Access control of networked data
Abstract
An access control technique to limit access to information content such as that available on the Internet. The technique is implemented within a network device such as a proxy server, router, switch, firewall, bridge or other network gateway. The access control process analyzes data in each request from the clients and determines if the request should be forwarded for processing by the server to which it is destined. Access control may be determined by comparing client source information against a database of Uniform Resource Locators (URLs), IP addresses, or other resource identification data specifying the data requested by the client. The invention therefore provides access control not based only upon content, but rather, based primarily upon the identity of the computers or users making the requests. The technique further avoids the problems of the prior art, which categorizes or filters the content of only web pages based solely upon objectionable words. This is because a category database is used by the network device to control access and is created via a process involving human editors who assist in the creation and maintenance of the category database.
27 Claims
1. A network device for controlling access by clients on a private network to a data file stored at servers in a public network, the network device being interconnected between the private and public networks, the network device comprising:
a first interface receiving a request from a client on the private network to access a data file stored at servers on the public network;
an access control processor coupled to the first interface, the access control processor analyzing data in the request from the client and determining if the request should be forwarded to the public network for processing by a server to which it is destined, the determination being made by cross referencing resource identifier information in the request with access control data in at least one access control database, the access control data containing categorized resource identifier information, the categorized resource identifier information specifying a content subject matter category to which the data file is assigned, and the categorized resource identifier information associated with each data file being assigned by prior human interpretation of the content in the data file, and then, as a result of such human interpretation, determining a subject matter category to which the data file is to be assigned, the data file stored at the servers on the public network;
a second interface coupled between the first interface and the public network and coupled to the access control processor, the second interface forwarding the requests from the first interface to the servers on the public network if the access control processor determines the request should be forwarded to the public network for processing by a server to which it is destined; and
means permitting a network administrator of the public network to control the operation of the network device.
the request includes a source designation and the resource identifier information specifies a destination of the request;
the categorized resource identifier information in the access control data is categorized by associating predetermined destinations to specific categories of content; and
the access control processor determines if the client making the request is associated with a category of content which contains a predetermined destination having a portion that is equal to the destination specified in the resource identifier information of the request.
10. The network device of claim 9, wherein the portion that is equal to the destination specified in the resource identifier information of the request is a segment of the resource identifier information.
11. The network device of claim 9, wherein the resource identifier information is an internet protocol address.
12. The network device of claim 9, wherein categorized resource identifier information in the access control database is categorized by searching for uncategorized content provided by servers located on the public network and presenting the content of the data files to humans for evaluation and categorization, the categorized content being represented in the access control database by an identification of a location of the content on servers of the public network.
13. The network device of claim 12, wherein the uncategorized content provided by the servers on the public network is discovered by a network walker process which records new content destinations as they are discovered.
14. The network device of claim 1, wherein:
the request includes a source designation and the resource identifier information specifies a destination of the request and the at least one access control database includes a group-source database and the access control processor, in determining if the request should be forwarded to the public network, matches the source designation of the request to the group-source database to determine the group of the client making the request.
15. The network device of claim 14, wherein:
the at least one access control database further includes a group-category database and the access control processor, in determining if the request should be forwarded to the public network, matches the group of the client making the request to at least one category to determine which categories of content may be accessed by that group.
16. The network device of claim 14, wherein:
at least one access control database further includes a category-destination database and the access control processor, in determining if the request should be forwarded to the public network, attempts to match the destination specified in the resource identifier information to at least one resource identifier destination listed within categories in the category-destination database, and if a match is made, the access control processor denies access to the server to which the request is destined.
17. The network device of claim 16, wherein the access control processor, in determining if the request should be forwarded to the public network, matches the group of the client making the request to at least one category having an associated block of allowed access times, to determine which categories of content may be accessed by that group and at which times.
18. A method for controlling access by clients of a private network to data files stored on servers connected in a public network, the method comprising the steps of:
at a client computer connected to the public network, searching for uncategorized data files being stored on servers connected in the public network, the data files being available on demand;
presenting a view of each selected data file in human readable form on the client computer connected to the public network;
permitting a human being to review the contents of each selected data file so presented;
determining a content rating for each data file in response to presenting the contents of the data file to a human being, the content rating being determined as a result of the human being assigning the data file to at least one content subject matter category;
storing a uniform resource locator (URL) of each data file together with the associated content subject matter categories in a category-destination database;
at an access controller connected to the private network, downloading the category-destination database;
receiving requests from client computers connected to the private network, the requests indicating data files stored on the servers of the public network;
analyzing the data in each request against the data from the category-destination database; and
determining whether to forward the request to a server of the public network for processing, the determination being made based upon the content rating of the requested data file.
examining a source of the request against a group-source database to determine a group associated with the client making the request;
examining the group associated with the client making the request against a group-category database to determine the content ratings that the group may access;
obtaining URL information from the request; and
determining if the URL information has been assigned a content rating that the group may access, and if so, allowing the request, and if not, denying the request.
20. The method of claim 18, further comprising the step of filtering contents of return data sent from servers on the public network in response to a request which is allowed.
21. The method of claim 18, wherein the URL information is an Internet Protocol (IP) address.
22. The method of claim 18, wherein the URL information is a world wide web page address.
23. The method of claim 18, wherein the URL information is a portion of a world wide web page address.
24. The method of claim 18, wherein the downloading is automatically performed at regular intervals.
25. The method of claim 24, wherein the downloading is a subscription service to which the access controller must be registered so that the downloading can be performed.
26. The method of claim 18, wherein the step of searching for new data files on the public network is performed by a network walker process.
27. The method of claim 19, wherein the group-category database includes at least one group that is associated with different content ratings depending on the time of day of the request.
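As an added example that is not part of the patent or of any product it describes, the following Python models the decision path laid out in claims 14 through 17 and 19 through 27: the client's source address is mapped to a group (group-source database), the group is mapped to the categories it may access together with allowed time windows (group-category database), and the requested URL or IP address is mapped to its human-assigned category by matching either the whole host or a portion of the URL (category-destination database). All three databases, the sample requests, the hour-of-day model and the forwarding policy (forward uncategorized destinations; deny when any matched category falls outside the group's allowed times) are constructed assumptions; the network walker and the human review step are represented only by the static category table.

```python
"""Toy model of the group/category/destination lookup described in the claims.

Illustrative code added here; not from the patent. Every database entry and
request below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed group-source database: client source range -> group name.
GROUP_SOURCE = [
    (ip_network("10.1.0.0/16"), "students"),
    (ip_network("10.2.0.0/16"), "staff"),
]

# Constructed group-category database: group -> {category: allowed (start, end) hours}.
# Windows are half-open [start, end); (0, 24) means all day. A missing category
# means the group may never access it.
GROUP_CATEGORY = {
    "students": {"education": [(0, 24)], "games": [(16, 18)]},
    "staff": {"education": [(0, 24)], "games": [(0, 24)], "news": [(0, 24)]},
}

# Constructed category-destination database: category -> destinations assigned by
# (hypothetical) human review. A destination is a bare host or IP address, or a
# "host/path-prefix" entry that matches only a portion of the URL.
CATEGORY_DESTINATION = {
    "education": ["example.edu", "www.example-learning.test/courses"],
    "games": ["games.example.test"],
    "news": ["news.example.test", "192.0.2.10"],
}


@dataclass
class Request:
    source: str  # client IP address on the private network
    url: str     # resource identifier the client asked for
    hour: int    # hour of day (0-23) at which the request was received


def lookup_group(source):
    """Group-source lookup: first matching address range wins, None if unknown."""
    addr = ip_address(source)
    for net, group in GROUP_SOURCE:
        if addr in net:
            return group
    return None


def destination_matches(dest, host, path):
    """Compare one categorized destination against the request host and path.

    'host/prefix' entries match when the host is equal and the path equals the
    prefix or lies beneath it; bare entries match the host (or IP literal) exactly.
    """
    if "/" in dest:
        dhost, dpath = dest.split("/", 1)
        return host == dhost and (path == "/" + dpath or path.startswith("/" + dpath + "/"))
    return host == dest


def lookup_categories(url):
    """Category-destination lookup: every category whose destinations cover the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return {
        cat for cat, dests in CATEGORY_DESTINATION.items()
        if any(destination_matches(d, host, path) for d in dests)
    }


def in_window(hour, windows):
    return any(start <= hour < end for start, end in windows)


def decide(req):
    """Return (forward, reason) for one client request.

    Policy (assumed): requests from unknown sources are denied; uncategorized
    destinations are forwarded; a categorized destination is forwarded only if the
    client's group may access every matched category at the request's hour.
    """
    group = lookup_group(req.source)
    if group is None:
        return False, "unknown source"
    cats = lookup_categories(req.url)
    if not cats:
        return True, "uncategorized destination"
    allowed = GROUP_CATEGORY.get(group, {})
    for cat in sorted(cats):
        if not in_window(req.hour, allowed.get(cat, [])):
            return False, f"category {cat!r} not permitted for group {group!r} at hour {req.hour}"
    return True, f"group {group!r} may access {sorted(cats)}"


if __name__ == "__main__":
    for r in [Request("10.1.5.5", "http://games.example.test/play", 17),
              Request("10.1.5.5", "http://games.example.test/play", 10),
              Request("10.1.5.5", "http://www.example-learning.test/about", 9)]:
        print(r.url, r.hour, decide(r))
```

The time windows implement the "block of allowed access times" of claims 17 and 27, the `host/prefix` entries implement the "portion" or "segment" matching of claims 10 and 23, and the IP literal in the news category covers claims 11 and 21. Because the decision is made before the request leaves the private network, the gateway never needs to inspect the returned content, which is the property the abstract contrasts with word-based filtering.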