Network access control based on program state
Abstract
A gateway controls access to a region of a network by either granting or denying a client machine access to the network region based on whether a particular program is running on the client machine. A program is installed on the client machine which sends a detectable indication that the program is running. When it is detected that the program is running, the gateway allows the client machine access to the network region. When the program is not detected to be running, the gateway denies the client machine access to the network region.
20 Claims
1. One or more computer-readable storage device comprising executable instructions to perform a method of controlling access, the method comprising:

granting a machine access to a first region of a network;

determining that a program that meets one or more criteria is running on said machine; and

based on said determining, granting said machine access to a second region of said network, wherein said program sends data, while said program operates, to a site that is in said network, outside of said second region, and separate from a gateway through which said machine connects to said network, and wherein said determining comprises:

sending an inquiry to said site; and

receiving, from said site in response to said inquiry, a message that indicates: (a) that an initial message was received at said site from said program, (b) that said data is continually being received by said site from said program, (c) that said program is running, and (d) that access to said second region is to be granted to said machine, said site authenticates said initial message to distinguish said initial message sent by said program from a message sent by an imposter program, said method further comprising:

subsequent to said receiving of said message from said site, said site receiving a callback that is exposed by a first component that performs said method, said site invoking said callback to indicate that conditions under which said machine is to be granted access are no longer being met, said callback being a mechanism that is exposed by said first component, said callback being invocable by a second component to report a change in said machine's authorization status, said second component being associated with a service provider.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 17.
9. A system comprising:

one or more processors;

one or more data remembrance devices;

software that is stored in one or more of said data remembrance devices and that executes on one or more of said processors, said software comprising:

a first component that receives heartbeat data from a program that runs at a first device, said first component storing said heartbeat data, and a timestamp indicating a time at which said heartbeat data is received by said first component, in a database that is stored in one or more of said data remembrance devices; and

a second component that makes a determination based at least in part on whether said heartbeat data has been received from said program within an amount of time and that, based on said determination, either (a) instructs a second device either to grant or to deny said first device access to a network region; or (b) informs said second device as to whether said heartbeat data is being received from said program; and

a server that communicates with said first device through said second device, said server communicating with said first device irrespective of whether said second device allows said first device access to said network region, said network region comprising said server and at least one location other than said server,

the system receiving an inquiry from said second device; and instructing of said second device to grant or deny said first device access to said network region, or informing of said second device as to whether said heartbeat data is being received from said program, being done by said second component in response to said inquiry, said second component instructing said second device to deny said first device access to a network region by issuing a callback exposed by said second device, said callback being a mechanism that is exposed by said second device, said callback being invocable by said second component to report a change in said first device's authorization status, said second component being associated with a service provider.

Dependent claims: 10, 11, 12, 18, 19.
13. A method of controlling use of a gateway, the method comprising:

providing, to a device, a program that sends data over a network while said program is running;

receiving, from said program, said data while said program is running;

determining that said data has ceased being received; and

based on said determining, sending a message to the gateway that either (a) informs the gateway that said program is not running on said device, or (b) instructs the gateway to deny said device access to a region of said network, said message being sent by issuing a callback exposed by said gateway, said callback being a mechanism that is exposed by said gateway, said callback being invocable by a component that performs said method to report a change in said device's authorization status, said component being associated with a service provider, wherein said region is the Internet, receiving and said sending are performed by a server that is in said region, and wherein said program communicates with said server even when said gateway has denied said device access to the Internet, said program displaying advertisements on a display while said program runs.

Dependent claims: 14, 15, 16, 20.
wherein said determining is based on said monitoring.
15. The method of claim 13, wherein said program comprises an identifier that distinguishes different instances of said program from each other, and wherein said data comprises said identifier.

16. The method of claim 13, wherein said program sends a message upon startup, and wherein the gateway allows said device access to said region of said network from a time after said message is sent until the gateway has been informed that said program is not running on said device or has been instructed to deny said device access to said region of said network.

20. The method of claim 13, further comprising:

receiving an initial message from said program, said program being operable in a plurality of modes that include a state other than running and a state other than not-running; authenticating said initial message to distinguish said initial message from a message sent by an imposter program.
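The scheme the claims describe (an initial message authenticated so an imposter program is rejected, heartbeats stored with timestamps, a gateway inquiry to the site, and a revocation callback once heartbeats cease), as an added Python illustration; this is not code from the patent or from any product implementing it. The shared HMAC key, the 30-second window and the class and method names are assumptions.

```python
import hashlib, hmac

WINDOW = 30.0  # seconds allowed between heartbeats (constructed value, not from the patent)

def initial_message(key, instance_id, nonce):
    """Program side: the startup message carries an HMAC so the site can reject imposters."""
    tag = hmac.new(key, f"{instance_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return {"id": instance_id, "nonce": nonce, "tag": tag}

class Gateway:  # stand-in gateway: keeps the allow-list and exposes the revocation callback
    def __init__(self):
        self.allowed = set()

    def revoke(self, instance_id):  # the callback the site invokes when heartbeats cease
        self.allowed.discard(instance_id)

    def inquire(self, site, instance_id, now):  # ask the site whether the program is running
        if site.is_running(instance_id, now):
            self.allowed.add(instance_id)
        else:
            self.allowed.discard(instance_id)
        return instance_id in self.allowed

class HeartbeatSite:  # site outside the protected region: stores heartbeat timestamps
    def __init__(self, key, gateway, window=WINDOW):
        self.key, self.gateway, self.window = key, gateway, window
        self.db = {}  # instance_id -> timestamp of the last heartbeat received

    def register(self, msg, now):  # authenticate the initial message before trusting the instance
        expected = initial_message(self.key, msg["id"], msg["nonce"])["tag"]
        if not hmac.compare_digest(expected, msg["tag"]):
            return False
        self.db[msg["id"]] = now
        return True

    def heartbeat(self, instance_id, now):  # heartbeats from unregistered instances are ignored
        if instance_id in self.db:
            self.db[instance_id] = now
        return instance_id in self.db

    def is_running(self, instance_id, now):
        last = self.db.get(instance_id)
        return last is not None and now - last <= self.window

    def sweep(self, now):  # detect ceased heartbeats and revoke through the gateway callback
        expired = [i for i, t in self.db.items() if now - t > self.window]
        for i in expired:
            del self.db[i]
            self.gateway.revoke(i)
        return expired
```

Timestamps are passed in explicitly so the window logic can be exercised deterministically; a deployment would use the receive time recorded by the site, as claim 9 describes.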
Specification