System providing internet access management with router-based policy enforcement
First Claim
1. In a system comprising one or more client computers connected to the Internet by client premises equipment serving a routing function for client computers, a method for managing Internet access based on a specified access policy, the method comprising:
- transmitting a plurality of challenges over a period of time from said client premises equipment to each client computer, for determining whether a given client computer remains in compliance with said specified access policy during said period of time;
- transmitting a response from at least one client computer back to said client premises equipment for responding to each of said challenges that has been issued; and
- blocking Internet access for any client computer that does not respond appropriately to any challenge issued to it, wherein said access policy specifies applications that are allowed Internet access and wherein said applications are specified by executable name and version number that are acceptable.
Abstract
A computing environment with methods for monitoring access to an open network such as the Internet is described. The system includes one or more client computers, each operating applications (e.g., Netscape Navigator or Microsoft Internet Explorer) requiring access to an open network, such as a WAN or the Internet, and a router or other equipment that serves a routing function (e.g., a cable modem) for the client computers. A centralized security enforcement module on the router maintains access rules for the client computers and verifies the existence and proper operation of a client-based security module on each client computer. The router-side security module periodically sends out a router challenge via Internet broadcast to the local computers on the network. If the client-side security module is installed and properly operating, the client-side security module responds to the router challenge. The responses received by the router-side security module are maintained in a table. Each time the router receives a request from a client computer to connect to the Internet, the router-side security module reviews the table and analyzes whether or not the computer requesting a connection to the Internet properly responded to the most recent router challenge. If it determines that the computer has properly responded to the router challenge, then it permits the computer to connect to the Internet. If a computer has not properly responded or if a computer has not answered the router challenge, then the computer is not allowed to connect to the Internet as requested.
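As an added illustration that is not part of the patent, the following Python simulation models the router-side enforcement module described in the abstract: it broadcasts a nonce challenge, records each client's response in a table, checks the reported applications against an executable-name and version policy, and decides each connection request from the most recent challenge, either blocking (claim 1) or redirecting to a sandbox (claim 22). The HMAC over a shared key, the JSON message layout and the policy values are assumptions of this example, not details given in the patent.

```python
import hashlib
import hmac
import json
import secrets
# Access policy from the claims: executable name -> acceptable version numbers
# (constructed sample values, not taken from the patent).
POLICY = {"navigator.exe": {"4.7", "4.8"}, "iexplore.exe": {"5.0"}}

# Assumption not in the patent: responses carry an HMAC under a key shared by
# the router and client modules, so a host without the module cannot forge one.
SHARED_KEY = b"constructed-demo-key"

def client_respond(client_id, nonce, apps, key=SHARED_KEY):
    """Client-side module: report running apps, bound to the router's nonce."""
    body = json.dumps({"id": client_id, "nonce": nonce, "apps": apps}, sort_keys=True)
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class RouterEnforcer:
    def __init__(self, policy, key=SHARED_KEY, noncompliant_action="block"):
        self.policy, self.key = policy, key
        # "block" models claim 1; "sandbox" models the redirect of claim 22
        self.noncompliant_action = noncompliant_action
        self.current_nonce = None
        self.table = {}  # client id -> (nonce it answered, compliant?)

    def issue_challenge(self):
        """Broadcast a fresh, unpredictable challenge to the local network."""
        self.current_nonce = secrets.token_hex(8)
        return self.current_nonce

    def receive_response(self, body, mac):
        """Record a client's answer; reject forged, stale or replayed ones."""
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        msg = json.loads(body)
        if msg["nonce"] != self.current_nonce:
            return False
        # every reported application must be an allowed name at an allowed version
        compliant = all(name in self.policy and ver in self.policy[name]
                        for name, ver in msg["apps"].items())
        self.table[msg["id"]] = (msg["nonce"], compliant)
        return True

    def decide(self, client_id):
        """Run on each Internet connection request from client_id."""
        entry = self.table.get(client_id)
        if entry is None or entry[0] != self.current_nonce:
            return "block"  # never answered, or missed the most recent challenge
        return "allow" if entry[1] else self.noncompliant_action
```

A client that answered an earlier challenge but not the current one is blocked again, which is the "most recent router challenge" rule from the abstract.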
59 Claims
1. Independent claim 1 is set out under First Claim above (dependent claims 2 to 21).
22. In a system comprising one or more client computers connected to the Internet by client premises equipment serving a routing function for client computers, a method for managing Internet access based on a specified access policy, the method comprising:
- transmitting a plurality of challenges over a period of time from said client premises equipment to each client computer, for determining whether a given client computer is in compliance with said specified access policy during said period of time;
- transmitting a response from at least one client computer back to said client premises equipment for responding to said challenge that has been issued; and
- redirecting a request for Internet access by any client computer that does not respond appropriately to any challenge issued to it to a sandbox server, wherein said access policy specifies executable names and version number of applications that are allowed Internet access.
(Dependent claims 23 to 41.)
42. A system for regulating Internet access by client computers comprising:
- an access policy governing Internet access by said client computers;
- client premises equipment serving a routing function for each client computer to be regulated and capable of issuing a plurality of challenges over a period of time to each client computer, for determining whether a given client computer is in compliance with said access policy during said period of time;
- one or more client computers which can connect to the Internet and at least one of which can respond to challenges issued by said client premises equipment; and
- an enforcement module for selectively blocking Internet access to the Internet for any client computers that fail to respond in a manner that would establish that they are in compliance with said access policy, wherein said access policy specifies applications that are allowed Internet access and wherein said applications are specified by executable name and version number that are acceptable.
(Dependent claims 43 to 59.)