Access network dynamic firewall

US 7,743,158 B2
Filed: 12/04/2002
Issued: 06/22/2010
Est. Priority Date: 12/04/2002
Status: Active Grant

First Claim

Patent Images

1. A network system comprising:

a network, wherein the network includes a network edge point configured to provide access to the network; and

a terminal, wherein the terminal is coupled to the network edge point and communicates with the network via the network edge point;

wherein the network edge point has a security policy that includes a personal filter which is provided by the terminal and which is applicable exclusively to the terminal and which customizes the security policy for network communications between the network and the terminal.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network system includes a network edge point configured to provide a terminal with access to a network. The network edge point includes a security policy associated with the terminal, and controls communications between the network and the terminal according to the security policy. The security policy may include a personal filter downloaded from the terminal, a service filter downloaded from a service policy server, and/or a domain filter downloaded from a domain policy server. The terminal may access the network through a second network edge point. The second network edge point may download one or more of the filters from the first network edge point, and control communications between the network and the terminal according to the security policy.

47 Citations

View as Search Results

26 Claims

1. A network system comprising:
- a network, wherein the network includes a network edge point configured to provide access to the network; and
  
  a terminal, wherein the terminal is coupled to the network edge point and communicates with the network via the network edge point;
  
  wherein the network edge point has a security policy that includes a personal filter which is provided by the terminal and which is applicable exclusively to the terminal and which customizes the security policy for network communications between the network and the terminal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network system of claim 1, wherein the network edge point integrates the personal filter into the security policy.
  - 3. The network system of claim 2, wherein the personal filter is defined by a user of the terminal.
  - 4. The network system of claim 1, wherein the personal filter replaces a default filter defined by a network administrator.
  - 5. The network system of claim 1, wherein the network edge point includes a domain filter, and the network edge point integrates the domain filter into the security policy.
  - 6. The network system of claim 1, further including a domain policy server coupled to the network, wherein the domain policy server includes a domain filter, the domain policy server transmits the domain filter to the network edge point, and the network edge point integrates the domain filter into the security policy.
  - 7. The network system of claim 1, further including a service policy server coupled to the network, wherein the service policy server includes a service filter, the service policy server transmits the service filter to the network edge point, and the network edge point integrates the service filter into the security policy.
  - 8. The network system of claim 1, wherein the security policy is an integrated filter table comprising a personal filter received from the terminal and a service filter received from a service policy server.
  - 9. The network system of claim 8, wherein the integrated filter table further comprises a domain filter received from a domain policy server.

10. A method of securing communications in a network, comprising the steps of:
- sending a service filter from a service policy server to a network edge point;
  
  sending a personal filter from a terminal to the network edge point, the personal filter being applicable exclusively to the terminal, customizing a security policy that governs communications between the terminal and the network at the network edge point;
  
  integrating the service filter and the personal filter into an integrated filter table; and
  
  filtering traffic to the terminal at the network edge point according to the integrated filter table.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein the service filter is enforced if the service filter and the personal filter conflict.
  - 12. The method of claim 10, further including the step of sending an access notification message to the terminal in response to unknown traffic arriving at the network edge point.
  - 13. The method of claim 12, further including the steps of sending a second personal filter to the network edge point in response to the access notification message, and integrating the second personal filter into the integrated filter table.
  - 14. The method of claim 10, further including the step of sending an access notification message to the service policy server in response to unknown traffic arriving at the network edge point.
  - 15. The method of claim 14, further including the steps of sending a second service filter to the network edge point in response to the access notification message, and integrating the second service filter into the integrated filter table.
  - 16. The method of claim 10, wherein the personal filter includes an internet protocol address.
  - 17. The method of claim 10, wherein the personal filter includes a media access control address.
  - 18. The method of claim 10, wherein the service filter includes a service access port, further including the step of sending an access notification message to the service policy server in response to traffic including the service access port arriving at the network edge point.
  - 19. The method of claim 18, further including the step of tracking the traffic for billing purposes in response to the access notification message.

20. A method of securing communications in a network, comprising the steps of:
- sending a personal filter from a terminal to a first network edge point, the personal filter being applicable exclusively to the terminal, customizing a security policy that governs communications between the terminal and the network at the network edge point;
  
  sending the personal filter from the first network edge point to a second network edge point, when the terminal hands-off from the first network edge point to the second network edge point; and
  
  filtering traffic to the terminal at the second network edge point according to the personal filter.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The method of claim 20, further including the step of mutually authenticating the terminal and the first network edge point.
  - 22. The method of claim 20, further including the step of authenticating the terminal with the second network edge point.
  - 23. The method of claim 20, further including the step of authenticating the first network edge point with the second network edge point.
  - 24. The method of claim 20, further including the step of filtering traffic at the first network edge point according to the personal filter.
  - 25. The method of claim 20, further including the steps of sending a service filter from a service policy server to the first network edge point, sending the service filter from the first network edge point to the second network edge point, and filtering traffic at the second network edge point according to the service filter.
  - 26. The method of claim 20, wherein the step of sending the personal filter from the first network edge point to the second network edge point further includes sending the personal filter after authenticating the terminal with the second network edge point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Godo Kaisha IP Bridge 1 (IP Bridge, Inc.)
Original Assignee
NTT Docomo Incorporated (Nippon Telegraph and Telephone Corporation)
Inventors
Wood, Jonathan, Fu, Guangrui, Kawahara, Toshiro, Funato, Daichi
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
WASEL, MOHAMED A

Application Number

US10/310,164
Publication Number

US 20040111519A1
Time in Patent Office

2,757 Days
Field of Search

709217-219, 709/227, 709/229.Z, 709/229
US Class Current

709/229
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0869   for achieving mutual authen...

H04L 63/20   for managing network securi...

Access network dynamic firewall

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Access network dynamic firewall

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others