System and methodology for managing internet access on a per application basis for client computers connected to the internet

US 5,987,611 A
Filed: 05/06/1997
Issued: 11/16/1999
Est. Priority Date: 12/31/1996
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. In a system comprising a plurality of client computers connected to a network and having Internet access, a method for managing Internet access for a particular client computer, the method comprising:

providing at the particular client computer a client monitoring process;

providing at another computer on the network a supervisor process, said supervisor process specifying rules which govern Internet access by the client computers;

transmitting at least a subset of said rules to the particular client computer;

at the client monitoring process, trapping a request for Internet access from the particular client computer; and

processing the request for Internet access by performing substeps of;

(i) determining whether the request for Internet access violates any of the rules transmitted to the particular client computer, and(ii) if the request for Internet access violates any of the rules transmitted to the particular client computer, denying the request for Internet access.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A computing environment with methods for monitoring access to an open network, such as a WAN or the Internet, is described. The system includes one or more clients, each operating applications or processes (e.g., Netscape Navigator™ or Microsoft Internet Explorer™ browser software) requiring Internet (or other open network) access (e.g., an Internet connection to one or more Web servers). Client-based monitoring and filtering of access is provided in conjunction with a centralized enforcement supervisor. The supervisor maintains access rules for the client-based filtering and verifies the existence and proper operation of the client-based filter application. Access rules which can be defined can specify criteria such as total time a user can be connected to the Internet (e.g., per day, week, month, or the like), time a user can interactively use the Internet (e.g., per day, week, month, or the like), a list of applications or application versions that a user can or cannot use in order to access the Internet, a list of URLs (or WAN addresses) that a user application can (or cannot) access, a list of protocols or protocol components (such as Java Script™) that a user application can or cannot use, and rules to determine what events should be logged (including how long are logs to be kept). By intercepting process loading and unloading and keeping a list of currently-active processes, each client process can be checked for various characteristics, including checking executable names, version numbers, executable file checksums, version header details, configuration settings, and the like. With this information, the system can determine if a particular process in question should have access to the Internet and what kind of access (i.e., protocols, Internet addresses, time limitations, and the like) is permissible for the given specific user.

Citations

30 Claims

1. In a system comprising a plurality of client computers connected to a network and having Internet access, a method for managing Internet access for a particular client computer, the method comprising:
- providing at the particular client computer a client monitoring process;
  
  providing at another computer on the network a supervisor process, said supervisor process specifying rules which govern Internet access by the client computers;
  
  transmitting at least a subset of said rules to the particular client computer;
  
  at the client monitoring process, trapping a request for Internet access from the particular client computer; and
  
  processing the request for Internet access by performing substeps of;
  
  (i) determining whether the request for Internet access violates any of the rules transmitted to the particular client computer, and(ii) if the request for Internet access violates any of the rules transmitted to the particular client computer, denying the request for Internet access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the particular client computer includes a communication driver for processing requests for Internet access and wherein said step of providing at the particular client computer a client monitoring process comprises:
    - providing at the particular client computer a process which traps at the communication driver requests for Internet access.
  - 3. The method of claim 1, wherein said step of providing at the particular client computer a client monitoring process includes:
    - installing at the particular client computer a client monitoring process which executes anytime the communication driver processes requests for Internet access.
  - 4. The method of claim 1, wherein said another computer includes a server computer connected to the network.
  - 5. The method of claim 1, wherein said another computer includes another client computer connected to the network.
  - 6. The method of claim 1, wherein said rules transmitted to the particular client computer specify whether the particular client computer is allowed any Internet access.
  - 7. The method of claim 1, wherein said rules transmitted to the particular client computer specify which applications are allowed Internet access.
  - 8. The method of claim 1, wherein said rules transmitted to the particular client computer specify a particular type of Internet access which is allowed.
  - 9. The method of claim 1, wherein said system includes a "firewall" application for selectively blocking Internet access and wherein said substep of denying the request for Internet access includes:
    - instructing said firewall application to block Internet access for the particular client computer.
  - 10. The method of claim 9, wherein said firewall application operates independently to block Internet access for any client according to rules specified for the firewall application.
  - 11. The method of claim 1, wherein said rules which govern Internet access by the client computers include rules which are enforced against selected ones of users, computers, and groups thereof.
  - 12. The method of claim 11, wherein said transmitting at least a subset of said rules step includes:
    - determining, based on identification of users, computers, or groups thereof and for which rules have been defined, a subset of said rules filtered for a given user at the particular client computer.
  - 13. The method of claim 12, wherein said users are identified by user name.
  - 14. The method of claim 12, wherein said computers are identified by Internet Protocol (IP) addresses.
  - 15. The method of claim 1, wherein said transmitting at least a subset of said rules to the particular client computer includes:
    - transmitting a set of default rules for the particular client, if no particular rules are already defined for the client.

16. In a system comprising a plurality of client computers connected to a network and having Internet access, a method for managing Internet access for a particular client computer on a per application basis, the method comprising:
- storing at a supervisor computer a list of applications and versions thereof defining which applications are permitted Internet access;
  
  transmitting said list from the supervisor computer to the client computer;
  
  at the client computer, trapping a request for Internet access from a particular application;
  
  based on said list, determining whether the request for Internet access is from an application or version thereof which is permitted Internet access; and
  
  if the request for Internet access is from an application or version thereof which is not permitted Internet access, blocking Internet access for the application.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The method of claim 16, wherein said storing step includes:
    - storing with a supervisor process executing on a server computer connected to the network the list of applications and versions thereof which are permitted Internet access.
  - 18. The method of claim 16, wherein said storing step includes:
    - storing with a supervisor process executing on another client computer connected to the network the list of applications and versions thereof which are permitted Internet access.
  - 19. The method of claim 16, wherein said list includes executable names and version numbers for applications which are permitted Internet access.
  - 20. The method of claim 16, wherein said list includes executable names and version numbers for applications which are not permitted Internet access.
  - 21. The method of claim 16, wherein said list includes Internet access activities which are permitted or restricted for applications or versions thereof.
  - 22. The method of claim 21, wherein Internet access activities comprise use of particular communication protocols.
  - 23. The method of claim 22, wherein said communication protocols include at least one of Hypertext Transport Protocol (HTTP) and File Transport Protocol (FTP).
  - 24. The method of claim 22, wherein said communication protocols include an e-mail protocol.
  - 25. The method of claim 16, wherein said Internet access activities comprise at least one of browsing activity and e-mail activity.

26. A computer system regulating access by client computers comprising:
- a plurality of client computers which can connect to at least one open network;
  
  supervisor means provided at a computer which is in communication with each client computer to be regulated, said supervisor means including a database of enforcement rules governing access of client computers to said at least one open network;
  
  means for transferring rules from the database of enforcement rules to each computer requiring access to said at least one open network and which is to be regulated; and
  
  monitoring means provided at each client computer which is to be regulated, for selectively blocking access to said at least one open network based on said transferred rules.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The system of claim 26, further comprising:
    - means for selectively blocking access based on properties of applications executing at said client computers which attempt access to said at least one open network.
  - 28. The system of claim 27, wherein said properties of applications include version and executable name for each application.
  - 29. The system of claim 27, wherein said properties of applications include types of activities which applications are either allowed to perform or restricted from performing.
  - 30. The system of claim 29, wherein said types of activities include at least one of using e-mail and browsing.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Zone Labs Inc. (Check Point Software Technologies Limited)
Inventors
Freund, Gregor
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Elmore, Stephen C.

Application Number

US08/851,777
Time in Patent Office

924 Days
Field of Search

395/187.01, 395/186, 364/222.5, 364/286.4, 364/286.5, 711/163, 707/9, 707/10, 707/203, 713/200, 713/201
US Class Current

726/4
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/2874   Processing of data for dist...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/0817   by checking functioning

H04L 63/0263   Rule management

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

System and methodology for managing internet access on a per application basis for client computers connected to the internet

First Claim

5 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and methodology for managing internet access on a per application basis for client computers connected to the internet

First Claim

5 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links