Systems and methods for a protocol gateway

US 7,707,401 B2
Filed: 06/10/2003
Issued: 04/27/2010
Est. Priority Date: 06/10/2002
Status: Active Grant

First Claim

Patent Images

1. A method for managing a communication protocol in a network, the method comprising:

receiving at a firewall a plurality of messages from a computer network;

intercepting with an enforcer module executing on a computing device selected messages of the plurality of messages, the selected messages comprising each of the plurality of messages associated with an instant messaging protocol;

comparing the instant messaging protocol of each of the selected messages with at least one protocol template stored by the enforcer module, the instant messaging protocol of each selected message comprising (i) a screen name of a user originating the selected message and (ii) at least one of a source internet protocol (IP) address and a port number;

based on said comparing, redirecting to a protocol message gateway within the computer network each selected message having bypassed the protocol message gateway, wherein said redirecting comprises using a content vectoring protocol;

for each redirected selected message,identifying with an authentication module of the protocol message gateway a unique user name associated with the screen name of the user originating the redirected selected message,based at least in part on the unique user name, selecting a policy rule for restricting the user'"'"'s usage of the instant messaging protocol, andapplying the selected policy rule to the redirected selected message.

View all claims

30 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A protocol management system is capable of detecting certain message protocols and applying policy rules to the detected message protocols that prevent intrusion, or abuse, of a network'"'"'s resources. In one aspect, a protocol message gateway is configured to apply policy rules to high level message protocols, such as those that reside at layer 7 of the ISO protocol stack.

Citations

30 Claims

1. A method for managing a communication protocol in a network, the method comprising:
- receiving at a firewall a plurality of messages from a computer network;
  
  intercepting with an enforcer module executing on a computing device selected messages of the plurality of messages, the selected messages comprising each of the plurality of messages associated with an instant messaging protocol;
  
  comparing the instant messaging protocol of each of the selected messages with at least one protocol template stored by the enforcer module, the instant messaging protocol of each selected message comprising (i) a screen name of a user originating the selected message and (ii) at least one of a source internet protocol (IP) address and a port number;
  
  based on said comparing, redirecting to a protocol message gateway within the computer network each selected message having bypassed the protocol message gateway, wherein said redirecting comprises using a content vectoring protocol;
  
  for each redirected selected message,identifying with an authentication module of the protocol message gateway a unique user name associated with the screen name of the user originating the redirected selected message,based at least in part on the unique user name, selecting a policy rule for restricting the user'"'"'s usage of the instant messaging protocol, andapplying the selected policy rule to the redirected selected message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein the policy rule comprises a rule for restricting the user from sending or receiving a predefined number of instant messages within a given time period.
  - 3. The method of claim 1, wherein said selecting the policy rule is based at least partly on the source of the redirected selected message.
  - 4. The method of claim 1, wherein said selecting the policy rule is based at least partly on the intended destination internet protocol (IP) address of the redirected selected message.
  - 5. The method of claim 1, wherein said selecting the policy rule is based at least partly on when the redirected selected message is sent or intended to be received.
  - 6. The method of claim 1, wherein said selecting the policy rule is based at least partly on the size of the redirected selected message.
  - 7. The method of claim 1, wherein the selection of the policy rule is based at least partly on whether the redirected selected message includes an attachment.
  - 8. The method of claim 1, further comprising creating a log comprising information associated with the redirected selected message.
  - 9. The method of claim 1, wherein said identifying further comprises:
    - generating the unique user name for the user;
      
      associating the screen name with the unique user name; and
      
      storing in a database the association between the screen name and the unique user name.
  - 10. The method of claim 1, wherein applying the selected policy rule comprises forcing the redirected selected message to use a defined communication connection when flowing into or out of the computer network.
  - 11. The method of claim 1, wherein applying the selected policy rule comprises terminating a communication connection associated with the redirected selected message.
  - 12. The method of claim 1, wherein applying the selected policy rule comprises resetting a communication connection associated with the redirected selected message.
  - 13. The method of claim 1, wherein comparing the instant messaging protocol comprises determining whether the selected message is directed to port 5190.
  - 14. The method of claim 1, wherein comparing the instant messaging protocol comprises determining whether the selected message is directed to port 8080 and whether the selected message includes a string “
    - ?pword=%1”
      
      , wherein %1 represents a value maintained in a message traffic database.
  - 15. The method of claim 1, wherein comparing the instant messaging protocol comprises determining whether the selected message includes a string of five characters in an incoming packet header, wherein the five characters represent a signature of the instant messaging protocol.
  - 16. The method of claim 1, wherein comparing the instant messaging protocol comprises determining whether the selected message is directed to port 8080 and whether the selected message includes a string “
    - ?message=”
      
      .
  - 17. The method of claim 8, further comprising encrypting the log.
  - 18. The method of claim 8, further comprising restricting access to the log.
  - 19. The method of claim 9, wherein said generating the unique user name comprises identifying a client device using the source internet protocol (IP) address.
  - 20. The method of claim 10, wherein the defined communication connection is a defined port on the protocol message gateway associated with the computer network.
  - 21. The method of claim 19, wherein determining the unique user name further comprises determining a global user identification associated with the client device.
  - 22. The method of claim 21, wherein determining the global user identification comprises interrogating a registry associated with the client device.

23. A system for restricting usage of instant messaging in a network, the system comprising:
- a firewall operative to receive a plurality of messages leaving a computer network coupled to the firewall;
  
  a proxy enforcer executing on a computing device and in communication with the firewall, the proxy enforcer operative to identify one or more of the plurality of messages that are associated with an instant messaging protocol, the instant messaging protocol comprising an application layer protocol;
  
  a plurality of protocol definition files accessible to the proxy enforcer, wherein the proxy enforcer is further operative to compare the instant messaging protocol of each of the one or more messages with at least one of the plurality of protocol definition files;
  
  a protocol message gateway in communication with the proxy enforcer, the proxy enforcer operative to redirect to the protocol message gateway each of the one or more messages that did not previously pass through the protocol message gateway prior to being received by the firewall;
  
  the protocol message gateway further comprisingat least one protocol adapter operative to generate a data structure comprising information indicative of a communication session of each redirected message,an authentication module operative to identify a unique user name based on a screen name associated with each redirected message, the unique user name identifying an actual user of the computer network, anda policy enforcement module operative to select a policy rule for restricting the actual user'"'"'s usage of the instant messaging protocol and to apply the selected policy rule to the redirected message.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The system of claim 23, wherein the policy enforcement module of the protocol message gateway is further operative to select the policy rule based at least partly on when the redirected message is originally sent or intended to be received.
  - 25. The system of claim 23, wherein the policy enforcement module of the protocol message gateway is further operative to select the policy rule based at least partly on the size of the redirected message.
  - 26. The system of claim 23, wherein the policy enforcement module of the protocol message gateway is further operative to select the policy rule based at least partly on whether the redirected message includes an attachment.
  - 27. The system of claim 23, wherein the policy enforcement module of the protocol message gateway is further operative to select the policy rule based at least partly on whether the redirected message includes a virus.
  - 28. The system of claim 23, wherein the protocol message gateway further comprises a logging module configured to record information associated with each of the redirected messages.
  - 29. The system of claim 23, wherein the authentication module is further configured todetermine the unique user name for the actual user;
    - associate the screen name with the unique user name; and
      
      store in a database the association between the screen name and the unique user name.
  - 30. The system of claim 23, wherein the firewall further comprises a content vectoring protocol application programming interface (API) operative to communicate the redirected messages to the protocol message gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Quest Software, Inc.
Inventors
Shapiro, Dmitry, Miller, Randy, Poling, Robert, Pugh, Richard S.
Primary Examiner(s)
ZIA, SYED

Application Number

US10/459,408
Publication Number

US 20040109518A1
Time in Patent Office

2,513 Days
Field of Search

None
US Class Current

713/153
CPC Class Codes

G06Q 20/027   involving a payment switch ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0281   Proxies

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 67/56   Provisioning of proxy servi...

H04L 67/564   Enhancement of application ...

H04L 69/329   in the application layer [O...

H04L 7/00   Arrangements for synchronis...

Systems and methods for a protocol gateway

First Claim

30 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for a protocol gateway

First Claim

30 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links