Network session management

US 7,096,495 B1
Filed: 03/31/2000
Issued: 08/22/2006
Est. Priority Date: 03/31/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A network system, comprising:

first and second devices, whereinthe first device is adapted to;

deliver a set of policies to the second device during initialization of a virtual private network between the first and second devices; and

the second device is remote from the first device and adapted to;

run an application;

use both said policies and a priority assigned to the application to detect data packets from unauthorized activities; and

reject data packets from the unauthorized activities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention uses network stack information to enforce context-based policies. The combination of policies, user/application context information and packet filtering is used to enable fine-grained control of network resources.

179 Citations

25 Claims

1. A network system, comprising:
- first and second devices, whereinthe first device is adapted to;
  
  deliver a set of policies to the second device during initialization of a virtual private network between the first and second devices; and
  
  the second device is remote from the first device and adapted to;
  
  run an application;
  
  use both said policies and a priority assigned to the application to detect data packets from unauthorized activities; and
  
  reject data packets from the unauthorized activities.
- View Dependent Claims (2, 3, 4, 8)
- - 2. The system of claim 1 further comprising a network stack.
  - 3. The system of claim 2, wherein the network stack comprises:
    - a policy engine connected to the first device;
      
      a policy store connected to the policy engine;
      
      a socket interceptor connected to the policy engine; and
      
      a packet guard connected to the policy engine.
  - 4. The system of claim 1, the first device further comprising instructions to monitor the system for the intervening processes.
  - 8. A system as in claim 1, wherein said second device uses said policies to determine if an application is running and allows certain kinds of network packets, associated with said network application, to pass only when said application is running and to be blocked when said application is not running.

5. A network stack, comprising:
- a policy engine;
  
  a policy store adapted to interact with the policy engine and store a set of policies from the policy engine;
  
  a socket interceptor coupled to the policy engine;
  
  a packet guard coupled to the policy engine;
  
  a configurable management process adapted to reconfigure the network stack and having instructions to;
  
  receive policies in the policy engine from the policy server during a virtual private network session with a remote device;
  
  use the socket interceptor to detect and reject data packets from unauthorized users and applications and provide the packet guard with context information about the unauthorized users and applications including at least information about a running state of the application;
  
  use the packet guard to filter unauthorized activities received from the network interface;
  
  use the packet guard to filter the data packets from unauthorized users and applications based on the context information received by the socket interceptor; and
  
  use the packet guard to filter data packets based on the policies.
- View Dependent Claims (6, 7)
- - 6. The network stack of claim 5 further comprising a packet translator adapted to interact with the socket interceptor and the packet guard.
  - 7. The network stack of claim 5 further comprising an interface to a network adapted to connect the network stack to the network, wherein the network has a policy server.

9. A method comprising:
- establishing a virtual private network (VPN) session between a primary computing system and a remote computing system, wherein the primary computing system includes a security policy engine, and wherein the remote computing system includes a network stack;
  
  transmitting information indicative of security parameters from the primary computing system to the remote computing system using the security policy engine during initialization of the VPN;
  
  configuring the network stack based on the information indicative of security parameters;
  
  subsequently running a particular application program on the remote computing system;
  
  selecting information indicative of updated security parameters based on a priority of the particular application program; and
  
  dynamically reconfiguring the network stack based on the information indicative of the updated security parameters.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein the primary computing system is a corporate local area network (LAN).
  - 11. The method of claim 9, wherein the remote primary computing system is a remote home network.
  - 12. The method of claim 9, wherein the particular application program is a data processing program, and wherein, when a running state of the data processing program indicates that the data processing program is not running, the information indicative of security parameters causes the remote computing system to block packets received at the remote computing system.
  - 13. The method of claim 9, wherein the particular application program is a data word processing program, and wherein, when a running state of the data processing program indicates that the data processing program is running, the information indicative of updated security parameters causes the remote computing system to not block packets received at the remote computing system.

14. A method comprising:
- establishing a secure virtual private network connection between a server and a remote system;
  
  delivering security policies from the server to the remote system during initialization of the secure private network connection; and
  
  regulating access to nodes accessible via the server by the remote system based on the security policies and a priority associated with at least one application program running on the remote system.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14 wherein regulating access comprises providing filters that are adapted to reject unauthorized data packets based on rejection criteria that are conditioned on the security policies and the priority of the at least one application program.
  - 16. The method of claim 14 wherein regulating access comprises:
    - providing a session layer adapted to reject unauthorized data packets based on context information; and
      
      providing filters adapted to reject unauthorized data packets based on rejection criteria from at least one of the context information and the policies.
  - 17. The method of claim 14 further comprising updating the set of policies.
  - 18. The method as in claim 14, wherein the remote system includes a network stack, and wherein the regulating access comprises reconfiguring the network stack to control filtering of network packets, based on the policies and the priority of the application.
  - 19. The method as in claim 14, wherein the policies include information about authorized kinds of information when certain applications are running, and regulating access comprises determining if a specified application is running, allowing a specified kind of network packet to pass only when the specified application is running, and blocking the specified kind of network packet from passing when the specified application is not running.
  - 20. The method as in claim 19, wherein the specified application is a word processing program, and the kind of network packet is word processing data.

21. An article comprising a computer-readable medium which stores computer-executable instructions, the instructions causing a computer to:
- establish a secure virtual private network connection between a server and a remote system;
  
  deliver security policies from the server to the remote system during initialization of the secure private network connection; and
  
  regulate access to nodes accessible via the server by the remote system based on the security policies and a priority associated with at least one application program running on the remote system.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The article of claim 21 wherein regulating access comprises providing filters that are adapted to reject unauthorized data packets based on rejection criteria that are conditioned on the security policies and the priority of the at least one application program.
  - 23. The article of claim 21 wherein regulating access comprises:
    - providing a session layer adapted to reject unauthorized data packets based on context information; and
      
      providing filters adapted to reject unauthorized data packets based on rejection criteria from at least one of the context information and the policies.
  - 24. The article of claim 21 further comprising updating the set of policies.
  - 25. The article as in claim 21, wherein the policies include information about authorized kinds of information when certain applications are running, and regulating access comprises determining if a specified application is running, and allowing a specified kind of network packet to pass only when the specified application is running, based on the policies, and, blocking the specified kind of network packet from passing, when the specified application is not running, based on the policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Warrier, Ulhas S., Iyer, Prakash
Primary Examiner(s)
Louis-Jacques, Jacques H.
Assistant Examiner(s)
Tran, Ellen C.

Application Number

US09/539,928
Time in Patent Office

2,335 Days
Field of Search

709200-250, 713150-250, 714/39, 714/47, 726/15, 726/14
US Class Current

726/15
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/105   Multiple levels of security

Network session management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

179 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Network session management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links