System and method for managing access to active devices operably connected to a data network

US 20040068562A1
Filed: 10/02/2002
Published: 04/08/2004
Est. Priority Date: 10/02/2002
Status: Active Grant

First Claim

Patent Images

1. ) A device for managing access of an active device through a data network, comprising:

a. a service station operative to communicate with a requesting active device and a router, the active device and router operative to communicate with a data network; and

b. connection management software executing at least partially in the service station and at least partially at the requesting active device, the connection management software operable to direct the router to control access through the router by the requesting active device based on a detectable state of a predetermined characteristic of the requesting active device, the state being disclosed to the service station upon a request by the service station, according to a dynamically definable rule for the state.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing access of one or more active devices through a data network is disclosed. The system comprises a service station operative to communicate with a requesting active device and a router, the active device and router operative to communicate with a data network. Connection management software executes at least partially in the service station to direct the router to control access to a responding active device by the requesting active device based on a detectable state of a predetermined characteristic of the requesting active device, the state being disclosed to the service station upon a request by the service station. It is submitted with the understanding that it will not be used to interpret or limit the scope of meaning of the claims.

52 Citations

View as Search Results

33 Claims

1. ) A device for managing access of an active device through a data network, comprising:
- a. a service station operative to communicate with a requesting active device and a router, the active device and router operative to communicate with a data network; and
  
  b. connection management software executing at least partially in the service station and at least partially at the requesting active device, the connection management software operable to direct the router to control access through the router by the requesting active device based on a detectable state of a predetermined characteristic of the requesting active device, the state being disclosed to the service station upon a request by the service station, according to a dynamically definable rule for the state.

2. ) A system for managing access between active devices through a data network, comprising:
- a. a plurality of active devices operative to communicate with a data network, a first portion of the active devices being disposed logically upstream from a second portion of the active devices;
  
  b. a router, logically disposed intermediate the first portion of the active devices and the second portion of the active devices, the router capable of selectively allowing access by a requesting active device of the first portion of the active devices to an active device of the second portion of active devices;
  
  c. a service station operative to communicate with the at least one active device and the router;
  
  d. connection management software executing at least partially in the service station and operable to direct the router to selectively allow access by a requesting active device to a responding active device in the second portion of active devices based on a predetermined characteristic of the requesting active device; and
  
  e. client software executing in a requesting active device and in communication with the connection management software, the client software operable to determine the predetermined characteristic of the requesting active device according to a dynamically definable rule.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 3. ) A system as in claim 2, wherein:
    - a. the data network is at least one of (i) a data packet network, (ii) a TCP/IP network, or (iii) a peer-to-peer network.
  - 4. ) A system as in claim 2, wherein:
    - a. the active devices comprise a logic processing unit.
  - 5. ) A system as in claim 2, wherein:
    - a. the router uses a predefined protocol to forward data to the service station.
  - 6. ) A system as in claim 5, wherein:
    - a. the predefined protocol comprises network address translation.
  - 7. ) A system as in claim 2, wherein the router further comprises:
    - a. a router control server, comprising;
      
      i. a control server message queue; and
      
      ii. an IP Address database.
  - 8. ) A system as in claim 2, wherein:
    - a. the service station further comprises a service station message queue.
  - 9. ) A system as in claim 2, further comprising:
    - a. the connection management software further comprises i. a first page, retrievable by the requesting active device, the first page comprising at least a portion of client control software executable at the requesting active device; and
      
      ii. a second page, controllable by the service station, through which a confirmation code may be passed to the service station by the client control software executing at the requesting active device.
  - 10. ) A system as in claim 9, wherein:
    - a. the client control software further comprises an ActiveX control; and
      
      b. the first page further comprises a codebase attribute to specify a location into which the ActiveX control may be downloaded if it is not yet installed on the requesting active device.
  - 11. ) A system as in claim 10, wherein:
    - a. the location is at least one of (i) an absolute URL or (ii) a relative URL.
  - 12. ) A system as in claim 10, wherein:
    - a. the ActiveX control supports versioning.
  - 13. ) A system as in claim 10, wherein:
    - a. the first page further comprises a tag to define a rule parameter needed by the client control software.
  - 14. ) A system as in claim 13, wherein:
    - a. the rule parameter further comprises at least one of (i) an operating system identifier, (ii) a URL uplog, (iii) a URL fail, (iv) a URL useful to specify a page responsible for displaying information upon denial of network access, or (v) a boolean.
  - 15. ) A system as in claim 2, further comprising:
    - a. a rule file, comprising the rule.
  - 16. ) A system as in claim 15, wherein:
    - a. the rule comprises a name-value pair that defines a named parameter and a value associated with the named parameter.
  - 17. ) A system as in claim 15, wherein:
    - a. the rule file comprises an identifiable named section; and
      
      b. the identifiable named section comprises a unique section name, the section name further comprising the name of the rule.
  - 18. ) A system as in claim 13, wherein the rule parameter further comprises:
    - a. at least one of (i) a rule type, (ii) a log level, (iii) a severity level, or (iv) a URL.
  - 19. ) A system as in claim 18, wherein:
    - a. the rule type further comprises at least one of (i) a command rule, (ii) a file exist rule, (iii) a file property rule, (iv) a named section rule, (v) a process rule, or (vi) a registry rule;
      
      b. the log level further comprises at least one of (i) none, (ii) min, or (iii) max;
      
      c. the severity code further comprises at least one of (i) off, (ii) minimal, (iii) desired, or (iv) required; and
      
      d. the URL further comprises a URL providing access to a page containing instructions on how to set up the client machine in compliance with the rule.
  - 20. ) A system as in claim 19, wherein:
    - a. the registry rule comprises directives for the client control software control to direct the Client control software control to check for a specific key value in a registry of an operating system;
      
      b. the process rule comprises directives for the client control software control to direct the client control software control to check whether a process is executing in the requesting active device;
      
      c. the file exist rule comprises directives for the client control software control to direct the client control software control to check for the existence of a given file at the requesting active device;
      
      d. the file property rule comprises directives for the client control software control to direct the client control software control to check for specific properties of a given file at the requesting active device, the file property rule further comprising at least one of (i) a version indicator, (ii) a date/time indicator, or (iii) an attribute indicator;
      
      e. the named section rule comprises directives for the client control software control to direct the client control software control to check for an named section value in a rule file; and
      
      f. the command rule comprises directives for the client control software control to direct the client control software control to run a specified command on the client machine.

21. ) A method of managing access to a data network or active devices operatively connected to the data network, comprising:
- a. determining by a service station if a requesting active device possesses a state of a predetermined characteristic of the requesting active device which is acceptable to a dynamically definable rule comprising a criterion for that state; and
  
  b. allowing access to a responding active device by the requesting active device only if the state of the predetermined characteristic is acceptable to the criterion for that state.
- View Dependent Claims (22, 31, 32, 33)
- - 22. ) A method according to claim 21, further comprising:
    - a. providing the requesting active device with a resource to allow a change to the state to satisfy the criterion if the state is not acceptable to the criterion for that state.
  - 31. ) A method as in claim 22, further comprising:
    - a. pinging by the router control server of the requesting active device;
      
      b. waiting for a response from the requesting active device by the router control server;
      
      c. using telnet by the requesting active device to the router to pass the supplied user name and password;
      
      d. verifying by the router of the user name and password by the router control server;
      
      e. creating by the router of a dynamic access list for a verified active device;
      
      f. receiving a ping reply by the router control server from the verified active device; and
      
      g. updating by the router control server of client status in the IP Address database.
  - 32. ) A method as in claim 22, further comprising:
    - a. deleting by the router control server of a user name from a list of active users;
      
      b. disconnecting of the requesting active device from the second data network;
      
      c. after the requesting active device is disconnected, refusing to receive ping replies by the router control server from the requesting active device;
      
      d. using telnet by the router control server to the router to remove the access list for the requesting active device; and
      
      e. removing by the router control server of the IP address of the requesting active device from the database.
  - 33. ) A method as in claim 22, further comprising:
    - a. determining if a desired component exists at the first active device;
      
      b. determining a predetermined characteristic of the component if it exists; and
      
      c. updating the component if the predetermined characteristic is not at an acceptable level.

23. ) A method of managing access, comprising:
- a. receiving a request at a router, operative to communicate with a first data network, from a first active device operative to communicate with the data network, the request comprising a request to access at least one of (i) a second data network, (ii) a second active device operative to communicate with the first data network, or (iii) a second active device operative to communicate with the second data network;
  
  b. blocking further access by the router of the first active device;
  
  c. forwarding the request for access by the router to a service station;
  
  d. sending of a request for information by the service station to the first active device, the request for information comprising a dynamically definable rule; and
  
  e. allowing access through the router to the second active device only if the first active device returns an acceptable response to the request for information.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. ) A method as in claim 23, further comprising:
    - a. using a predefined protocol by the access router to forward data to a service station.
  - 25. ) A method as in claim 24, wherein:
    - a. the predefined protocol comprises network address translation.
  - 26. ) A method as in claim 23, further comprising:
    - a. sending a new client message by the service station to a router control server message queue controlled by a router control server, the router control server operative to communicate with the router and the service station; and
      
      b. updating by router control server of an IP Address database with the address of a connection request from the requesting active device.
  - 27. ) A method as in claim 26, further comprising:
    - a. sending a client accept message by the router control server to a service station message queue managed by the service station;
      
      b. determining if a connection currently exists between the router and the requesting active device; and
      
      c. clearing of the connection if it exists by the router control server from the router.
  - 28. ) A method as in claim 23, further comprising:
    - a. providing a welcome page containing an ActiveX control by the service station to the requesting active device; and
      
      b. examining a predetermined set of characteristics of the requesting active device using the Active X control according to at least one rule accessible to the Active X control.
  - 29. ) A method as in claim 23, further comprising:
    - a. redirecting software executing in the requesting active device to a predetermined page accessible on the service station; and
      
      b. using client control software to pass a confirmation code to the service station.
  - 30. ) A method as in claim 23, further comprising:
    - a. sending a message by the service station to the router control server message queue;
      
      b. updating by the router control server of the IP Address database with the an IP address of a requesting active device upon a successful scan of the requesting active device by client control software;
      
      c. creating by the router control server of a new user account in a router list of acceptable active devices;
      
      d. sending by the router control server of a connection approval message to the service station message queue; and
      
      e. presenting by the service station of a user name and password to software executing at the requesting active device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Parent, Robert M., Tilton, Earl W., Morehead, Mark K., Beane, Tommy L.

Granted Patent

US 7,315,890 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/303   Terminal profiles

H04L 67/34   involving the movement of s...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

System and method for managing access to active devices operably connected to a data network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing access to active devices operably connected to a data network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links