System providing internet access management with router-based policy enforcement

US 8,200,818 B2
Filed: 08/30/2001
Issued: 06/12/2012
Est. Priority Date: 07/06/2001
Status: Active Grant

First Claim

Patent Images

1. In a system comprising one or more client computers connected to the Internet by client premises equipment serving a routing function for client computers, a method for managing Internet access based on a specified access policy, the method comprising:

transmitting a plurality of challenges over a period of time from said client premises equipment to each client computer, for determining whether a given client computer remains in compliance with said specified access policy during said period of time;

transmitting a response from at least one client computer back to said client premises equipment for responding to each of said challenges that has been issued; and

blocking Internet access for any client computer that does not respond appropriately to any challenge issued to it,wherein said access policy specifies applications that are allowed Internet access and wherein said applications are specified by executable name and version number that are acceptable.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing environment with methods for monitoring access to an open network such as the Internet, is described. The system includes one or more client computers, each operating applications (e.g., Netscape Navigator or Microsoft Internet Explorer) requiring access to an open network, such as a WAN or the Internet, and a router or other equipment that serves a routing function (e.g., a cable modem) for the client computers. A centralized security enforcement module on the router maintains access rules for the client computers and verifies the existence and proper operation of a client-based security module on each client computer. The router-side security module periodically sends out a router challenge via Internet broadcast to the local computers on the network. If the client-side security module is installed and properly operating, the client-side security module responds to the router challenge. The responses received by the router-side security module are maintained in a table. Each time the router receives a request from a client computer to connect to the Internet, the router-side security module reviews the table and analyzes whether or not the computer requesting a connection to the Internet properly responded to the most recent router challenge. If it determines that the computer has properly responded to the router challenge, then it permits the computer to connect to the Internet. If a computer has not properly responded or if a computer has not answered the router challenge, then the computer is not allowed to connect to the Internet as requested.

234 Citations

59 Claims

1. In a system comprising one or more client computers connected to the Internet by client premises equipment serving a routing function for client computers, a method for managing Internet access based on a specified access policy, the method comprising:
- transmitting a plurality of challenges over a period of time from said client premises equipment to each client computer, for determining whether a given client computer remains in compliance with said specified access policy during said period of time;
  
  transmitting a response from at least one client computer back to said client premises equipment for responding to each of said challenges that has been issued; and
  
  blocking Internet access for any client computer that does not respond appropriately to any challenge issued to it,wherein said access policy specifies applications that are allowed Internet access and wherein said applications are specified by executable name and version number that are acceptable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein a client computer that does not respond at all is blocked from Internet access.
  - 3. The method of claim 1, wherein a client computer that responds with a particular predefined code indicating non-compliance is blocked from Internet access.
  - 4. The method of claim 1, wherein a client computer that responds with a particular predefined code indicating compliance is permitted Internet access.
  - 5. The method of claim 1, further comprising:
    - before receipt of a challenge, transmitting an initial message from a particular client computer to the client premises equipment, for requesting the client premises equipment to transmit a challenge to that particular client computer.
  - 6. The method of claim 5, wherein said initial message comprises a “
    - client hello”
      
      packet.
  - 7. The method of claim 1, wherein said client premises equipment is capable of permitting Internet access by selected client computers and denying access to other client computers.
  - 8. The method of claim 1, wherein said access policy specifies rules that govern Internet access by the client computers.
  - 9. The method of claim 8, wherein said step of blocking Internet access includes:
    - determining whether permitting Internet access for a given client computer would violate any of said rules, andif permitting such Internet access would violate any of said rules, denying Internet access for that client computer.
  - 10. The method of claim 1, wherein said access policy includes rules that are enforced against selected ones of users, computers, and groups thereof.
  - 11. The method of claim 1, wherein said access policy specifies which applications are allowed Internet access.
  - 12. The method of claim 1, wherein said applications are specified by digital signatures that are acceptable.
  - 13. The method of claim 12, wherein said digital signatures are computed using a cryptographic hash.
  - 14. The method of claim 13, wherein said cryptographic hash comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic hashes.
  - 15. The method of claim 1, wherein said access policy specifies Internet access activities that are permitted or restricted for applications or versions thereof.
  - 16. The method of claim 1, wherein said access policy specifies rules that are transmitted to client computers from a remote location.
  - 17. The method of claim 16 wherein said remote location comprises a centralized location for maintaining said access policy.
  - 18. The method of claim 1, wherein said step of blocking Internet access includes:
    - determining, based on identification of a particular client computer or group thereof, a specific subset of rules filtered for that particular client computer or group thereof.
  - 19. The method of claim 1, wherein said challenge includes a request for a particular client computer to respond as to whether it is in compliance with said access policy.
  - 20. The method of claim 1, further comprising:
    - redirecting a client computer that is not in compliance with said access policy to a sandbox server; and
      
      informing such client computer that it is not in compliance with said access policy.
  - 21. The method of claim 20 further comprising:
    - redirecting a client computer that is not in compliance with a particular access policy, to a particular port on the sandbox server; and
      
      displaying particular error message pages on the sandbox server in response to communications on particular ports.

22. In a system comprising one or more client computers connected to the Internet by client premises equipment serving a routing function for client computers, a method for managing Internet access based on a specified access policy, the method comprising:
- transmitting a plurality of challenges over a period of time from said client premises equipment to each client computer, for determining whether a given client computer is in compliance with said specified access policy during said period of time;
  
  transmitting a response from at least one client computer back to said client premises equipment for responding to said challenge that has been issued; and
  
  redirecting a request for Internet access by any client computer that does not respond appropriately to any challenge issued to it to a sandbox server,wherein said access policy specifies executable names and version number of applications that are allowed Internet access.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 23. The method of claim 22, further comprising:
    - displaying an error message on the sandbox server to any client computer that does not respond appropriately to said challenge.
  - 24. The method of claim 23, further comprising:
    - after display of such error message, permitting said client computer to elect to access the Internet.
  - 25. The method of claim 22, wherein a client computer that responds with a particular predefined code indicating non-compliance is redirected to said sandbox server.
  - 26. The method of claim 22, wherein a client computer that responds with a particular predefined code indicating compliance is permitted Internet access.
  - 27. The method of claim 22, further comprising:
    - before receipt of a challenge, transmitting an initial message from a particular client computer to the client premises equipment, for requesting the client premises equipment to transmit a challenge to that particular client computer.
  - 28. The method of claim 27, wherein said initial message comprises a “
    - client hello”
      
      packet.
  - 29. The method of claim 22, wherein said client premises equipment is capable of permitting Internet access by selected client computers and redirecting other client computers to the sandbox server.
  - 30. The method of claim 22, wherein said access policy includes rules that are enforced against selected ones of users, computers, and groups thereof.
  - 31. The method of claim 22, wherein said access policy specifies which applications are allowed Internet access.
  - 32. The method of claim 22, wherein said access policy specifies Internet access activities that are permitted or restricted for applications or versions thereof.
  - 33. The method of claim 22, wherein said access policy specifies rules that are transmitted to client computers from a remote location.
  - 34. The method of claim 33, wherein said remote location comprises a centralized location for maintaining said access policy.
  - 35. The method of claim 22, wherein said step of redirecting a request for Internet access by a client computer includes:
    - determining, based on identification of a particular client computer or group thereof, a specific subset of rules filtered for that particular client computer or group thereof.
  - 36. The method of claim 22, wherein said challenge includes a request for a particular client computer to respond as to whether it is in compliance with said access policy.
  - 37. The method of claim 22, further comprising:
    - redirecting a client computer that is not in compliance with a particular access policy, to a particular port on the sandbox server; and
      
      displaying particular error messages on the sandbox server in response to communications on particular ports.
  - 38. The method of claim 22, further comprising:
    - permitting client computers that are not in compliance with particular access policies to elect to access the Internet; and
      
      blocking computers that are not in compliance with other access policies from accessing the Internet.
  - 39. The method of claim 22, wherein said access policy specifies which applications are allowed Internet access, and wherein said applications are specified by digital signatures which are acceptable.
  - 40. The method of claim 39, wherein said digital signatures are computed using a cryptographic hash.
  - 41. The method of claim 40, wherein said cryptographic hash comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic hashes.

42. A system for regulating Internet access by client computers comprising:
- an access policy governing Internet access by said client computers;
  
  client premises equipment serving a routing function for each client computer to be regulated and capable of issuing a plurality of challenges over a period of time to each client computer, for determining whether a given client computer is in compliance with said access policy during said period of time;
  
  one or more client computers which can connect to the Internet and at least one of which can respond to challenges issued by said client premises equipment; and
  
  an enforcement module for selectively blocking Internet access to the Internet for any client computers that fail to respond in a manner that would establish that they are in compliance with said access policy,wherein said access policy specifies applications that are allowed Internet access and wherein said applications are specified by executable name and version number that are acceptable.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 43. The system of claim 42, wherein said client premises equipment includes a router.
  - 44. The system of claim 42, wherein said access policy is provided at each client computer to be regulated.
  - 45. The system of claim 42, wherein said enforcement module is provided at said client premises equipment.
  - 46. The system of claim 42, wherein said at least one client computer which can respond to challenges responds with a particular predefined code indicating noncompliance with said access policy and is blocked from Internet access.
  - 47. The system of claim 42, wherein a client computer that responds with a particular predefined code indicating compliance with said access policy is permitted Internet access.
  - 48. The system of claim 42, wherein at least one of the client computer is capable of transmitting an initial message to the client premises equipment before receipt of a challenge, for requesting the client premises equipment to transmit a challenge to that particular client computer.
  - 49. The system of claim 42, wherein said enforcement module is capable of permitting Internet access by selected client computers and denying access to other client computers.
  - 50. The system of claim 42, wherein said access policy includes rules that are enforced against selected ones of users, computers, and groups thereof.
  - 51. The system of claim 50, wherein said enforcement module is capable of determining, based on identification of a particular client computer or group thereof, a specific subset of said access policies filtered for that particular client computer or group thereof.
  - 52. The system of claim 42, wherein said access policy specifies types of activities which applications are allowed to perform or restricted from performing.
  - 53. The system of claim 42, wherein said applications are specified by digital signatures that are acceptable.
  - 54. The system of claim 53, wherein said digital signatures are computed using a cryptographic hash.
  - 55. The system of claim 54, wherein said cryptographic hash comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic hashes.
  - 56. The system of claim 42, further comprising:
    - a sandbox server to which client computers that are not in compliance with said access policy are redirected.
  - 57. The system of claim 56, wherein said sandbox server informs non-compliant client computers that they are not in compliance with said access policy.
  - 58. The system of claim 57, wherein said client computers client computers may elect to access the Internet after being informed that they are not in compliance with said access policy.
  - 59. The system of claim 56, wherein:
    - said enforcement module is capable of redirecting a client computer that is not in compliance with a particular access policy to a particular port on the sandbox server; and
      
      said sandbox server is capable of displaying particular error message pages in response to communications on particular ports.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Freund, Gregor Paul, Haycock, Keith Allan, Herrmann, Conrad Kamaha'o
Primary Examiner(s)
DIVECHA, KAMAL B

Application Number

US09/944,057
Publication Number

US 20030055962A1
Time in Patent Office

3,939 Days
Field of Search

709/217, 709/225, 709/244, 709/203, 709/229, 709/232
US Class Current

709/225
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/104   Grouping of entities

H04L 63/145   the attack involving the pr...

System providing internet access management with router-based policy enforcement

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

234 Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

System providing internet access management with router-based policy enforcement

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

234 Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links