System methodology for automatic local network discovery and firewall reconfiguration for mobile computing devices

US 7,222,359 B2
Filed: 11/14/2001
Issued: 05/22/2007
Est. Priority Date: 07/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method for a mobile client device to regulate access to different networks that the client device may be connected to, the method comprising:

automatically obtaining information to identify adapters connected to a particular client device and networks to which said adapters are connected;

automatically generating a profile for each network, including a current network to which said particular client device is connected;

automatically comparing said profile of said current network to previously generated profiles to determine if said particular client device has previously connected to said current network; and

if said particular client device has previously connected to said current network, automatically applying security settings previously utilized for said current network for regulating access to said current network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system providing methodologies for automatically detecting when a computing device is plugged into a new network is described. The system includes methods for detecting a connection to a new network by receiving notice of, and evaluating, changes to an existing network configuration. The system profiles and generates an identity for the new network. This includes collecting information about the network to uniquely identify it and generating a unique identifier for the network. Once a network has been profiled, a user may decide whether or not to include it as part of a trusted zone. Alternatively, this decision may be guided by policy established by a system administrator or user. The system automatically reconfigures a firewall to include or exclude the network from the trusted zone based upon this decision. The profile of each network is stored so that the next time the device is connected to the same network it remembers the network and applies the same security settings previously adopted. The stored profile also facilitates the detection of changes to the network configuration or the connection to a new network.

324 Citations

78 Claims

1. A method for a mobile client device to regulate access to different networks that the client device may be connected to, the method comprising:
- automatically obtaining information to identify adapters connected to a particular client device and networks to which said adapters are connected;
  
  automatically generating a profile for each network, including a current network to which said particular client device is connected;
  
  automatically comparing said profile of said current network to previously generated profiles to determine if said particular client device has previously connected to said current network; and
  
  if said particular client device has previously connected to said current network, automatically applying security settings previously utilized for said current network for regulating access to said current network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The method of claim 1, further comprising:
    - determining the security settings to be applied for said current network if said particular client device has not previously connected to said current network; and
      
      applying said security settings for regulating access to said current network.
  - 3. The method of claim 2, further comprising:
    - storing said security settings for said current network; and
      
      automatically applying said security settings when said particular client device subsequently connects to said current network.
  - 4. The method of claim 2, wherein said step of determining the security settings to be applied for said current network includes applying an established policy.
  - 5. The method of claim 4, wherein said established policy includes treating a current network to which said device has not previously connected as untrusted.
  - 6. The method of claim 4, wherein said established policy includes treating a current network to which said device has not previously connected as trusted.
  - 7. The method of claim 4. wherein said established policy includes obtaining user input regarding said security settings.
  - 8. The method of claim 7, wherein said established policy includes security settings to be applied when said user input is not obtained.
  - 9. The method of claim 1, wherein said security settings are applied to a firewall module for regulating access to said current network.
  - 10. The method of claim 1, wherein said step of obtaining information to identify adapters and networks is initiated each time said particular client device is connected to a network.
  - 11. The method of claim 1, wherein information to identify adapters and networks is obtained from an operating system kernel facility.
  - 12. The method of claim 11, wherein changes to network information in said operating kernel facility are examined to determine if an adapter'"'"'s configuration has changed.
  - 13. The method of claim 11, wherein changes to network information in said operating kernel facility are examined to determine if said current network has changed.
  - 14. The method of claim 1, wherein a list of all adapters is constructed upon connection of said particular client device to a network.
  - 15. The method of claim 14, wherein each said adapter'"'"'s network configuration is constructed upon connection of said particular client device to a network.
  - 16. The method of claim 14, wherein a profile of all adapters and said adapters'"'"' network configuration is constructed each time said particular client device is connected to a network.
  - 17. The method of claim 16, wherein said profile of an adapter includes a selected one or more of:
    - connection method, physical address, IP address, subnet mask, and gateway IP address.
  - 18. The method of claim 16, wherein said profile of an adapter'"'"'s network configuration includes a selected one or more of:
    - network IP address, network mask, gateway MAC address, and connection name.
  - 19. The method of claim 1, wherein a profile of said adaptors and networks connected to said adapters is constructed each time a change in said adapters'"'"' network configuration is detected.
  - 20. The method of claim 1, wherein a network is identified by connection name if said network is a dialup connection with a resolvable connection name.
  - 21. The method of claim 1, wherein a network is identified by connection name if said network is a PPP over Ethernet (PPPoE) connection with a resolvable connection name.
  - 22. The method of claim 1, wherein a network is identified by gateway IP address and subnet mask if said network is an Ethernet network with a public IP address.
  - 23. The method of claim 1, wherein a network is identified by gateway IP address, subnet mask and physical address if said network is an Ethernet network with a private IP address.
  - 24. The method of claim 23, wherein said physical address is a MAC address.
  - 25. The method of claim 1, wherein a network is identified by gateway IP address and subnet mask if said network is a token ring network.
  - 26. The method of claim 1, wherein a network is identified by gateway IP address and subnet mask if said network is an infrared network.
  - 27. The method of claim 1, wherein a unique identifier is assigned to each network that is profiled.
  - 28. The method of claim 27, wherein said unique identifier is based upon a selected one or more of connection name, gateway IP address, subnet mask and physical address.
  - 29. The method of claim 27, wherein each said unique identifier is stored.
  - 30. The method of claim 27, wherein said unique identifier for a current network that is identified is compared to prior identifiers to determine if said particular client device has previously connected to said current network.

31. A method for a mobile device to identify different networks to which said device is connected, the method comprising:
- automatically obtaining information to identify adapters connected to said device and current networks to which said adapters are connected;
  
  automatically generating a profile for said current networks, including a current network to which said device is connected;
  
  automatically comparing said profile of said current network to which said device is connected to prior profiles to determine if said device has previously connected to said current network; and
  
  if said device has not previously connected to said current network, automatically notifying the device'"'"'s user of a new connection to said current network.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The method of claim 31, further comprising:
    - if said device has not previously connected to said current network, obtaining user input on particular security settings to be applied for said current network.
  - 33. The method of claim 32, further comprising:
    - applying said security settings to regulate access to said device.
  - 34. The method of claim 33, wherein said security settings are applied to a firewall module for regulating access to said device.
  - 35. The method of claim 32, further comprising:
    - storing said security settings; and
      
      applying said security settings when said device subsequently connects to said current network.
  - 36. The method of claim 31, further comprising:
    - if said device has previously connected to said current network, applying any security settings previously utilized for said current network for regulating access to said device.
  - 37. The method of claim 31, wherein said profiles of said current networks are used by a policy management application.
  - 38. The method of claim 31, wherein said profiles of said current networks are used by a security management application.
  - 39. The method of claim 31, wherein said profiles of said current networks are used by an end point security product to regulate access to said device.

40. A method for a mobile device to identify different networks to which said device is connected, the method comprising:
- automatically obtaining information to identify a current network to which said device is connected;
  
  automatically generating a profile for said current network;
  
  automatically comparing said profile of said current network to previously generated profiles to determine if said device has previously connected to said current network; and
  
  if said device has not previously connected to said current network, automatically treating said current network as untrusted for purposes of regulating access to said device.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The method of claim 40, wherein a firewall module regulates access to said device.
  - 42. The method of claim 40, further comprising:
    - notifying the device'"'"'s user if said device has not previously connected to said current network.
  - 43. The method of claim 42, further comprising:
    - obtaining user input on particular security settings to be applied to regulate access to said device.
  - 44. The method of claim 43, further comprising:
    - automatically applying said security settings to a firewall module to regulate access to said device.

45. A method for a mobile device to identify different networks to which said device is connected, the method comprising:
- automatically obtaining information to identify a current network to which said device is connected;
  
  automatically generating a profile for said current network;
  
  automatically comparing said profile of said current network to previously stored profiles to determine if said device has previously connected to said current network; and
  
  if said device has not previously connected to said current network, automatically treating said current network as trusted for purposes of regulating access to said device.
- View Dependent Claims (46, 47, 48, 49)
- - 46. The method of claim 45, wherein a firewall module regulates access to said device.
  - 47. The method of claim 45, further comprising:
    - notifying the devise'"'"'s user if said device has not previously connected to said current network.
  - 48. The method of claim 47, further comprising:
    - obtaining user input on particular security settings to be applied to regulate access to said device.
  - 49. The method of claim 48, further comprising:
    - automatically applying said security settings to a firewall module to regulate access to said device.

50. A system for a mobile device to identify different networks to which said device is connected and regulate access to said device, the system comprising:
- a network information engine for automatically obtaining and processing information on networks to which said device is connected;
  
  a network information data structure for storing said information automatically collected on said networks, said information uniquely identifying each network, including uniquely identifying local networks having duplicate network addresses; and
  
  a zone configuration module for establishing security settings to regulate access to said device, said security settings being applied automatically in a manner to regulate access to said device based on which uniquely-identified network said device is currently connected to.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78)
- - 51. The system of claim 50, wherein said network information engine constructs a list of all connected adapters upon connection of said device to a network.
  - 52. The system of claim 51, wherein said network information engine constructs a list of all networks connected to said adapters upon connection of said device to a network.
  - 53. The system of claim 51, wherein said network information engine constructs a list of all adapters and networks to which said adapters are connected each time a change in network connection is detected.
  - 54. The system of claim 50, wherein said network information engine obtains information to identify adapters connected to said device from an operating system kernel facility.
  - 55. The system of claim 54, wherein said network information engine obtains information to identify networks connected to said adapters from said operating system kernel facility.
  - 56. The system of claim 54, wherein changes to network information in said operating kernel facility are examined to determine if a current network to which said device is connected has changed.
  - 57. The system of claim 50, wherein said network information engine identifies a network by connection name if said network is a dialup connection with a resolvable connection name.
  - 58. The system of claim 50, wherein said network information engine identifies a network by connection name if said network is a PPPoE connection wit a resolvable connection name.
  - 59. The system of claim 50, wherein said network information engine identifies a network by gateway IP address and subnet mask if said network is an Ethernet network with a public IP address.
  - 60. The system of claim 50, wherein said network information engine identifies a network by gateway IP address, subnet mask and physical address if said network is an Ethernet network with a private IP address.
  - 61. The system of claim 60, wherein said physical address is a MAC address.
  - 62. The system of claim 50, wherein said network information engine identifies a network by gateway IP address and subnet mask if said network is a token ring network.
  - 63. The system of claim 50, wherein said network information engine identifies a network by gateway IP address and subnet mask if said network is an infrared network.
  - 64. The system of claim 50, wherein said network information engine assigns a unique identifier to each network.
  - 65. The system of claim 64, wherein said network information engine constructs said unique identifier based upon a selected one or more of connection name, gateway IP address, subnet mask and physical address.
  - 66. The system of claim 64, wherein each said unique identifier is stored in said network information data structure.
  - 67. The system of claim 64, wherein each said unique identifier is stored in a database.
  - 68. The system of claim 64, wherein said network information engine compares said unique identifier for a current network to previously stored identifiers to determine if said device has previously connected to said current network.
  - 69. The system of claim 50, wherein said zone configuration module stores security settings for regulating access to said device.
  - 70. The system of claim 69, wherein said security settings include whether to treat a network as trusted.
  - 71. The system of claim 69, wherein said security settings include whether to treat a network as untrusted.
  - 72. The system of claim 69, wherein said security settings include treating a current network to which said device has not previously connected as untrusted.
  - 73. The system of claim 69, wherein said security settings include obtaining user input regarding the security settings to be applied for a network.
  - 74. The system of claim 73, wherein said security settings include rules to be applied when user input is not obtained.
  - 75. The system of claim 50, wherein said zone configuration module stores security settings for regulating access from said device to different networks.
  - 76. The system of claim 50, wherein said zone configuration module automatically applies said security settings to a firewall module for purposes of regulating access to said device.
  - 77. The system of claim 50, further comprising:
    - a firewall module for regulating access to and from said device.
  - 78. The system of claim 77, wherein said zone configuration module automatically applies said security settings to said firewall module for purposes of regulating access to said device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Freund, Gregor, Haycock, Keith, Hermann, Conrad
Primary Examiner(s)
Smithers; Matthew

Application Number

US10/003,161
Publication Number

US 20030167405A1
Time in Patent Office

2,015 Days
Field of Search

709/225, 709/227, 709/249, 709/250, 709/253, 710/36, 710/8, 710104-105, 710/107, 726/3
US Class Current

726/3
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/20 for managing network securi...

System methodology for automatic local network discovery and firewall reconfiguration for mobile computing devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

324 Citations

78 Claims

Specification

Use Cases

Quick Links

Others

System methodology for automatic local network discovery and firewall reconfiguration for mobile computing devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

324 Citations

78 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others