System and method for managing access to active devices operably connected to a data network

US 7,315,890 B2
Filed: 10/02/2002
Issued: 01/01/2008
Est. Priority Date: 10/02/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system for managing access between active devices through a data network, comprising:

a. a plurality of active devices operative to communicate with a data network, a first portion of the active devices being disposed logically upstream from a second portion of the active devices;

b. a router, logically disposed intermediate the first portion of the active devices and the second portion of the active devices, the router capable of selectively allowing access by a requesting active device of the first portion of the active devices to an active device of the second portion of active devices;

c. a service station operative to communicate with the at least one active device and the router;

d. connection management software executing at least partially in the service station and operable to direct the router to selectively allow access by a requesting active device to a responding active device in the second portion of active devices based on a predetermined characteristic of the requesting active device; and

e. client software executing in a requesting active device and in communication with the connection management software, the client software operable to determine the predetermined characteristic of the requesting active device according to a dynamically definable rule;

wherein the predetermined characteristic is selected from the group consisting of the state of the requesting active device, the existence of a file on the requesting active device, the existence of one or more properties of a given file on the requesting active device, an INI value in an INI file on the requesting active device, whether a particular process is running on the requesting active device, and whether a key value exists in a registry of an operating system executing in the requesting active device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing access of one or more active devices through a data network is disclosed. The system comprises a service station operative to communicate with a requesting active device and a router, the active device and router operative to communicate with a data network. Connection management software executes at least partially in the service station to direct the router to control access to a responding active device by the requesting active device based on a detectable state of a predetermined characteristic of the requesting active device, the state being disclosed to the service station upon a request by the service station. It is submitted with the understanding that it will not be used to interpret or limit the scope of meaning of the claims.

23 Citations

View as Search Results

27 Claims

1. A system for managing access between active devices through a data network, comprising:
- a. a plurality of active devices operative to communicate with a data network, a first portion of the active devices being disposed logically upstream from a second portion of the active devices;
  
  b. a router, logically disposed intermediate the first portion of the active devices and the second portion of the active devices, the router capable of selectively allowing access by a requesting active device of the first portion of the active devices to an active device of the second portion of active devices;
  
  c. a service station operative to communicate with the at least one active device and the router;
  
  d. connection management software executing at least partially in the service station and operable to direct the router to selectively allow access by a requesting active device to a responding active device in the second portion of active devices based on a predetermined characteristic of the requesting active device; and
  
  e. client software executing in a requesting active device and in communication with the connection management software, the client software operable to determine the predetermined characteristic of the requesting active device according to a dynamically definable rule;
  
  wherein the predetermined characteristic is selected from the group consisting of the state of the requesting active device, the existence of a file on the requesting active device, the existence of one or more properties of a given file on the requesting active device, an INI value in an INI file on the requesting active device, whether a particular process is running on the requesting active device, and whether a key value exists in a registry of an operating system executing in the requesting active device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A system as in claim 1, wherein:
    - a. the data network is at least one of (i) a data packet network, (ii) a TCP/IP network, or (iii) a peer-to-peer network.
  - 3. A system as in claim 1, wherein:
    - a. the active devices comprise a logic processing unit.
  - 4. A system as in claim 1, wherein:
    - a. the router uses a predefined protocol to forward data to the service station.
  - 5. A system as in claim 4, wherein:
    - a. the predefined protocol comprises network address translation.
  - 6. A system as in claim 1, wherein the router further comprises:
    - a. a router control server, comprising;
      
      i. a control server message queue; and
      
      ii. an IP Address database.
  - 7. A system as in claim 1, wherein:
    - a. the service station further comprises a service station message queue.
  - 8. A system as in claim 1, wherein:
    - a. the connection management software further comprisesi. a first page, retrievable by the requesting active device, the first page comprising at least a portion of client control software executable at the requesting active device; and
      
      ii. a second page, controllable by the service station, through which a confirmation code may be passed to the service station by the client control software executing at the requesting active device.
  - 9. A system as in claim 8, wherein:
    - a. the client control software further comprises an ActiveX control; and
      
      b. the first page further comprises a codebase attribute to specify a location into which the ActiveX control may be downloaded if it is not yet installed on the requesting active device.
  - 10. A system as in claim 9, wherein:
    - a. the location is at least one of (i) an absolute URL or (ii) a relative URL.
  - 11. A system as in claim 9, wherein:
    - a. the ActiveX control supports versioning.
  - 12. A system as in claim 9, wherein:
    - a. the first page further comprises a tag to define a rule parameter needed by the client control software.
  - 13. A system as in claim 12, wherein:
    - a. the rule parameter further comprises at least one of (i) an operating system identifier, (ii) a URL uplog, (iii) a URL fail, (iv) a URL useful to specify a page responsible for displaying information upon denial of network access, or (v) a boolean.
  - 14. A system as in claim 12, wherein the rule parameter further comprises:
    - a. at least one of (i) a rule type, (ii) a log level, (iii) a severity level, or (iv) a URL.
  - 15. A system as in claim 14, wherein;
    - a. the rule type further comprises at least one of (i) a command rule, (ii) a file exist rule, (iii) a file property rule, (iv) a named section rule, (v) a process rule, or (vi) a registry rule;
      
      b. the log level further comprises at least one of (i) none, (ii) min, or (iii) max;
      
      c. the severity code further comprises at least one of (i) off, (ii) minimal, (iii) desired, or (iv) required; and
      
      d. the URL further comprises a URL providing access to a page containing instructions on how to set up the client machine in compliance wit the rule.
  - 16. A system as in claim 15, wherein:
    - a. the registry rule comprises directives for the client control software control to direct the Client control software control to check for a specific key value in a registry of an operating system;
      
      b. the process rule comprises directives for the client control software control to direct the client control software control to check whether a process is executing in the requesting active device;
      
      c. the file exist rule comprises directives for the client control software control to direct the client control software control to check for the existence of a given file at the requesting active device;
      
      d. the file property rule comprises directives for the client control software control to direct the client control software control to check for specific properties of a given file at the requesting active device, the file property rule further comprising at least one of (i) a version indicator, (ii) a date/time indicator, or (iii) an attribute indicator;
      
      e. the named section rule comprises directives for the client control software control to direct the client control software control to check for an named section value in a rule file; and
      
      f. the command rule comprises directives for the client control software control to direct the client control software control to run a specified command on the client machine.
  - 17. A system as in claim 1, further comprising:
    - a. a rule file, comprising the rule.
  - 18. A system as in claim 17, wherein:
    - a. the rule comprises a name-value pair that defines a named parameter and a value associated with the named parameter.
  - 19. A system as in claim 17, wherein:
    - a. the rule file comprises an identifiable named section; and
      
      b. the identifiable named section comprises a unique section name, the section name further comprising the name of the rule.

20. A method for managing access, comprising:
- a. receiving a request at a router, operative to communicate with a first data network, from a first active device operative to communicate with the data network, the request comprising a request to access at least one of (i) a second data network, (ii) a second active device operative to communicate with the first data network, or (iii) a second active device operative to communicate with the second data network;
  
  b. blocking further access by the router of the first active device;
  
  c. forwarding the request for access by the router to a service station;
  
  d. sending a request for information by the service station to the first active device, the request for information relating to a predetermined characteristic of the first active device and comprising a dynamically definable rule; and
  
  e. allowing access through the muter to the second active device only if the first active device returns an acceptable response to the request for information;
  
  wherein the predetermined characteristic is selected from the group consisting of the state of the first active device, the existence of a file on the first active device, the existence of one or more properties of a given file on the first active device, an INI value in an INI file on the first active device, whether a particular process is running on the first active device, and whether a key value exists in a registry of an operating system executing in the first active device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. A method as in claim 20, further comprising;
    - a. using a predefined protocol by the access router to forward data to a service station.
  - 22. A method as in claim 21, wherein:
    - a. the predefined protocol comprises network address translation.
  - 23. A method as in claim 20, further comprising:
    - a. sending a new client message by the service station to a router control server message queue controlled by a router control server, the router control server operative to communicate with the router and the service station; and
      
      b. updating by router control server of an IP Address database with the address of a connection request from the requesting active device.
  - 24. A method as in claim 23, further comprising:
    - a. sending a client accept message by the router control server to a service station message queue managed by the service station;
      
      b. determining if a connection currently exists between the router and the requesting active device; and
      
      c. clearing of the connection if it exists by the router control server from the router.
  - 25. A method as in claim 20, further comprising:
    - a. providing a welcome page containing an ActiveX control by the service station to the requesting active device; and
      
      b. examining a predetermined set of characteristics of the requesting active device using the Active X control according to at least one rule accessible to the Active X control.
  - 26. A method as in claim 20, further comprising:
    - a. redirecting software executing in the requesting active device to a predetermined page accessible on the service station; and
      
      b. using client control software to pass a confirmation code to the service station.
  - 27. A method as in claim 20, further comprising:
    - a. sending a message by the service station to the router control server message queue;
      
      b. updating by the router control server of the IP Address database with the an IP address of a requesting active device upon a successful scan of the requesting active device by client control software;
      
      c. creating by the muter control server of a new user account in a router list of acceptable active devices;
      
      d. sending by the router control server of a connection approval message to the service station message queue; and
      
      a. presenting by the service station of a user name and password to software executing at the requesting active device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Parent, Robert M., Tilton, Earl W., Morehead, Mark K., Beane, Tommy L.
Primary Examiner(s)
Najjar; Saleh
Assistant Examiner(s)
KOROBOV, VITALI A

Application Number

US10/263,137
Publication Number

US 20040068562A1
Time in Patent Office

1,917 Days
Field of Search

709/223, 709/229, 707/10, 726/2, 726/11, 726/13
US Class Current

709/223
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/303   Terminal profiles

H04L 67/34   involving the movement of s...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

System and method for managing access to active devices operably connected to a data network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

System and method for managing access to active devices operably connected to a data network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others