Systems and methods that provide external network access from a protected network

US 7,240,193 B2
Filed: 03/01/2002
Issued: 07/03/2007
Est. Priority Date: 03/01/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A browser interface system for protecting a computer network, comprising:

a browser module that provides communications access to an unprotected network from a protected network, wherein said browser module is separate and physically distinct from protected computers;

a browser client module that communicates with the browser module, wherein said browser client module provides control of video and audio output of a browser operating remotely on said browser module; and

a browser isolator module that analyzes communications between the browser module and the browser client module,wherein said browser isolator module prevents unauthorized communications between the browser module and the browser client module, andsaid browser isolator module prevents the transfer of permanently stored data between the protected computers and the browser module, and between the protected computers and the unprotected network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user who is connected to an unprotected network via a protected network is able to browse the Internet without concern that unauthorized code will execute within their local workstation as the result of a vulnerability within the browser executing on a special virtual machine or a browser module. Any unauthorized code will only affect one of a special virtual machine or a browser module.

24 Citations

View as Search Results

24 Claims

1. A browser interface system for protecting a computer network, comprising:
- a browser module that provides communications access to an unprotected network from a protected network, wherein said browser module is separate and physically distinct from protected computers;
  
  a browser client module that communicates with the browser module, wherein said browser client module provides control of video and audio output of a browser operating remotely on said browser module; and
  
  a browser isolator module that analyzes communications between the browser module and the browser client module,wherein said browser isolator module prevents unauthorized communications between the browser module and the browser client module, andsaid browser isolator module prevents the transfer of permanently stored data between the protected computers and the browser module, and between the protected computers and the unprotected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the communication between the browser module and the browser client module is limited to those communications specifically necessary for remote operation of the browser module.
  - 3. The system of claim 2, wherein the browser isolator module screens at least one of the following types of information to determine if the communication is authorized:
    - source and destination ports, user information, origination information, host information, destination information, character information, IP address information, display identification, session information, display class, display number, TCP information, and date and/or time information.
  - 4. The system of claim 1, wherein the browser module comprises a distributed network browser.
  - 5. The system of claim 1, wherein the protected network is isolated from unauthorized communications received from the unprotected network.
  - 6. The system of claim 1, wherein any browser-executed code operates on the browser module.
  - 7. The system of claim 1, wherein said browser module is sacrificial and protects the protected computers from unauthorized content.
  - 8. The system of claim 1, wherein said browser isolator module performs detailed field checks and reduce the chance of defect in the protocol implementation on either the browser module or the protected computer.

9. A method for providing a browser interface system for protecting a computer network, said method comprising:
- providing communications access to an unprotected network from a protected network via a browser module, wherein the browser module is separate and physically distinct from protected computers;
  
  communicating with the browser module through a browser client module, wherein said browser client module provides control of video and audio output of a browser operating remotely on said browser module;
  
  analyzing communications between the browser module and the browser client module via a browser isolator module;
  
  preventing unauthorized communications between the browser module and the browser client module via the browser isolator module; and
  
  said browser isolator module preventing the transfer of permanently stored data between the protected computers and the browser module and between the protected computers and the unprotected network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, further comprising limiting the communication between the browser and browser client module to those communications specifically necessary for remote operation of the browser module.
  - 11. The method of claim 10, further comprising screening at least one of the following types of information to determine if the communication is authorized:
    - source and destination ports, user information, origination information, host information, destination information, character information, IP address information, display identification, session information, display class, display number, TCP information, and date and/or time information.
  - 12. The method of claim 9, said browser module further comprising a distributed network browser.
  - 13. The method of claim 9, further comprising isolating the protected network from unauthorized communications received from the unprotected network.
  - 14. The method of claim 9, further comprising operating any browser-executed code on the browser module.
  - 15. The method of claim 9, further comprising protecting the protected computer from unauthorized content, wherein said browser module is sacrificial.
  - 16. The method of claim 9, said browser isolator module performing detailed field checks, said field checks reducing the chance of defect in the protocol implementation on either the browser module or protected computer.

17. A computer program product for providing a browser interface system for protecting a computer network, and including one or more computer-readable instructions embedded on a computer readable storage medium and configured to cause one or more computer processors to perform the steps of:
- providing communications access to an unprotected network from a protected network via a browser module, wherein the browser module is separate and physically distinct from protected computers;
  
  communicating with the browser module through a browser client module, wherein said browser client module provides control of video and audio output of a browser operating remotely on said browser module;
  
  analyzing communications between the browser module and the browser client module via a browser isolator module;
  
  preventing unauthorized communications between the browser module and the browser client module via the browser isolator module; and
  
  preventing the transfer of permanently stored data between the protected computers and the browser module, and between the protected computers and the unprotected network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product of claim 17, comprising further instructions embedded on the computer readable storage medium and configured to cause the one or more computer processors to perform the step of limiting the communication between the browser and browser client module to those communications specifically necessary for remote operation of the browser module.
  - 19. The computer program product of claim 18, comprising further instructions embedded on the computer readable storage medium and configured to cause the one or more computer processors to perform the step of screening at least one of the following types of information to determine if the communication is authorized:
    - source and destination ports, user information, origination information, host information, destination information, character information, IP address information, display identification, session information, display class, display number, TCP information, and date and/or time information.
  - 20. The computer program product of claim 17, comprising further instructions embedded on the computer readable storage medium and configured to cause the one or more computer processors to perform the step of said browser module further comprising a distributed network browser.
  - 21. The computer program product of claim 17, comprising further instructions embedded on the computer readable storage medium and configured to cause the one or more computer processors to perform the step of isolating the protected network from unauthorized communications received from the unprotected network.
  - 22. The computer program product of claim 17, comprising further instructions embedded on the computer readable storage medium and configured to cause the one or more computer processors to perform the step of operating any browser-executed code on the browser module.
  - 23. The computer program product of claim 17, comprising further instructions embedded on the computer readable storage medium and configured to cause the one or more computer processors to perform the step of protecting the protected computer from unauthorized content, wherein said browser module is sacrificial.
  - 24. The computer program product of claim 17, comprising further instructions embedded on the computer readable storage medium and configured to cause the one or more computer processors to perform the step of performing detailed field checks, said field checks reducing the chance of defect in the protocol implementation on either the browser module or protected computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Invicta Networks, Inc.
Original Assignee
Invicta Networks, Inc.
Inventors
Noble, James G., Hatfalvi, Emil J.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Parthasarathy; Pramila

Application Number

US10/085,130
Publication Number

US 20020129281A1
Time in Patent Office

1,950 Days
Field of Search

709/217, 726/23
US Class Current

713/154
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/145   the attack involving the pr...

Systems and methods that provide external network access from a protected network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods that provide external network access from a protected network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links