Personal remote firewall

US 20050060328A1
Filed: 08/30/2004
Published: 03/17/2005
Est. Priority Date: 08/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method of a virtual private network (VPN) gateway server (10) providing rules for wireless access over a secure tunnel connection to a corporate network (20), the method including:

configuring a user database (15, 25) of the server to provide user specific rules for the access over the secure tunnel connection, the configuring including associating different specific users with respective sets of allowed TCP server ports;

authenticating a user connecting to the secure tunnel connection; and

limiting the authenticated user'"'"'s access to the corporate network (20) by forwarding only user data received in the secure tunnel that as destination has a port that is included by the set of allowed TCP server ports associated with the user in the user database (15, 25).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method and a virtual private network (VPN) gateway server 10 providing rules for wireless access over a secure tunnel connection to a corporate network 20. The corporate network 20 is protected by firewall functionality, with different access configurations for different remote users. The VPN gateway server 10 includes a user database 15 which provides rules specific for each user for the access to the corporate network 20 using the secure tunnel. The rules include specific sets of TCP ports associated with respective specific users. The gateway server 10 limits an authenticated user'"'"'s access to the corporate network 20, which access is performed by means of the tunnel connection provided by the gateway server 10, to the associated allowed TCP server ports.

76 Citations

View as Search Results

24 Claims

1. A method of a virtual private network (VPN) gateway server (10) providing rules for wireless access over a secure tunnel connection to a corporate network (20), the method including:
- configuring a user database (15, 25) of the server to provide user specific rules for the access over the secure tunnel connection, the configuring including associating different specific users with respective sets of allowed TCP server ports;
  
  authenticating a user connecting to the secure tunnel connection; and
  
  limiting the authenticated user'"'"'s access to the corporate network (20) by forwarding only user data received in the secure tunnel that as destination has a port that is included by the set of allowed TCP server ports associated with the user in the user database (15, 25).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as claimed in claim 1, including configuring the secure tunnel to be bound to a specific TCP server port of the gateway server (10).
  - 3. The method as claimed in claim 1, wherein said configuring step includes configuring the user database (15, 25) to associate an allowed TCP server port number of a specific user with a specific IP address within the corporate network, the method including forwarding user data received in the secure tunnel to the IP address associated with an allowed TCP server port.
  - 4. The method as claimed in claim 1, including forwarding user data received in the secure tunnel to an allowed TCP server port over a separate TCP connection, in which connection the gateway server acts as a client.
  - 5. The method as claimed in claim 4, wherein said configuring step includes configuring the user database to associate the same allowed TCP server port number of different users with different IP addresses within the corporate network.
  - 6. The method as claimed in claim 1, wherein the allowed TCP server ports associated with a specific user are allowed client side TCP server ports, said configuring step including configuring the user database (25) to associate an allowed client side TCP server port with a server side TCP server port, the method including forwarding user data received in the secure tunnel to a server side TCP server port associated with an allowed client side TCP server port over a separate TCP connection, in which connection the gateway server (10) acts as a client.
  - 7. The method as claimed in claim 6, wherein said configuring step includes configuring the user database (25) to associate different allowed client side TCP server ports, which are associated with a specific user, with the same server side TCP port but with different respective IP addresses, the method including forwarding user data received in the secure tunnel to the IP address associated with an allowed client side TCP server port.
  - 8. The method as claimed in claim 7, wherein the configuring step includes configuring the database (25) to associate different allowed client side TCP server ports with server side TCP server ports of different electronic mail servers having respective IP addresses.
  - 9. The method as claimed in claim 6, wherein the configuring step includes configuring the database (25) to associate an allowed client side TCP server port with a server side TCP server port and IP address of a corporate DNS server within the corporate network.
  - 10. The method as claimed in claim 1, including the step of transmitting to the authenticated user, over the secure tunnel, the set of allowed TCP server ports that are associated with the authenticated user in the user database (15, 25).
  - 11. The method as claimed in claim 10, wherein the configuring step includes configuring the user database (15, 25) to associate a port specific protocol with an allowed TCP server port, which port specific protocol is transmitted together with the allowed TCP server port to the authenticated user.

12. A virtual private network (VPN) gateway server (10) providing rules for wireless access over a secure tunnel connection to a corporate network (20), the server (10) including:
- a user database (15, 25) providing user specific rules for the access over the secure tunnel connection by storing associations between different specific users and respective sets of allowed TCP server ports;
  
  authenticating means (11) for authenticating a user connecting to the secure tunnel connection; and
  
  port filtering means (12) for limiting the authenticated user'"'"'s access to the corporate network (20) by forwarding only user data received in the secure tunnel that as destination has a port that is included by the set of allowed TCP server ports associated with the user in the user database (15, 25).
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 13. The gateway server as claimed in claim 12, wherein the secure tunnel is bound to a specific TCP server port of the gateway server (10).
  - 14. The gateway server as claimed in claim 12, wherein the user database (15, 25) associates an allowed TCP server port number of a specific user with a specific IP address within the corporate network, the port filtering means being arranged for forwarding user data received in the secure tunnel to the IP address associated with an allowed TCP server port.
  - 15. The gateway server as claimed in claim 12, wherein the port filtering means is arranged for forwarding user data received in the secure tunnel to an allowed TCP server port over a separate TCP connection, in which connection the gateway server acts as a client.
  - 16. The gateway server as claimed in claim 15, wherein the user database associates the same allowed TCP server port number of different users with different IP addresses within the corporate network.
  - 17. The gateway server as claimed in claim 12, wherein the allowed TCP server ports associated with a specific user are allowed client side TCP server ports, said user database (25) associating an allowed client side TCP server port with a server side TCP server port, the port filtering means being further arranged for forwarding user data received in the secure tunnel to a server side TCP server port associated with an allowed client side TCP server port over a separate TCP connection, in which connection the gateway server (10) acts as a client.
  - 18. The gateway server as claimed in claim 17, wherein the user database (25) associates different allowed client side TCP server ports, which are associated with a specific user, with the same server side TCP port but with different respective IP addresses, wherein the port filtering means is arranged for forwarding user data received in the secure tunnel to the IP address associated with an allowed client side TCP server port.
  - 19. The gateway server as claimed in claim 18, wherein the user database (25) associates different allowed client side TCP server ports with server side TCP server ports of different electronic mail servers having respective IP addresses.
  - 20. The gateway server as claimed in claim 17, wherein the user database (25) associates an allowed client side TCP server port with a server side TCP server port and IP address of a corporate DNS server within the corporate network.
  - 21. The gateway server as claimed in claim 12, including transmitting means for transmitting to the authenticated user, over the secure tunnel, the set of allowed TCP server ports that are associated with the authenticated user in the user database (15, 25).
  - 22. The gateway server as claimed in claim 21, wherein the user database (15, 25) associates a port specific protocol with an allowed TCP server port, said transmitting means being arranged for transmitting the port specific protocol together with the allowed TCP server port to the authenticated user.
  - 23. A virtual private network (VPN) system including:
    - a corporate network (20);
      
      a virtual private network (VPN) gateway server (10) in accordance with claim 12 for providing wireless access over a secure tunnel connection to the corporate network (20); and
      
      at least one wireless client terminal (40), wherein the client terminal is configured to use a specific TCP server port and IP address when connecting to the VPN gateway server (10) over the tunnel connection and a specific set of TCP server ports within the tunnel connection when accessing the corporate network (20).
  - 24. The system as claimed in claim 23, wherein the wireless client terminal (40) is configured to receive the TCP server ports, to be used within the tunnel connection, from the gateway server (10) in response to an authentication message transmitted to the gateway server (10).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Stenvall, Jyrki, Suhonen, Harri, Lassila, Ari

Granted Patent

US 7,734,647 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

Personal remote firewall

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

76 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Personal remote firewall

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others