BROWSER ACCESS CONTROL

US 20100077444A1
Filed: 09/23/2008
Published: 03/25/2010
Est. Priority Date: 09/23/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

receiving at a processing node a request for a domain from a client browser;

determining at the processing node whether the request for the domain includes browser authorization data;

if the request for the domain includes the browser authorization data, then allowing the request;

if the request for the domain does not include the browser authorization data, then;

providing a configuration page to the client browser, the configuration page including a configuration script that in response to execution at the client browser generates browser configuration data, the browser configuration data defining a browser configuration of the client browser;

receiving the browser configuration data from the client browser;

comparing the browser configuration data to security policy data associated with the client browser, the security policy data defining a security policy associated with the browser configuration of the client browser;

determining whether the browser configuration data complies with the security policy data based on the comparison; and

if the browser configuration data complies with the security policy data, then providing the browser authorization data to the client browser.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for a distributed security that monitors communications to manage client browser network access based upon the browser configuration of the client browser by use of a configuration script executed in the browser environment. Such management can reduce the exposure of potentially vulnerable client browsers to domains associated with malicious activity.

Citations

17 Claims

1. A computer implemented method, comprising:
- receiving at a processing node a request for a domain from a client browser;
  
  determining at the processing node whether the request for the domain includes browser authorization data;
  
  if the request for the domain includes the browser authorization data, then allowing the request;
  
  if the request for the domain does not include the browser authorization data, then;
  
  providing a configuration page to the client browser, the configuration page including a configuration script that in response to execution at the client browser generates browser configuration data, the browser configuration data defining a browser configuration of the client browser;
  
  receiving the browser configuration data from the client browser;
  
  comparing the browser configuration data to security policy data associated with the client browser, the security policy data defining a security policy associated with the browser configuration of the client browser;
  
  determining whether the browser configuration data complies with the security policy data based on the comparison; and
  
  if the browser configuration data complies with the security policy data, then providing the browser authorization data to the client browser.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the browser configuration data includes browser version data of the client browser.
  - 3. The method of claim 1, wherein the browser configuration data includes browser plugin data associated with the client browser.
  - 4. The method of claim 3, wherein the configuration script is configured to query an HTML DOM object associated with the client browser and associate the results of the query with the browser configuration data.
  - 6. The method of claim 1, wherein the request for the domain is a request for a URL.
  - 7. The method of claim 1, wherein determining at the processing node whether the request for the domain includes browser authorization data comprises determining at the processing node whether the request for the domain includes browser authorization data as a browser cookie.
  - 8. The method of claim 1, wherein the browser authorization data is a authorization token.
  - 9. The method of claim 1, further comprising:
    - if the browser configuration data does not comply with the security policy data, then providing a policy information page having compliance instructions for the client browser.
  - 10. The method of claim 1, further comprising:
    - if the browser configuration data does not comply with the security policy data, then;
      
      determining updates required to bring the browser configuration of the client browser in compliance with the security policy; and
      
      providing a policy information page that includes the updates for the client browser to comply with the security policy.
  - 11. The method of claim 1, further comprising:
    - if the browser configuration data does not comply with the security policy data, then implementing an automatic update based on the browser configuration data on the client browser, the automatic update including necessary updates to bring the browser configuration of the client browser in compliance with the security policy.
  - 12. The method of claim 1, further comprising:
    - determining at the processing node whether the request for the domain includes user authentication data; and
      
      wherein the determination of whether the request for the domain includes the browser authorization data is done before the determination of whether the request for the domain includes the user authentication data.
  - 13. The method of claim 1, wherein the configuration page provides a random token to the client browser, the method further comprising:
    - receiving at the processing node the random token from the client browser;
      
      determining at the processing node the authenticity of the random token; and
      
      if both the random token is authentic and the browser configuration data complies with the security policy data, then providing the browser authorization data to the client browser.

5. The method of 1, further comprising:
- if the request for the domain includes the browser authorization data, then;
  
  removing the browser authorization data before the request for the domain is allowed; and
  
  redirecting the request to the domain.

14. A computer implemented method, comprising:
- providing from a client browser a request for a domain to a processing node;
  
  in response to the request;
  
  receiving at the client browser a configuration page including a configuration script;
  
  executing at the client browser the configuration script to generate browser configuration data, the browser configuration data defining a browser configuration of the client browser;
  
  comparing at the client browser the browser configuration data to security policy data associated with the client browser;
  
  determining at the client browser whether the browser configuration data complies with the security policy data based on the comparison; and
  
  if the browser configuration data complies with the security policy data, then providing security policy compliance data to the processing node.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, further comprising:
    - receiving, at the client browser, browser authorization data after providing the security policy compliance data to the processing node.
  - 16. The method of claim 15, further comprising:
    - providing from the client browser the browser authorization data and the request for the domain to the processing node.

17. A network security system, comprising:
- a processing node external to network edges of an external system, the processing node comprising;
  
  a configuration processor configured to;
  
  receive a request for a domain from a client browser;
  
  determine whether the request for the domain includes browser authorization data;
  
  identify browser configuration data associated with the request for the domain from the client browser;
  
  generate the browser authorization data if the browser configuration data complies with a security policy data associated with the client browser; and
  
  provide the browser authorization data to the client browser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
FORRISTAL, JEFF

Granted Patent

US 8,286,220 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 41/0886   Fully automatic configuration

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

BROWSER ACCESS CONTROL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

BROWSER ACCESS CONTROL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links