SYSTEM, MOBILE NODE, NETWORK ENTITY, METHOD, AND COMPUTER PROGRAM PRODUCT FOR NETWORK FIREWALL CONFIGURATION AND CONTROL IN A MOBILE COMMUNICATION SYSTEM

US 20070067838A1
Filed: 09/19/2006
Published: 03/22/2007
Est. Priority Date: 09/19/2005
Status: Abandoned Application

First Claim

Patent Images

1. A system for providing firewall protection for a wireless communication network, the system comprising:

a mobile node;

a firewall disposed along a communications path between the mobile node and an outside node, wherein the firewall is capable of controlling transmission of data between the outside node and the mobile node through a pinhole; and

a network entity capable of determining a connection of the mobile node to the wireless communication network, the network entity further capable of accessing a firewall profile associated with the mobile node, the firewall profile comprising at least one predefined static pinhole, the network entity further capable of instructing the firewall to open a pinhole corresponding to the at least one predefined static pinhole.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, mobile node, network entity, method and computer program product for providing firewall protection for a wireless communication network are provided in which a firewall profile is accessed by the network entity when a mobile node connects to the network. The firewall profile defines a list of static firewall pinholes which are opened in a firewall by the network entity. The mobile node may open additional pinholes dynamically. The opened pinholes are closed by the network entity when the mobile node disconnects from the network.

Citations

40 Claims

1. A system for providing firewall protection for a wireless communication network, the system comprising:
- a mobile node;
  
  a firewall disposed along a communications path between the mobile node and an outside node, wherein the firewall is capable of controlling transmission of data between the outside node and the mobile node through a pinhole; and
  
  a network entity capable of determining a connection of the mobile node to the wireless communication network, the network entity further capable of accessing a firewall profile associated with the mobile node, the firewall profile comprising at least one predefined static pinhole, the network entity further capable of instructing the firewall to open a pinhole corresponding to the at least one predefined static pinhole.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the firewall is further capable of receiving a dynamic pinhole request from the mobile node, wherein the firewall is further capable of transmitting an authentication request, wherein the firewall is further capable of receiving a successful authentication, and wherein the firewall is further capable of opening a pinhole corresponding to the dynamic pinhole request in response to the successful authentication of the mobile node.
  - 3. The system of claim 1, further comprising a plurality of firewalls, wherein the plurality of firewalls are capable of performing a pinhole synchronization such that any pinhole opening in at least one firewall is opened in all of the firewalls.
  - 4. The system of claim 1, wherein the firewall is further capable of closing at least one pinhole in response to a request from the mobile node.
  - 5. The system of claim 4, wherein the firewall profile further comprises all network identifiers corresponding to the mobile node.
  - 6. The system of claim 5, wherein, if the firewall receives a request from the mobile node to close the pinhole using a second network identifier different than a first network identifier that was used by the mobile node to request to open the pinhole, the firewall is further capable of sending a verification request to the network entity to determine if the first and second network identifiers both correspond to the mobile node.
  - 7. The system of claim 6, wherein the network entity closes the pinhole when it is determined that the first and second network identifiers both correspond to the mobile node.
  - 8. The system of claim 7, wherein the network entity keeps the pinhole open when it is determined that the first and second network identifiers do not correspond to the mobile node and wherein the network entity closes the pinhole when the mobile node disconnects from the wireless communication network.
  - 9. The system of claim 6, wherein the network entity closes the pinhole when it is determined that the first and second network identifiers do not correspond to the mobile node and wherein it is determined that the first and second network identifiers correspond to another network entity that is authorized to act on behalf of the mobile node.
  - 10. The system of claim 6, wherein the network entity closes the pinhole when it is determined that the first and second network identifiers both correspond to the mobile node and wherein when the first and second network identifiers do not correspond to the mobile node, the network entity closes the pinhole when it is determined that another network entity is authorized to perform one or more actions on behalf of the mobile node.
  - 11. The system of claim 1, further comprising one or more additional mobile nodes, wherein when the network entity determines that the mobile node, or the one or more additional mobile nodes, is connected to the wireless communication network, the network entity opens one or more pinholes, corresponding to the mobile node or the one or more additional mobile nodes, in the firewall based on data contained in the firewall profile or a dynamic pinhole request received from the mobile node or the one or more additional mobile nodes.
  - 12. The system of claim 11, wherein when the mobile node, or the one or more additional mobile nodes, is no longer connected to the wireless communication network, the network entity closes a corresponding one of the one or more pinholes in the firewall.

13. A method for providing firewall protection for a wireless communication network, the method comprising:
- controlling transmission of data between an outside node and a mobile node through a pinhole in a firewall that is disposed along a communications path between the mobile node and the outside node;
  
  determining a connection of the mobile node to the wireless communication network;
  
  accessing a firewall profile associated with the mobile node, the firewall profile comprising at least one predefined static pinhole; and
  
  instructing the firewall to open a pinhole corresponding to the at least one predefined static pinhole.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, further comprising:
    - receiving a dynamic pinhole request from the mobile node;
      
      transmitting an authentication request;
      
      receiving a successful authentication; and
      
      opening a pinhole corresponding to the dynamic pinhole request in response to the successful authentication of the mobile node.
  - 15. The method of claim 13, further comprising:
    - performing a pinhole synchronization among a plurality of firewalls such that any pinhole opening in at least one firewall is opened in all of the firewalls.
  - 16. The method of claim 13, further comprising:
    - closing at least one pinhole in response to a request from the mobile node.
  - 17. The method of claim 16, wherein the firewall profile further comprises all network identifiers corresponding to the mobile node.
  - 18. The method of claim 17, further comprising:
    - receiving a request from the mobile node to close the pinhole using a second network identifier different than a first network identifier that was used by the mobile node to request to open the pinhole; and
      
      sending a verification request to determine if the first and second network identifiers both correspond to the mobile node.
  - 19. The method of claim 18 further comprising, closing the pinhole when it is determined that the first network identifier and the second network identifier both correspond to the mobile node.
  - 20. The method of claim 18, further comprising:
    - keeping the pinhole open when it is determined that the first and second network identifiers do not correspond to the mobile node; and
      
      closing the pinhole when the mobile node disconnects from the wireless communication network.
  - 21. The method of claim 18, further comprising closing the pinhole when the network entity determines that the first and second network identifiers do not correspond to the mobile node and wherein when it is determined that the first and second network identifiers correspond to another network entity that is authorized to act on behalf of the mobile node.
  - 22. The method of claim 18, further comprising:
    - closing the pinhole when it is determined that the first and second network identifiers both correspond to the mobile node; and
      
      closing the pinhole when it is determined that the first and second network identifiers do not correspond to the mobile node, and when it is determined that another network entity is authorized to perform one or more actions on behalf of the mobile node.
  - 23. The method of claim 13, further comprising:
    - disposing the firewall along the communications path between one or more additional mobile nodes and at least one outside node;
      
      determining that the mobile node, or the one or more additional mobile nodes, is connected to the wireless communication network; and
      
      opening the one or more pinholes, corresponding to the mobile node or the one or more additional mobile nodes, in the firewall based on data contained in the firewall profile or a dynamic pinhole request from the mobile node or the one or more additional mobile nodes.
  - 24. The method of claim 23, further comprising:
    - determining that the mobile node, or the one or more additional mobile nodes, is no longer connected to the wireless communication network; and
      
      closing a corresponding one of the one or more pinholes in the firewall.

25. A computer program product for providing firewall protection for a wireless communication network, the computer program product comprising at least one computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
- a first executable portion for controlling transmission of data between an outside node and a mobile node through a pinhole in a firewall that is disposed along a communications path between the mobile node and the outside node;
  
  a second executable portion for determining a connection of the mobile node to the wireless communication network;
  
  a third executable portion for accessing a firewall profile associated with the mobile node, the firewall profile comprising at least one predefined static pinhole; and
  
  a fourth executable portion for instructing the firewall to open a pinhole corresponding to the at least one predefined static pinhole.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The computer program product according to claim 25, further comprising:
    - a fifth executable portion for receiving a dynamic pinhole request from the mobile node;
      
      a sixth executable portion for transmitting an authentication request;
      
      a seventh executable portion for receiving a successful authentication; and
      
      an eighth executable portion for opening a pinhole corresponding to the dynamic pinhole request in response to the successful authentication of the mobile node.
  - 27. The computer program product according to claim 25, further comprising a fifth executable portion for performing a pinhole synchronization among a plurality of firewalls such that any pinhole opening in at least one firewall is opened in all of the firewalls.
  - 28. The computer program product according to claim 25, further comprising a fifth executable portion for closing at least one pinhole in response to a request from the mobile node.
  - 29. The computer program product according to claim 28, wherein the firewall profile further comprises all network identifiers corresponding to the mobile node.
  - 30. The computer program product according to claim 29, further comprising:
    - a sixth executable portion for receiving a request from the mobile node to close the pinhole using a second network identifier different than a first network identifier that was used by the mobile node to request to open the pinhole; and
      
      a seventh executable portion for sending a verification request to determine if the first and second network identifiers both correspond to the mobile node.
  - 31. The computer program product according to claim 30, further comprising an eighth executable code for closing the pinhole when it is determined that the first and second network identifiers both correspond to the mobile node.
  - 32. The computer program product according to claim 30, further comprising:
    - an eighth executable portion for keeping the pinhole open when it is determined that the first and second network identifiers do not correspond to the mobile node and;
      
      a ninth executable portion for closing the pinhole when the mobile node disconnects from the wireless communication network.
  - 33. The computer program product according to claim 30, further comprising an eighth executable portion for closing the pinhole when the network entity determines that the first and second network identifiers do not correspond to the mobile node and wherein when it is determined that the first and second network identifiers correspond to another network entity that is authorized to act on behalf of the mobile node.
  - 34. The computer program product according to claim 30, further comprising:
    - an eighth executable portion for closing the pinhole when it is determined that the first and second network identifiers both correspond to the mobile node; and
      
      a ninth executable portion for closing the pinhole when it is determined that the first and second network identifiers do not correspond to the mobile node, and when it is determined that another network entity is authorized to perform one or more actions on behalf of the mobile node.
  - 35. The computer program product according to claim 25, further comprising:
    - a fifth executable portion for disposing the firewall along the communications path between one or more additional mobile nodes and at least one outside node;
      
      a sixth executable portion for determining that the mobile node, or the one or more additional mobile nodes, is connected to the wireless communication network; and
      
      a seventh executable portion for opening the one or more pinholes, corresponding to the mobile node or the one or more additional mobile nodes, in the firewall based on data contained in the firewall profile or a dynamic pinhole request from the mobile node or the one or more additional mobile nodes.
  - 36. The computer program product according to claim 35, further comprising:
    - an eighth executable portion for determining that the mobile node, or the one or more additional mobile nodes, is no longer connected to the wireless communication network; and
      
      a ninth executable portion for closing a corresponding one of the one or more pinholes in the firewall.

37. A network element for providing firewall protection for a wireless communication network, the network element comprising a processing element configured to:
- determine a connection of a mobile node to the wireless communication network;
  
  access a firewall profile associated with the mobile node, the firewall profile comprising at least one predefined static pinhole; and
  
  instruct the firewall to open a pinhole corresponding to the at least one predefined static pinhole.
- View Dependent Claims (38, 39, 40)
- - 38. The network element according to claim 37, wherein the processing element is further configured to:
    - receive a request from the mobile node to close at least one pinhole using a second network identifier different than a first network identifier that was used by the mobile node to request to open the at least one pinhole; and
      
      receive a verification request from the firewall to determine if the first and second network identifiers both correspond to the mobile node.
  - 39. The network element according to claim 38, wherein the processing element is further configured to close the at least one pinhole when it is determined that the first and second network identifiers both correspond to the mobile node.
  - 40. The network element according to claim 39, wherein the processing element is further configured to:
    - keep the at least one pinhole open when it is determined that the first and second network identifiers do not correspond to the mobile node; and
      
      close the at least one pinhole when the mobile node disconnects from the wireless communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Bajko, Gabor

Application Number

US11/533,218
Publication Number

US 20070067838A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04W 12/06   Authentication

SYSTEM, MOBILE NODE, NETWORK ENTITY, METHOD, AND COMPUTER PROGRAM PRODUCT FOR NETWORK FIREWALL CONFIGURATION AND CONTROL IN A MOBILE COMMUNICATION SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, MOBILE NODE, NETWORK ENTITY, METHOD, AND COMPUTER PROGRAM PRODUCT FOR NETWORK FIREWALL CONFIGURATION AND CONTROL IN A MOBILE COMMUNICATION SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links