided by a server whose client access is administered by agent
#1 may be received or intercepted by controller 108, and the
controller 108 may generate and forward an instruction to agent #1
to administer the access by client #1 as requested. Still as an
illustration, at time T, controller 108 on node 102 shown in FIG. 2
may be configured to connect to client #2 and agent #2 such that an
access request from client #2 for a service provided by a server
whose client access is administered by agent #2 may be received or
intercepted by controller 108, and the controller 108 may generate
and forward an instruction to agent #2 to administer the access by
client #2 as requested. Still as an illustration, at the time point
T+1, the controller 108 may be configured to connect to client #1
and client #2, and agent #1 such that an access request for a
service provided by a server whose client access is administered by
agent #1 may be received or intercepted by controller 108 from
client #1 or client #2, and the controller 108 may generate and
forward an instruction to agent #1 to administer the access by the
requesting client as requested.
[0031] FIG. 3 illustrates dynamical configuration of a node 102 to
function as an agent in accordance with the disclosure. As shown in
FIG. 3, a given agent 110 provided by a given node 102 on the access
control network 100 may be dynamically configured to connect to one
or more controllers 108, and may be dynamically configured to
connect to one or more access control components 112 and/or one or
more servers 114, as desired by the administrator, provider, user,
manufacturer, or moderator of the access control network 100,
and/or any other entities related to the access control network
100. As illustration, at time point T, agent 110 on
node 102 shown in FIG. 3 may be configured to connect to controller
#1, and access control component #1 and/or server #1 such that the
agent 110 may issue an instruction to the access control component
#1 and/or server #1 to administer client access in accordance with
the instruction received from controller #1. Still as illustration,
at time T, agent 110 on node 102 shown in FIG. 3 may be configured
to connect to controller #2, and access control component #2 and/or
server #2 such that the agent 110 may issue an instruction to the
access control component #2 and/or server #2 to administer client
access in accordance with the instruction received from controller
#2. Still as illustration, at the time point T+1, agent 110 on node
102 shown in FIG. 3 may be configured to connect to controller #1
and controller #2, and access control component #1 and/or server #1
such that the agent 110 may issue an instruction to the access
control component #1 and/or server #1 to administer client access
in accordance with the instruction received from controller #1 or
controller #2.
[0032] FIG. 4 illustrates an example state of the access control
network 100 at a given point of time. As shown, in some
implementations, table 400 may be used to keep track of connections
among the clients, controllers, agents, access control components,
and servers on the access control network 100. In this example, the
content of table 400 represents a snapshot view of the connections
in the access control network 100 at the given point of time. For
example, as shown by row 402a of table 400, at the given time,
client #1 is connected to controller #1, which is connected to
agent #3, which is connected to access control component #1, which
is connected to server #2 that provides a service to client #1. As
illustration, client #1 may be a media player on a client computing
platform (i.e., a node 102) on the access control network 100 and
server #2 may be a media server that provides streaming service to
client #1. As another example, as shown by row 402b of table 400,
at the given time, client #2 is also connected to controller #1 and
is receiving the service from server #2 similarly to client #1. For
instance, client #2 may be another media player on a client
computing platform separate and independent from the client
computing platform client #1 is on. In contrast, as indicated by
row 402c, client #3 is connected to controller #3, which is
connected to agent #1 for a service provided by server #1 whose
access is controlled by the access control component #2. Other rows
of table 400, such as rows 402d and 402e are self-explanatory.
[0033] FIG. 5 illustrates exemplary tables 502 that may be used to
track components provided by nodes on the access control network
100 at a given time. As shown, a table 502a may be used to record
client computing platforms that are functioning as the controllers
on the access control network 100 at the given time. As also shown,
a table 502b may be used to record client computing platforms that
are functioning as the agents on the access control network 100 at
the given time. As still shown, table 502c may be used to record
client computing platforms that are functioning as access control
components for corresponding servers at the given time. For
example, as shown, at the given time, client computing platform #8
is functioning as a firewall for server #1, client computing
platform #2 is functioning as a firewall for server #2, client
computing platform #6 is functioning as a secured switch for server
#3 and so on. As yet shown, table 502d may be used to record client
computing platforms that are functioning as servers providing
corresponding services.
[0034] In some implementations, the configuration of a node on the
client access control network 100 in accordance with the present
disclosure may be facilitated by an administration/monitoring
system, which may comprise one or more monitoring systems, one or
more administration servers, user database, data storage, policy
servers, and/or any other elements. In those implementations, the
administration system may be configured to store information
regarding network connection state at any given point of time,
status of individual nodes on the access control network 100, error
logs, and/or any other status information regarding the access
control network 100. In some implementations, a given
administration server included in the administration/monitoring
system may be configured to manage an access matrix indicating a
state of connections among particular client devices, controllers,
agents, access control components, and/or servers on an access
control network in accordance with the present disclosure. In those
implementations, such an access matrix may be displayed to the user
(e.g., an administrator of the access control network) to provide a
snapshot or a dynamic view of a state (e.g., topology) of the
access control network in real time. This may enable the user to
determine desired configuration of one or more client computing
platforms (nodes) on the access control network.
[0035] In some implementations, a given rule server included in the
administration/monitoring system may be configured to manage a set
of one or more predetermined rules that specify certain
requirements of the configuration of access control network. For
example, the rules may specify that a first set of one or more
particular client computing platforms may never be configured to
function as a controller; may specify that a second set of one or
more particular client computing platforms may only be configured
to function as a controller and/or a client device; may specify
that a third set of one or more particular client computing
platforms may be configured to function as access control
components that control client access for a particular server;
and/or any other policies. In some examples, such policies may be
employed to facilitate workload management or network expansion
such that one or more client devices may be additionally configured
to function as controllers, agents, access control components,
and/or servers. In some examples, such policies may be enforced to
facilitate consistency and/or predetermined network characteristics
as desired by the provider, administrator, and/or any other
entities related to the access control network.
[0036] FIG. 6 illustrates an exemplary interface 604 provided by a
monitoring or administration system 600 configured to manage the
access control network 100. As shown, the interface 604 may present
graphical information indicating a state of connections among
individual nodes on the access control network 100 at any given
point of time. As also shown, the interface 604 provided by the
monitoring or administration system may also indicate configuration
of individual nodes 102, i.e., corresponding components on the
access control network 100 provided by the individual nodes 102.
The interface 604 may enable an administrator or a provider of the
access control network 100 to acquire information regarding
topology and configuration of the access control network 100 at any
given point of time.
[0037] FIG. 7 illustrates an exemplary interface 702 for
configuring a given controller provided by a node. As already shown
in FIG. 2, a controller may be configured to connect to a plurality
of clients and a plurality of agents. In some implementations, the
interface 702 shown in FIG. 7 may be provided by the
monitoring/administration system 602 to facilitate the
configuration of the controller. For example, the interface 702 may
be used to facilitate a user, e.g., an administrator of the access
control network 100, to remove an agent already connected to the
controller. As shown in this example, a list of agents 703 that are
already connected to the controller may be shown in the interface.
As also shown, field controls 704 may be presented in the interface
702 corresponding to a connected agent to facilitate the user to
remove the corresponding agent; and field controls 706 may be
presented in the interface 702 to facilitate the user to initiate a
request to configure the corresponding agent. After a removal of an
agent is effectuated through the interface 702 via the field
controls 704, the removed agent may be prevented from communicating
with the given controller. After a request is effectuated through
the interface 702 via the field controls 706, an interface that
facilitates the user to configure the corresponding agent may be
shown. An example of such an interface is shown in FIG. 8.
[0038] As also shown, field controls may be presented in the
interface 702 to facilitate the user to add an agent. That is,
through the interface 702, the user may configure the given
controller to be discoverable by an agent by adding the agent to
the controller. As shown, a list 710 of one or more agents that may
be added to the controller may be presented in a pull down list.
Field control 708 may be presented in the interface 702 so that the
user may add a corresponding agent to the controller. After a
connection between the controller and the agent is added through
interface 702, the controller may communicate with the added agent
in manners consistent with the network access control mechanism
disclosed herein.
[0039] In some examples, the interface 702 may be used to remove or
configure one or more clients already connected to the given
controller. As shown in this example, a list 712 of clients already
connected to the controller may be presented in the interface 702.
As shown, similar field controls to 704 and 706 may be provided in
the interface 702 to facilitate the user to remove or configure an
already connected client. After a client is removed through the
interface 702, the removed client is prevented from communicating
with the controller. That is, the controller may not be discovered
by the removed client and/or may deny a request from the removed
client to access a service administered by the controller.
[0040] As also shown, a list 714 of one or more clients may be
presented in the interface 702 to facilitate the user to select and
add a client to the controller. That is, the user may be enabled to
select a client from the list 714 to be connected to the
controller. After the user adds the client, for example client #N
as shown in this example, the added client may communicate with the
controller to request access to a service administered by the
controller in accordance with the access control mechanism
described herein.
[0041] FIG. 8 illustrates an exemplary interface 802 for
configuring an agent provided by a node. As already shown in FIG.
3, a given agent in accordance with the present disclosure may be
configured to connect to a plurality of access control
components/servers and a plurality of controllers. In some
implementations, the interface 802 as shown in FIG. 8 may be
provided by the monitoring/administration system 602 to facilitate
the configuration of the given agent. For example, the interface
802 may be used to facilitate a user, e.g., an administrator of the
access control network 100, to remove an access component already
connected to the given agent. In this example, the access control
components are firewall components on corresponding servers. As
shown, a list of firewall/servers 803 that are already connected to
the agent may be shown in the interface 802. As also shown, field
controls 804 may be presented in the interface 802 corresponding to
a connected firewall/server to facilitate the user to remove the
corresponding firewall/server; and field controls 806 may be
presented in the interface 802 to facilitate the user to initiate a
request to configure the corresponding firewall/server. After a
removal of a firewall/server is effectuated through the interface
802 via the field controls 804, the given agent may be prevented
from communicating with the removed firewall/server. After a
request is effectuated through the interface 802 via the field
controls 806, an interface that facilitates the user to configure
the corresponding firewall/server may be shown.
[0042] As also shown, field controls may be presented in the
interface 802 to facilitate the user to add a firewall/server.
That is, through the interface 802, the user may configure the
corresponding firewall/server to communicate with the given agent
in accordance with the access control mechanism described herein.
As shown, a list 810 of one or more firewalls/servers that may be
added to the given agent may be presented in a pull down list.
Field control 808 may be presented in the interface 802 so that the
user may add a corresponding firewall/server to the given agent.
After a connection between the firewall/server and the given agent
is added through interface 802, the given agent may communicate
with the added firewall/server in accordance with the access
control mechanism described herein.
[0043] In some examples, the interface 802 may be used to remove or
configure one or more controllers already connected to the given
agent. As shown in this example, a list 812 of controllers already
connected to the given agent may be presented in the interface 802.
As shown, similar field controls to 804 and 806 may be provided in
the interface 802 to facilitate the user to remove or configure an
already connected controller. After a controller is removed through
the interface 802, the removed controller is prevented from
communicating with the given agent. That is, the given agent may
not be discovered by the removed controller and/or may deny a
request from the removed controller for a service whose access is
controlled by the given agent.
[0044] As also shown, a list 814 of one or more controllers may be
presented in the interface 802 to facilitate the user to select and
add a controller to the given agent. That is, the user may be
enabled to select a controller from the list 814 to be connected to
the given agent. After the user adds the controller, for example
controller #N as shown in this example, the added controller may
communicate with the given agent for a service whose access is
controlled by the given agent in accordance with the access control
mechanism described herein.
[0045] In some examples, the configuration of a given controller, a
given agent, a given access control component, and/or a given
server in the client access control network, as described and
illustrated herein, may be effectuated using on one or more
predetermined rules managed by one or more rules server included in
the administration/monitoring system 602. For example, the
predetermined rules may include a rule specifying that the given
controller is available for access only by one or more specific
clients. For instance, without limitation, a predetermined rule may
be configured into the administration/monitoring system 602 such
that the given controller may only facilitate service access
requests from clients within a specified intranet. In
implementations, the given controller may be configured by the
administration/monitoring system 602 to listen to access requests
by clients from the specified intranet only such that any request from
a client outside the specified intranet is denied. As illustration,
at a first time point, the given controller may be provided by a
first node, which may be configured by the
administration/monitoring system 602 to receive client access
requests from the specified intranet; and at a second time point
after the first time point, the given controller might migrate to a
second node in accordance with the present disclosure, and the
administration/monitoring system 602 may nevertheless configure the
given controller to receive client access requests from the
specified intranet in accordance with the afore-discussed
predetermined rule.
[0046] As another example, a predetermined rule managed by the
administration/monitoring system 602 may specify that the given
agent may be configured to control access to services provided by
one or more specified servers. For example, the given agent may be
configured to control access to a first server. At a first time
point, the first server may provide a data service, at a second
time point after the first time point, the first server may provide
a web service instead of the data service, and at a third time
point after the second time point, the first server may provide
both the data service and the web service. In that example, the
administration/monitoring system 602 may dynamically configure the
given agent to control the different services provided by the first
server at those time points.
[0047] In some examples, a predetermined rule managed by the
administration/monitoring system 602 may specify how a given node
may be configured in the access control network 100. For example,
the predetermined rule may be workload based such that various
thresholds may be specified for configuring the given node. For
instance, without limitation, the predetermined rule may specify
that when the given node's CPU usage is more than 80%, the given
node may not be configured as controller; when the given node's CPU
usage is more than 50%, the given node may not be configured as a
server; and when the given node's CPU usage is more than 85%, the
given node may not be configured as an agent. As another example,
the predetermined rule may be time based such that various time
periods may be specified for configuring the given node. For
instance, without limitation, the predetermined rule may specify
that the given node may not be configured as a server in a first
time period; may not be configured as a controller in a second time
period; may be configured only as an agent in a third time period;
and so on.
[0048] FIG. 9 is a flow diagram showing an exemplary method 900 for
facilitating a user to configure a controller in accordance with
the disclosure. The operations of method 900 presented below are
intended to be illustrative. In some embodiments, method 900 may be
accomplished with one or more additional operations not described
and/or without one or more of the operations discussed.
Additionally, the order in which the operations of method 900 are
illustrated in FIG. 9 and described below is not intended to be
limiting.
[0049] In some embodiments, method 900 may be implemented in one or
more processing devices (e.g., a digital processor, an analog
processor, a digital circuit designed to process information, an
analog circuit designed to process information, a state machine,
and/or other mechanisms for electronically processing information).
The one or more processing devices may include one or more devices
executing some or all of the operations of method 900 in response
to instructions stored electronically on an electronic storage
medium. The one or more processing devices may include one or more
devices configured through hardware, firmware, and/or software to
be specifically designed for execution of one or more of the
operations of method 900.
[0050] At an operation 902, a request to configure a controller in
an access control network may be received. For example, the request
may be received at the administration/monitoring system 602. In
some implementations, the request may include information
indicating a specific controller provided by a specific node on the
access control network.
[0051] At an operation 904, a state of the access control network
may be obtained. For example, as illustrated in FIGS. 4-5, the
state of the access control network may be captured in forms
described therein. At operation 904, the state of the access
control network may be obtained, for example, by selecting the
specific node from the tables shown in FIG. 5.
[0052] At an operation 906, one or more clients that are already
connected to the controller may be identified. In implementations,
the one or more clients may be identified from the table shown in
FIG. 4. In FIG. 7, the one or more clients identified at operation
906 are shown in the list 712.
[0053] At an operation 908, one or more clients that may be
connected to the controller may be identified. In implementations,
the identification at operation 908 may be performed using a
predetermined rule that specifies a set of clients that may be
connected to the controller. For example, such a predetermined rule
may specify that the controller may be connected to any client in a
specified intranet. Based on this predetermined rule, operation 908
may identify the clients that are in the specified intranet but
that are not yet connected to the controller as the clients that
may be connected to the controller.
[0054] At an operation 910, one or more agents that are already
connected to the controller may be identified. In implementations,
the one or more agents may be identified from the table shown in
FIG. 4. In FIG. 7, the one or more agents identified at operation
910 are shown in the list 703.
[0055] At an operation 912, one or more agents that may be
connected to the controller may be identified. In implementations,
the identification at operation 912 may be performed using a
predetermined rule that specifies a set of agents that may be
connected to the controller. For example, such a predetermined rule
may specify that the controller may be connected to a specific set
of agents. Based on this predetermined rule, operation 912 may
identify the agents that are in the specified set but that are not
yet connected to the controller as the agents that may be connected
to the controller.
[0056] At an operation 914, a user, e.g., an administrator of the
access control network, may be facilitated to remove or configure
the clients that are identified in operation 906. An example of
operation 914 is illustrated in FIG. 7.
[0057] At an operation 916, the user may be facilitated to add one
or more clients identified in operation 908 to the controller. An
example of this operation is also illustrated in FIG. 7.
[0058] At an operation 918, the user may be facilitated to remove or
configure the agents that are identified in operation 910. An
example of operation 918 is illustrated in FIG. 7.
[0059] At an operation 920, the user may be facilitated to add one
or more agents identified in operation 912 to the controller. An
example of this operation is also illustrated in FIG. 7.
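The snapshot table of FIG. 4 and operations 906-920 of method 900, worked through for one controller as an added example (not code from the patent or from Aunigma): the client addresses, the intranet prefix and the set of permitted agents are constructed, and the intranet rule stands in for the predetermined rule of operation 908.

```python
"""Added example, not the patent's own code: a connection snapshot in the
style of table 400 (FIG. 4) and the candidate-identification and add/remove
steps of method 900 (FIG. 9, operations 906-920) for one controller.
Client addresses, the intranet prefix and the agent set are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class Row:
    """One row of the snapshot: the path a client's request takes."""
    client: str
    controller: str
    agent: str
    access_control: str
    server: str

# Constructed snapshot modelled on rows 402a-402c of table 400.
SNAPSHOT: List[Row] = [
    Row("client1", "controller1", "agent3", "acc1", "server2"),
    Row("client2", "controller1", "agent3", "acc1", "server2"),
    Row("client3", "controller3", "agent1", "acc2", "server1"),
]
# Constructed inventory (client id -> address) consulted by the intranet rule.
CLIENT_ADDRESSES: Dict[str, str] = {
    "client1": "10.1.0.11",
    "client2": "10.1.0.12",
    "client3": "10.1.0.13",
    "client4": "10.1.0.40",
    "client5": "203.0.113.7",  # outside the intranet, never eligible
}
INTRANET: IPv4Network = ip_network("10.1.0.0/24")  # rule of [0053]
ALLOWED_AGENTS: FrozenSet[str] = frozenset({"agent3", "agent4"})  # rule of [0055]

def connected_clients(snapshot: List[Row], controller: str) -> Set[str]:
    """Operation 906: clients already routed through the controller."""
    return {r.client for r in snapshot if r.controller == controller}

def connected_agents(snapshot: List[Row], controller: str) -> Set[str]:
    """Operation 910: agents the controller currently forwards to."""
    return {r.agent for r in snapshot if r.controller == controller}

def addable_clients(snapshot: List[Row], controller: str,
                    addresses: Dict[str, str], intranet: IPv4Network) -> Set[str]:
    """Operation 908: intranet clients not yet connected to the controller."""
    already = connected_clients(snapshot, controller)
    return {c for c, addr in addresses.items()
            if ip_address(addr) in intranet and c not in already}

def addable_agents(snapshot: List[Row], controller: str,
                   allowed: FrozenSet[str]) -> Set[str]:
    """Operation 912: agents in the specified set not yet connected."""
    return set(allowed) - connected_agents(snapshot, controller)

class ControllerConfig:
    """Operations 914-920: the administrator's add/remove actions for one
    controller, and the accept/deny decision the controller then makes."""

    def __init__(self, name: str, snapshot: List[Row], addresses: Dict[str, str],
                 intranet: IPv4Network, allowed_agents: FrozenSet[str]) -> None:
        self.name = name
        self.clients = connected_clients(snapshot, name)  # list 712
        self.agents = connected_agents(snapshot, name)    # list 703
        self.candidate_clients = addable_clients(snapshot, name, addresses, intranet)  # list 714
        self.candidate_agents = addable_agents(snapshot, name, allowed_agents)  # list 710

    def remove_client(self, client: str) -> None:
        """Operation 914: a removed client is no longer offered and is denied."""
        self.clients.discard(client)

    def add_client(self, client: str) -> None:
        """Operation 916: only a client the rule made eligible may be added."""
        if client not in self.candidate_clients:
            raise ValueError(f"{client} is not eligible to join {self.name}")
        self.candidate_clients.discard(client)
        self.clients.add(client)

    def remove_agent(self, agent: str) -> None:
        """Operation 918."""
        self.agents.discard(agent)

    def add_agent(self, agent: str) -> None:
        """Operation 920: only an agent in the specified set may be added."""
        if agent not in self.candidate_agents:
            raise ValueError(f"{agent} is not eligible to join {self.name}")
        self.candidate_agents.discard(agent)
        self.agents.add(agent)

    def accepts(self, client: str) -> bool:
        """Whether the controller accepts an access request from `client`."""
        return client in self.clients
```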
[0060] FIG. 10 is a flow diagram showing an exemplary method 1000
for configuring a node as a client, a controller, an agent, and/or
a server in accordance with the disclosure. The operations of method
1000 presented below are intended to be illustrative. In some
embodiments, method 1000 may be accomplished with one or more
additional operations not described and/or without one or more of
the operations discussed. Additionally, the order in which the
operations of method 1000 are illustrated in FIG. 10 and described
below is not intended to be limiting.
[0061] In some embodiments, method 1000 may be implemented in one
or more processing devices (e.g., a digital processor, an analog
processor, a digital circuit designed to process information, an
analog circuit designed to process information, a state machine,
and/or other mechanisms for electronically processing information).
The one or more processing devices may include one or more devices
executing some or all of the operations of method 1000 in response
to instructions stored electronically on an electronic storage
medium. The one or more processing devices may include one or more
devices configured through hardware, firmware, and/or software to
be specifically designed for execution of one or more of the
operations of method 1000.
[0062] At an operation 1002, one or more predetermined rules may be
retrieved. In some examples, operation 1002 may be performed by the
administration/monitoring system 602. The predetermined rules
retrieved at operation 1002 may include the workload based rules,
time period based rules described above, and/or any other
predetermined rules configured to facilitate configuration of roles
(i.e., client, controller, agent, and/or server) of a given node in
the access control network.
[0063] At an operation 1004, a node may be identified based on the
predetermined rules retrieved at operation 1002. For example, the
predetermined rules may specify that a first node should be
configured as a controller in a first time period. In that example,
the first node is identified at operation 1004. In some
examples, operation 1004 may be performed by the
administration/monitoring system 602.
[0064] At an operation 1006, the node identified at operation 1004
may be configured as a client, a controller, an agent, an access
control component, and/or a server in accordance with the
predetermined rules retrieved at operation 1002. In some examples,
operation 1006 may be performed by the administration/monitoring
system 602.
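The workload-based and time-based rules of paragraph [0047], evaluated the way operations 1002-1006 of method 1000 use them, as an added example that is not code from the patent or from Aunigma: the CPU thresholds (80%, 50%, 85%) are the ones the text gives, while the clock windows for the three time periods, the node names and the CPU readings are constructed.

```python
"""Added example, not the patent's own code: the workload-based and
time-based rules of paragraph [0047], evaluated the way method 1000
(FIG. 10, operations 1002-1006) uses them. The CPU thresholds are those the
text gives; the clock windows, node names and CPU readings are constructed."""
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Sequence

class Role(str, Enum):
    CLIENT = "client"
    CONTROLLER = "controller"
    AGENT = "agent"
    ACCESS_CONTROL = "access_control"
    SERVER = "server"

ALL_ROLES: FrozenSet[Role] = frozenset(Role)

@dataclass(frozen=True)
class WorkloadRule:
    """The role is withheld when CPU usage is strictly more than the limit."""
    role: Role
    cpu_percent_limit: float

@dataclass(frozen=True)
class TimeRule:
    """While the clock is in [start, end), deny the `denied` roles or, when
    `only` is set, permit nothing but those roles. Windows may wrap midnight."""
    start: time
    end: time
    denied: FrozenSet[Role] = frozenset()
    only: Optional[FrozenSet[Role]] = None

    def active(self, now: time) -> bool:
        if self.start <= self.end:
            return self.start <= now < self.end
        return now >= self.start or now < self.end  # window wraps past midnight

# Operation 1002: the rules the administration/monitoring system hands out.
# Thresholds are from [0047]; the three clock periods are constructed.
WORKLOAD_RULES: List[WorkloadRule] = [
    WorkloadRule(Role.CONTROLLER, 80.0),  # more than 80% -> not a controller
    WorkloadRule(Role.SERVER, 50.0),      # more than 50% -> not a server
    WorkloadRule(Role.AGENT, 85.0),       # more than 85% -> not an agent
]
TIME_RULES: List[TimeRule] = [
    TimeRule(time(9, 0), time(17, 0), denied=frozenset({Role.SERVER})),       # first period
    TimeRule(time(17, 0), time(22, 0), denied=frozenset({Role.CONTROLLER})),  # second period
    TimeRule(time(0, 0), time(5, 0), only=frozenset({Role.AGENT})),           # third period
]

def allowed_roles(cpu_percent: float, now: time,
                  workload_rules: Sequence[WorkloadRule] = WORKLOAD_RULES,
                  time_rules: Sequence[TimeRule] = TIME_RULES) -> FrozenSet[Role]:
    """Roles the rules permit for a node under this load at this clock time.
    Each rule only narrows the set, so the result is their intersection."""
    roles = set(ALL_ROLES)
    for w in workload_rules:
        if cpu_percent > w.cpu_percent_limit:  # exactly at the limit is allowed
            roles.discard(w.role)
    for t in time_rules:
        if not t.active(now):
            continue
        roles -= t.denied
        if t.only is not None:
            roles &= t.only
    return frozenset(roles)

def eligible_nodes(node_cpu: Dict[str, float], role: Role, now: time,
                   workload_rules: Sequence[WorkloadRule] = WORKLOAD_RULES,
                   time_rules: Sequence[TimeRule] = TIME_RULES) -> List[str]:
    """Operation 1004: the nodes the rules currently permit to take `role`."""
    return sorted(n for n, cpu in node_cpu.items()
                  if role in allowed_roles(cpu, now, workload_rules, time_rules))

def configure(node_cpu: Dict[str, float], desired: Dict[str, FrozenSet[Role]],
              now: time, workload_rules: Sequence[WorkloadRule] = WORKLOAD_RULES,
              time_rules: Sequence[TimeRule] = TIME_RULES) -> Dict[str, FrozenSet[Role]]:
    """Operation 1006: grant each listed node the desired roles the rules still
    allow; a role the rules withhold is dropped rather than configured."""
    return {node: roles & allowed_roles(node_cpu[node], now, workload_rules, time_rules)
            for node, roles in desired.items()}
```

A node that every active rule excludes ends up with an empty role set, which is the signal to leave it unconfigured rather than force a role.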
[0065] Implementations of the invention may be made in hardware,
firmware, software, or various combinations thereof. The invention
may also be implemented as instructions stored on a
machine-readable medium, which may be read and executed using one
or more processing devices. In one implementation, machine-readable
media may include various mechanisms for storing and/or
transmitting information in a form that can be read by a machine
(e.g., a computing device). For example, machine-readable storage
media may include read-only memory, random access memory, magnetic
disk storage media, optical storage media, flash memory devices,
and other media for storing information, and machine-readable
transmission media may include forms of propagated signals,
including carrier waves, infrared signals, digital signals, and
other media for transmitting information. While firmware, software,
routines, or instructions may be described in the above disclosure
in terms of specific exemplary aspects and implementations
performing certain actions, it will be apparent that such
descriptions are merely for the sake of convenience and that such
actions in fact result from computing devices, processing devices,
processors, controllers, or other devices or machines executing the
firmware, software, routines, or instructions.
[0066] Furthermore, aspects and implementations may be described in
the above disclosure as including particular features, structures,
or characteristics, but it will be apparent that every aspect or
implementation may or may not necessarily include the particular
features, structures, or characteristics. Further, where particular
features, structures, or characteristics have been described in
connection with a specific aspect or implementation, it will be
understood that such features, structures, or characteristics may
be included with other aspects or implementations, whether or not
explicitly described. Thus, various changes and modifications may
be made to the preceding disclosure without departing from the
scope or spirit of the invention, and the specification and
drawings should therefore be regarded as exemplary only, with the
scope of the invention determined solely by the appended
claims.
* * * * *