Network access control using network address translation

US 7,072,933 B1
Filed: 01/24/2000
Issued: 07/04/2006
Est. Priority Date: 01/24/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of controlling at a gateway computing device access of a client machine to a desired resource hosted on a destination server, the desired resource being of at least one material type selected from the group including audible materials, readable materials, and viewable materials, comprising:

at the gateway computing device receiving handshaking packets from the client machine having as a destination address the destination server;

redirecting network communications at the gateway computing device, including;

redirecting the entirety of each of the handshaking packets by rewriting the destination address in the handshaking packets'"'"' IP headers to route the packets to an access controlling web server that is remote from the client, the gateway, and the destination server;

receiving a content request packet from the client machine at the gateway destined for the destination server intended to retrieve the desired resource from the destination server; and

at the gateway redirecting the content request packet in its entirety by rewriting the destination address in the packet IP header to route the packet to the access controlling web server;

receiving a response at the gateway from the access controlling web server; and

at the gateway, controlling access of the client machine to the desired resource based on the response from the access controlling web server, including refusing the client machine access to the desired resource if the response from the access controlling web server indicates that the client should not have access to the desired resource and granting the client machine access to the desired resource if the response from the access controlling web server indicates that the client should have access to the desired resource.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved network content filtering system and method utilize the network address translation functionality of a shared network connection to redirect outgoing packets from a client intended for a destination web server to an access controlling web server instead. Before a session to the destination web server is established, the access controlling web server either approves or refuses the connection, providing a content filtering mechanism. If the connection is refused, the access controlling web server may substitute other content for a filtered URL. In order to identify the client, the shared connection may additionally embed an identifier token in the redirected traffic, so as to customize the filtering action or to facilitate billing functions.

Citations

32 Claims

1. A method of controlling at a gateway computing device access of a client machine to a desired resource hosted on a destination server, the desired resource being of at least one material type selected from the group including audible materials, readable materials, and viewable materials, comprising:
- at the gateway computing device receiving handshaking packets from the client machine having as a destination address the destination server;
  
  redirecting network communications at the gateway computing device, including;
  
  redirecting the entirety of each of the handshaking packets by rewriting the destination address in the handshaking packets'"'"' IP headers to route the packets to an access controlling web server that is remote from the client, the gateway, and the destination server;
  
  receiving a content request packet from the client machine at the gateway destined for the destination server intended to retrieve the desired resource from the destination server; and
  
  at the gateway redirecting the content request packet in its entirety by rewriting the destination address in the packet IP header to route the packet to the access controlling web server;
  
  receiving a response at the gateway from the access controlling web server; and
  
  at the gateway, controlling access of the client machine to the desired resource based on the response from the access controlling web server, including refusing the client machine access to the desired resource if the response from the access controlling web server indicates that the client should not have access to the desired resource and granting the client machine access to the desired resource if the response from the access controlling web server indicates that the client should have access to the desired resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, controlling access to the desired resource based on the response from the access controlling web server further comprises:
    - establishing a connection between the client machine and the destination server if the response indicates that access to the desired resource is allowable.
  - 3. The method according to claim 2, the content request packet comprises a GET URL packet.
  - 4. The method according to claim 3, the response indicates that access to the desired resource is allowable if the access controlling web server does not recognize the URL of the GET URL packet.
  - 5. The method according to claim 4, further comprising refusing a connection to the destination server and establishing instead a connection between the client machine and the access controlling web server if the response is that the access controlling web server recognizes the URL of the GET URL packet.
  - 6. The method according to claim 5, establishing a connection between the client machine and the destination server comprises:
    - resending the handshaking packets and GET URL packet to the destination server transparently with respect to the client machine.
  - 7. The method according to claim 6, further comprising embedding an identity token readable by the access controlling web server in the GET URL packet, the identity token uniquely identifies the client machine.
  - 8. The method according to claim 6, further comprising determining whether to redirect network communications based on the content of a handshaking packet.
  - 9. The method according to claim 8, determining whether to redirect network communications comprises deciding to redirect network communications if the handshaking packet is a SYN packet directed to port 80 on the destination server.
  - 10. The method according to claim 3, the response indicates that access to the desired resource is allowable if the access controlling web server recognizes the URL of the GET URL packet.
  - 11. The method according to claim 10, further comprising refusing a connection to the destination server and establishing instead a connection between the client machine and the access controlling web server if the response indicates that the access controlling web server does not recognize the URL of the GET URL packet.
  - 12. The method according to claim 11, the access controlling web server is an RSACi Web Server.
  - 13. The method according to claim 11, establishing a connection between the client machine and the destination server comprises:
    - resending the handshaking packets and GET URL packet to the destination server transparently with respect to the client machine.
  - 14. The method according to claim 13, further comprising embedding an identity token readable by the access controlling web server in the GET URL packet, the identity token uniquely identifies the client machine.
  - 15. The method according to claim 13, further comprising determining whether to redirect network communications based on the content of a handshaking packet.
  - 16. The method according to claim 15, determining whether to redirect network communications comprises deciding to redirect network communications if the handshaking packet is a SYN packet directed to port 80 on the destination server.

17. A computer-readable medium having computer-executable instructions for controlling access at a gateway computer of a client to a desired resource hosted on a destination server comprising:
- receiving handshaking packets at the gateway computer from the client machine having as a destination address an address corresponding to the destination server;
  
  redirecting network communications at the gateway computer, including;
  
  redirecting the entirety of each of the handshaking packets by rewriting the destination address in the handshaking packets'"'"' IP headers to route the packets to an access controlling web server that is remote from the gateway computer;
  
  receiving a content request packet from the client machine destined for the destination server intended to retrieve the desired resource from the destination server; and
  
  redirecting the entirety of the content request packet by rewriting the destination address in the packet IP header to route the packet to the access controlling web server;
  
  receiving a response at the gateway computer from the access controlling web server; and
  
  at the gateway computer controlling access of the client machine to the desired resource based on the response from the access controlling web server by granting access if the response indicates that the client may access the desired resource and denying access if the response indicates that the client may not access the desired resource.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The computer-readable medium of claim 17, controlling access to the desired resource based on the response from the access controlling web server further comprises:
    - establishing a connection between the client machine and the destination server if the response indicates that access to the desired resource is allowable.
  - 19. The computer-readable medium of claim 18, the content request packet comprises a GET URL packet.
  - 20. The computer-readable medium of claim 19, the response indicates that access to the desired resource is allowable if the access controlling web server does not recognize the URL of the GET URL packet.
  - 21. The computer-readable medium of claim 20, further comprising refusing a connection to the destination server and establishing instead a connection between the client machine and the access controlling web server if the response is that the access controlling web server recognizes the URL of the GET URL packet.
  - 22. The computer-readable medium of claim 19, establishing a connection between the client machine and the destination server comprises:
    - resending the handshaking packets and GET URL packet to the destination server transparently with respect to the client machine.
  - 23. The computer-readable medium of claim 22, further comprising embedding an identity token readable by the access controlling web server in the GET URL packet, the identity token uniquely identifies the client machine.
  - 24. The computer-readable medium of claim 22, further comprising determining whether to redirect network communications based on the content of a handshaking packet.
  - 25. The computer-readable medium of claim 24, determining whether to redirect network communications comprises deciding to redirect network communications if the handshaking packet is a SYN packet directed to port 80 on the destination server.
  - 26. The computer-readable medium of claim 19, the response indicates that access to the desired resource is allowable if the access controlling web server recognizes the URL of the GET URL packet.
  - 27. The computer-readable medium of claim 26, further comprising refusing a connection to the destination server, and establishing instead a connection between the client machine and the access controlling web server if the response indicates that the access controlling web server does not recognize the URL of the GET URL packet.
  - 28. The computer-readable medium of claim 27, the access controlling web server is an RSACi Web Server.
  - 29. The computer-readable medium of claim 27, establishing a connection between the client machine and the destination server comprises:
    - resending the handshaking packets and GET URL packet to the destination server transparently with respect to the client machine.
  - 30. The computer-readable medium of claim 29, further comprising embedding an identity token readable by the access controlling web server in the GET URL packet, the identity token uniquely identifies the client machine.
  - 31. The computer-readable medium of claim 29, further comprising determining whether to redirect network communications based on the content of a handshaking packet.
  - 32. The computer-readable medium of claim 31, determining whether to redirect network communications comprises deciding to redirect network communications if the handshaking packet is a SYN packet directed to port 80 on the destination server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zhigu Holdings Limited
Original Assignee
Microsoft Corporation
Inventors
Guzovsky, Eduard, Lamb, Richard H.
Primary Examiner(s)
VU, THONG H

Application Number

US09/489,629
Time in Patent Office

2,353 Days
Field of Search

709/200, 709/203, 709217-219, 709/238, 709/224, 709/225, 709/229, 709/226, 709/245, 707/501, 713/153, 713/201, 713/168, 713/200, 715/500, 370/349
US Class Current

709/203
CPC Class Codes

H04L 61/2571   for identification, e.g. fo...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 67/56   Provisioning of proxy servi...

H04L 67/563   Data redirection of data ne...

H04L 67/564   Enhancement of application ...

Network access control using network address translation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Network access control using network address translation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links