Integration of social network information and network firewalls

US 20070250922A1
Filed: 04/21/2006
Published: 10/25/2007
Est. Priority Date: 04/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method of operating a firewall associated with a computer comprising:

monitoring an invitation sent to a first network endpoint inviting the first network endpoint to connect to a second network endpoint hosted on the computer;

extracting information from the invitation; and

establishing a firewall setting in accordance with information extracted from the invitation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall functions normally to pass data on open ports to a respective service or endpoint associated with an open port. Invitations may sent to from an internal endpoint to an external peer-to-peer network endpoint inviting a connection back to the internal endpoint. Rather than leave ports open in a firewall for such connections, an invitation manager analyzes the invitation and in real time programs an exception in the firewall based on the invitation. The exceptions may be programmed for a limited duration, based on the nature of the internal endpoint. When an authenticated connection is required, a public key or handle to a public key for the external endpoint may be passed to the firewall for use in establishing the connection.

Citations

20 Claims

1. A method of operating a firewall associated with a computer comprising:
- monitoring an invitation sent to a first network endpoint inviting the first network endpoint to connect to a second network endpoint hosted on the computer;
  
  extracting information from the invitation; and
  
  establishing a firewall setting in accordance with information extracted from the invitation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein extracting information from the invitation comprises extracting first network endpoint address information from the invitation.
  - 3. The method of claim 2, further comprising:
    - comparing the first network endpoint address information with a list of approved addresses; and
      
      establishing a firewall setting comprises setting an exception in the firewall allowing access via the firewall when the first network endpoint address information matches an entry from the list of approved addresses.
  - 4. The method of claim 2, wherein the first network endpoint address information comprises one of an IP Address and an authenticatable identifier of an entity.
  - 5. The method of claim 1, wherein extracting information from the invitation comprises extracting first network endpoint address information from the invitation and further comprising:
    - comparing the address information with a list of non-approved addresses; and
      
      establishing a firewall setting comprises denying access via the firewall when the address information matches an entry from the list of non-approved addresses.
  - 6. The method of claim 1, wherein monitoring the invitation comprises monitoring the invitation at one of an invitation subsystem of an operating system, a subsystem of the firewall, and a subsystem of the application issuing invitations.
  - 7. The method of claim 1, wherein extracting the information from the invitation comprises extracting cryptographic matter from the invitation, wherein establishing the firewall setting comprises setting the firewall exception to require an authenticated and secured connection with the first network endpoint.
  - 8. The method of claim 1, wherein extracting the information from the invitation comprises extracting application information from the invitation and no cryptographic matter, wherein an application-level exception is made for accepting traffic from the first network endpoint.
  - 9. The method of claim 1, wherein extracting the information from the invitation comprises extracting application information from the invitation and no cryptographic matter, wherein an application-level exception is made for accepting traffic from any network endpoint.
  - 10. The method of claim 1, wherein extracting the information from the invitation comprises extracting application information from the invitation and establishing the firewall setting comprises setting a validity period for the exception.

11. A firewall adapted to accept event-based programming comprising:
- an internal port for bidirectional transmission of data with a first endpoint on an internal network;
  
  a network interface for bidirectional transmission of data with a second endpoint on an external network; and
  
  a traffic manager, coupled between the network interface and the internal port, that controls data traffic from the network port to the internal port responsive to an invitation sent from the first endpoint to the second endpoint on the external network.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The firewall of claim 11, further comprising an invitation manager that analyzes the invitation for at least one criteria and directs the traffic manager to pass or block the data traffic.
  - 13. The firewall of claim 12, wherein the invitation manager is further operable to direct the traffic manager to require an authenticated and secured connection before passing the data traffic.
  - 14. The firewall of claim 11, further comprising a configuration function for receiving instructions for controlling data traffic from a network invitation manager.
  - 15. The firewall of claim 14, wherein the instructions comprise one of requiring the firewall to open an exception for all endpoints, requiring the firewall to open an authenticated and secured connection-only exception for the second endpoint, or requiring the firewall to block data traffic from the second endpoint.
  - 16. The firewall of claim 15, wherein the instructions comprise a duration for one of the exceptions.

17. A computer programmed to support a network invitation function comprising:
- a network connection supporting traffic on a network;
  
  a processor coupled to the network connection; and
  
  a computer-readable medium storing computer executable modules comprising;
  
  a first module for monitoring an invitation sent from the computer to an endpoint on the network;
  
  a second module for determining to allow or block network traffic from the endpoint based on information in the invitation; and
  
  a third module for setting a limited duration period for a response from the endpoint when the second module determines to allow the network traffic.
- View Dependent Claims (18, 19, 20)
- - 18. The computer of claim 17, wherein the second module determines to allow or block the network traffic from the endpoint after comparing an indicia in the invitation to list of approved endpoints.
  - 19. The computer of claim 17, wherein the second module determines to allow network traffic from the endpoint when the invitation contains cryptographic material that allows establishing an authenticated and secured connection.
  - 20. The computer of claim 17, wherein the cryptographic material comprises one of a public key or a public key infrastructure certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Horton, Noah, Singhal, Sandeep

Granted Patent

US 8,122,492 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0254 Stateful filtering

H04L 63/029 Firewall traversal, e.g. tu...

Integration of social network information and network firewalls

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Integration of social network information and network firewalls

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links