Network zones

US 9,003,048 B2
Filed: 04/01/2003
Issued: 04/07/2015
Est. Priority Date: 04/01/2003
Status: Active Grant

First Claim

Patent Images

1. A processor-readable storage memory having stored thereon processor-executable instructions that, responsive to execution by a client computer, cause the client computer to perform a method comprising:

defining by a module locally at the client computer a plurality of network zones each of which includes a different set of network properties and connection policies to associate networks encountered by the client computer with one of the plurality of network zones, the plurality of network zones configured to be enforced by the module to control connections of the client computer to the encountered networks;

connecting to at least one of the encountered networks;

subsequent to the connecting, assigning the at least one of the encountered networks to one of the plurality of network zones that has network properties corresponding to properties of the at least one of the encountered networks;

receiving, from an application program executing on the computer, preference information that identifies one of the plurality of network zones as a preferred network zone;

permitting communications between the application program and a network connected to the client computer that is assigned to the preferred network zone, the application program being permitted to communicate with specific network locations on the network that are defined by the preference information received from the application program; and

preventing communications between the application program and a network connected to the client computer that is not assigned to the preferred network zone, the application program being prevented from communicating with network locations on the network that are not specified in the preferred network zone.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer assigns networks to network zones based on predefined properties for each zone and/or the properties of the networks. An application program installed on the computer provides the computer with preference information that indicates the network zone whose network policies or properties are best suited for the application program. Thereafter, when executing the application program, the computer limits network contact for the application program to the network(s) that is assigned to the network zone(s) identified as a preferred network zone(s) or identified by a preferred network property or properties by the preference information from the application program.

Citations

51 Claims

1. A processor-readable storage memory having stored thereon processor-executable instructions that, responsive to execution by a client computer, cause the client computer to perform a method comprising:
- defining by a module locally at the client computer a plurality of network zones each of which includes a different set of network properties and connection policies to associate networks encountered by the client computer with one of the plurality of network zones, the plurality of network zones configured to be enforced by the module to control connections of the client computer to the encountered networks;
  
  connecting to at least one of the encountered networks;
  
  subsequent to the connecting, assigning the at least one of the encountered networks to one of the plurality of network zones that has network properties corresponding to properties of the at least one of the encountered networks;
  
  receiving, from an application program executing on the computer, preference information that identifies one of the plurality of network zones as a preferred network zone;
  
  permitting communications between the application program and a network connected to the client computer that is assigned to the preferred network zone, the application program being permitted to communicate with specific network locations on the network that are defined by the preference information received from the application program; and
  
  preventing communications between the application program and a network connected to the client computer that is not assigned to the preferred network zone, the application program being prevented from communicating with network locations on the network that are not specified in the preferred network zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A processor-readable storage memory as recited in claim 1, comprising further processor-executable instructions configured for:
    - detecting an additional network available to the client computer; and
      
      associating the additional network with an additional network zone.
  - 3. A processor-readable storage memory as recited in claim 2, wherein the associating further comprises:
    - comparing network properties of the additional network with properties of each network zone; and
      
      based on the comparison, associating the additional network with the preferred network zone.
  - 4. A processor-readable storage memory as recited in claim 2, wherein the associating further comprises:
    - connecting to the additional network;
      
      determining network properties of the additional network; and
      
      assigning the additional network to the at least one network zone based on the network properties.
  - 5. A processor-readable storage memory as recited in claim 1, comprising further processor-executable instructions configured for associating the application program with the preferred network zone.
  - 6. A processor-readable storage memory as recited in claim 1, wherein the receiving further comprises initiating an installation of the application program.
  - 7. A processor-readable storage memory as recited in claim 1, wherein the permitting a connection further comprises:
    - allowing the application program to accept a communication from the network assigned to the preferred network zone; and
      
      allowing the application program to initiate a communication to the network assigned to the preferred network zone.
  - 8. A processor-readable storage memory as recited in claim 1, wherein the preventing a connection further comprises:
    - preventing the application program from accepting a communication from the network that is connected to the client computer and which is not assigned to the preferred network zone; and
      
      preventing the application program from initiating a communication to the network not assigned to the preferred network zone.
  - 9. A processor-readable storage memory as recited in claim 2, wherein each network zone is assigned a different network.
  - 10. A processor-readable storage memory as recited in claim 2, wherein each network zone is assigned a network selected from the group comprising:
    - a home network;
      
      a corporate network; and
      
      the Internet.
  - 11. A processor-readable storage memory as recited in claim 1, wherein the preference information comprises a preferred network property used to identify the preferred network zone based on a network that possesses the preferred network property.
  - 12. A processor-readable storage memory as recited in claim 1, wherein the preference information comprises properties and connection policies that define the preferred network zone as a custom zone.

13. A processor-readable storage memory having stored thereon processor-executable instructions that, responsive to execution by a client computer, cause the client computer to perform a method comprising:
- defining via a zone module of an operating system of the client computer a plurality of network zones each of which includes a set of network properties and policies to associate networks encountered by the client computer with one of the plurality of network zones, the plurality of network zones configured to be enforced by the zone module locally at the client computer to control connections of the client computer to the encountered networks;
  
  recognizing a connection between the client computer and a first network;
  
  based on recognition of the connection, assigning the first network to a first network zone;
  
  permitting access to the first network for application programs that specify the first network zone as a preferred network zone, the application programs being permitted to communicate with network locations on the first network that are specified in the first network zone;
  
  preventing the application programs from communicating with one or more network locations on the first network that are not specified in the first network zone; and
  
  preventing access to the first network connected to the client computer for additional application programs that specify a second network zone as a preferred network zone.
- View Dependent Claims (14, 15, 16, 17)
- - 14. A processor-readable storage memory as recited in claim 13, wherein the associating further comprises:
    - determining network properties of the first network; and
      
      assigning the first network to the first network zone based on the network properties.
  - 15. A processor-readable storage memory as recited in claim 13, comprising further processor-executable instructions configured for:
    - recognizing a connection between the client computer and a second network;
      
      assigning the second network to the second network zone;
      
      permitting access to the second network for application programs that specify the second network zone as a preferred network zone; and
      
      preventing access to the second network connected to the client computer for application programs that specify the first network zone as a preferred network zone.
  - 16. A processor-readable storage memory as recited in claim 15, comprising further processor-executable instructions configured for:
    - permitting access to the first network and the second network for application programs that specify the first network zone and the second network zone as preferred network zones.
  - 17. A processor-readable storage memory as recited in claim 13, wherein the first network connection is selected from the group comprising:
    - a home network connection;
      
      a corporate network connection; and
      
      an Internet connection.

18. A processor-readable storage memory having stored thereon processor-executable instructions that, responsive to execution by a client computer, cause the client computer to perform a method comprising:
- defining via a software module integrated with the client computer a plurality of network zones such that each network zone corresponds to a different network connection policy and includes a set of network properties to assign networks encountered by the client computer with the plurality of network zones, the plurality of network zones configured to be enforced by the software module locally at the client computer to control connections of the client computer to the encountered networks;
  
  connecting to at least one of the networks encountered by the client computer;
  
  responsive to the connecting, assigning the at least one of the networks to one of the plurality of network zones that has network properties corresponding to properties of the at least one of the networks;
  
  receiving a network zone preference from an application program executed at the client computer indicating a preferred network connection policy for the application program; and
  
  based upon the network connection policy and network properties of each network zone, enforcing the preferred network connection policy according to the network zone preference during execution of the application program to control communication of the application program with networks to which the client computer is connected, the communication being controlled by at least limiting network contact for the application to communications with particular network locations that are expressed in the preferred network connection policy received from the application program, the application program being prevented from communicating with networks connected to the client computer that are not associated with a network zone that corresponds to the network zone preference, the application program being prevented from communicating with network locations that are not specified in the preferred network connection policy.
- View Dependent Claims (19)
- - 19. A processor-readable storage memory as recited in claim 18, wherein the preferred network connection policy is a custom network connection policy, the processor-readable medium comprising further processor-executable instructions configured for:
    - receiving instructions from the application program that define the custom network connection policy; and
      
      enforcing the custom network connection policy according to the instructions during execution of the application program.

20. A method implemented at least in part by a mobile computer comprising:
- defining in a module integrated with an operating system of the mobile computer a plurality of network zones each of which includes a set of network properties and policies to associate networks encountered by the mobile computer with the plurality of network zones;
  
  receiving from an application program executing on the mobile computer, a preference that specifies a preferred network zone of the plurality of network zones;
  
  assigning the application program to the preferred network zone via the module integrated with the operating system in accordance with the preference;
  
  detecting a connection between the mobile computer and a network;
  
  comparing network properties of the connected network with properties of each network zone;
  
  based on the comparison, assigning the connected network to the preferred network zone; and
  
  based on the assigning of the application program to the preferred network zone;
  
  permitting one or more communications between the application program and the network assigned to the preferred network zone, the application program being permitted to communicate with particular network locations on the network that are defined by instructions received from the application program; and
  
  preventing one or more communications between the application program and another network connected to the mobile computer that is not assigned to the preferred network zone, the application program being prevented from communicating with network locations on the network that are not specified in the preferred network zone.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. A method as recited in claim 20, wherein the receiving further comprises initiating an installation of the application program.
  - 22. A method as recited in claim 20, wherein the permitting one or more communications further comprises:
    - allowing the application program to accept a communication from the network assigned to the preferred network zone; and
      
      allowing the application program to initiate a communication to the network assigned to the preferred network zone.
  - 23. A method as recited in claim 20, wherein the preventing one or more communications further comprises:
    - preventing the application program from accepting a communication from the other network connected to the mobile computer that is not associated with the preferred network zone; and
      
      preventing the application program from initiating a communication to the other network connected to the mobile computer that is not associated with the preferred network zone.
  - 24. A method as recited in claim 20, wherein each network zone is assigned a different network.
  - 25. A method as recited in claim 20, wherein each network zone is assigned a network selected from the group comprising:
    - a home network;
      
      a corporate network; and
      
      the Internet.

26. A method implemented at least in part by a mobile computer comprising:
- defining by a module integrated with an operating system of the mobile computer a plurality of network zones each of which includes a set of network properties and policies to associate networks encountered by the mobile computer with the plurality of network zones;
  
  recognizing a connection between the mobile computer and a first network;
  
  based on the connection, assigning the first network to a first network zone;
  
  permitting access to the first network for application programs that specify the first network zone as a preferred network zone, the application programs being permitted to communicate with network locations on the first network that are specified in the first network zone;
  
  preventing the application programs from communicating with one or more network locations on the first network that are not specified in the first network zone; and
  
  preventing access to the first network connected to the mobile computer for additional application programs that specify a second network zone as a preferred network zone.
- View Dependent Claims (27, 28, 29, 30)
- - 27. A method as recited in claim 26, wherein the associating further comprises:
    - determining network properties of the first network; and
      
      assigning the first network to the first network zone based on the network properties.
  - 28. A method as recited in claim 26, further comprising:
    - recognizing a connection between the mobile computer and a second network;
      
      assigning the second network to the second network zone;
      
      permitting access to the second network for application programs that specify the second network zone as a preferred network zone; and
      
      preventing access to the second network for application programs that do not specify the second network zone as the preferred network zone.
  - 29. A method as recited in claim 28, further comprising:
    - permitting access to the first network and the second network for application programs that specify the first network zone and the second network zone as preferred network zones.
  - 30. A method as recited in claim 26, wherein the first network connection is selected from the group comprising:
    - a home network connection;
      
      a corporate network connection; and
      
      an Internet connection.

31. A method comprising:
- defining in an operating system module of a client computer a plurality of network zones such that each network zone corresponds to a different network connection policy and includes a set of network properties to associate networks encountered by the client computer with the plurality of network zones;
  
  connecting the client computer to at least one encountered network;
  
  responsive to the connecting, assigning the at least one encountered network to one of the plurality of network zones that has network properties corresponding to properties of the at least one encountered network;
  
  receiving a network zone preference from an application program executed at the client computer indicating a preferred network connection policy for the application program; and
  
  based upon the network connection policy and network properties of each network zone, enforcing the preferred network connection policy according to the network zone preference during execution of the application program to control communication of the application program with networks to which the computer is connected, the communication being controlled by at least limiting communications between the application and specific network locations on the at least on encountered network that are specified in the network zone preference received from the application program, the application program being prevented from communicating with networks connected to the client computer that are not associated with a network zone that corresponds to the network zone preference, the application program being prevented from communicating with network locations on the at least one encountered network that are not specified in the network zone preference received from the application program.
- View Dependent Claims (32)
- - 32. A method as recited in claim 31, wherein the preferred network connection policy is a custom network connection policy, the method further comprising:
    - receiving instructions from the application program that define the custom network connection policy; and
      
      enforcing the custom network connection policy according to the instructions during execution of the application program.

33. A client computer comprising:
- a processor;
  
  a memory;
  
  a zone module integrated with an operating system of the client computer stored in the memory and executable on the processor; and
  
  a plurality of network zones supported by the zone module each of which includes a set of network properties and policies to assign networks encountered by the client computer to one of the plurality of network zones,wherein the processor is configured to execute instructions in the memory to cause the zone module to;
  
  assign a network connected to the computer to a network zone when the network corresponds to the set of properties and policies for the network zone; and
  
  receive a zone preference from an application and control communication between the network and the application according to the zone preference by at least preventing the application from communicating with networks connected to the client computer that are not associated with the network zone, the communication between the network and the application being controlled by a least limiting network contact for the application to communications with specific network locations on the network that are specified in the zone preference received from the application, the application being prevented from communicating with network locations on the network that are not specified in the zone preference.
- View Dependent Claims (34)
- - 34. A client computer as recited in claim 33, wherein the zone preference:
    - identifies one or more preferred network zones including a custom zone; and
      
      includes instructions defining the set of properties and policies for the custom zone; and
      
      wherein the zone module is configured to permit communication between the application and networks assigned to the one or more preferred network zones.

35. A mobile computer comprising:
- one or more processors configured to execute instructions stored in a memory associated with the mobile computer;
  
  a zone module configured to, responsive to execution by the one or more processors;
  
  define a plurality of network zones; and
  
  based on properties and policies included with each network zone, assign a network to which the mobile computer is connected to one or more of the plurality of network zones;
  
  a zone preference received by the zone module from an application program; and
  
  a preferred network zone of the plurality of network zones specified by the zone preference;
  
  wherein the zone module is further configured to;
  
  prevent communication between the application program and any network connected to the mobile computer that is not assigned to the preferred network zone; and
  
  limit network contact for the application program to communications with specific network locations on the network that are specified in the zone preference received from the application program, the application program being prevented from communicating with network locations on the network that are not specified in the zone preference.
- View Dependent Claims (36, 37)
- - 36. A mobile computer as recited in claim 35, further comprising:
    - a plurality of network connections, each network connection assigned by the zone module to a distinct network zone of the plurality of network zones.
  - 37. A mobile computer as recited in claim 36, wherein the preferred network zone is a custom zone, and the zone preference comprises instructions defining communication policies for the application program.

38. A client computer comprising:
- one or more processors; and
  
  a memory having instructions that are executable by the one or more processors to implement a zone module that is configured to;
  
  define within an operating system of the client computer a plurality of network zones each of which includes a set of network properties and policies to associate networks encountered by the client computer with the plurality of network zones plurality of network zones;
  
  connect the client computer to at least one of the encountered networks;
  
  after connecting to the at least one of the encountered networks, assign the at least one of the encountered networks to one of the plurality of network zones that has network properties corresponding to properties of the at least one of the encountered networks;
  
  receive, from an application program executed at the client computer, a preference that specifies a preferred network zone of the plurality of network zones;
  
  permit communications between the application program and a network connected to the client computer that is assigned to the preferred network zone, the application program being permitted to communicate with specific network locations on the network that are defined by the instructions in the preference received from the application program; and
  
  prevent communications between the application program and a network connected to the client computer that is not assigned to the preferred network zone, the application program being prevented from communicating with network locations on the network that are not specified in the preferred network zone.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45)
- - 39. A client computer as recited in claim 38, wherein the zone module is further configured to:
    - detect an additional network available to the client computer; and
      
      assign the additional network to an additional network zone of the plurality of network zones.
  - 40. A client computer as recited in claim 39, wherein the zone module is further configured to:
    - compare network properties of the additional network with properties of each network zone; and
      
      assign the additional network to the preferred network zone based on the comparison.
  - 41. A client computer as recited in claim 39, wherein the zone module is further configured to:
    - connect to the additional network;
      
      determine network properties of the additional network; and
      
      assign the network to the additional network zone based on the network properties.
  - 42. A client computer as recited in claim 38, wherein the zone module is further configured to associate the application program with the preferred network zone.
  - 43. A client computer as recited in claim 38, wherein the zone module is further configured to initiate an installation of the application program.
  - 44. A client computer as recited in claim 38, wherein the zone module is further configured to:
    - allow the application program to accept a communication from the network connected to the client computer that is assigned to the preferred network zone; and
      
      allow the application program to initiate a communication to the network connected to the client computer that is assigned to the preferred network zone.
  - 45. A client computer as recited in claim 38, wherein the zone module is further configured to:
    - prevent the application program from accepting a communication from the network connected to the client computer that is not assigned to the preferred network zone; and
      
      prevent the application program from initiating a communication to the network connected to the client computer that is not assigned to the preferred network zone.

46. A mobile computer comprising:
- one or more processors; and
  
  a memory having instructions that are executable by the one or more processors to implement a zone module that is configured to;
  
  define within an operating system of the mobile computer a plurality of network zones each of which includes a set of network properties and policies to associate networks encountered by the mobile computer with the plurality of network zones;
  
  recognize a connection between the mobile computer and a first network;
  
  assign the first network to a first network zone in response to the connection being recognized between the mobile computer and the first network;
  
  permit access to the first network for application programs that specify the first network zone as a preferred network zone, the application programs being permitted to communicate with network locations on the first network that are specified in the first network zone;
  
  prevent the application programs from communicating with one or more network locations on the first network that are not specified in the first network zone; and
  
  prevent access to the first network connected to the mobile computer for application programs that specify a second network zone as a preferred network zone.
- View Dependent Claims (47, 48, 49)
- - 47. A mobile computer as recited in claim 46, wherein the zone module is further configured to:
    - determine network properties of the first network; and
      
      assign the first network to the custom zone based on the network properties.
  - 48. A mobile computer as recited in claim 46, wherein the zone module is further configured to:
    - recognize a connection between the mobile computer and a second network;
      
      assign the second network to the second network zone;
      
      permit access to the second network for application programs that specify the second network zone as a preferred network zone; and
      
      prevent access to the second network for application programs that specify the first network zone as a preferred network zone.
  - 49. A mobile computer as recited in claim 48, wherein the zone module is further configured to:
    - permit access to the first network and the second network for application programs that specify the first network zone and the second network zone as preferred network zones.

50. A client computer comprising:
- one or more processors; and
  
  a memory having instructions that are executable by the one or more processors to implement a zone module that is configured to;
  
  define within an operating system of the client computer a plurality of network zones such that each network zone corresponds to a different network connection policy and includes a set of network properties to associate networks encountered by the client computer with the plurality of network zones;
  
  connect the client computer to at least one encountered network;
  
  responsive to the connecting, assign the at least one encountered network to one of the plurality of network zones that has network properties corresponding to properties of the at least one encountered network;
  
  receive a network zone preference from an application program indicating a preferred network connection policy for the application program; and
  
  based upon the network connection policy and network properties of each network zone, enforce the preferred network connection policy according to the network zone preference during execution of the application program to control communications between the application program and networks to which the computer is connected, the communications of the application program being controlled by at least preventing the application program from communicating with networks connected to the client computer that are not associated with a network zone corresponding to the network zone preference, the communications being further controlled by at least;
  
  limiting network contact for the application to communications with particular network locations on the at least one network that are expressed in the preferred network connection policy received from the application program; and
  
  preventing the application program from communicating with network locations on the at least one network that are not specified in the zone preference.
- View Dependent Claims (51)
- - 51. A client computer as recited in claim 50, wherein the preferred network connection policy is a custom network connection policy, the zone module further configured to:
    - receive instructions from the application program that define the custom network connection policy; and
      
      enforce the custom network connection policy according to the instructions during execution of the application program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Shelest, Art, Ward, Richard B.
Primary Examiner(s)
Daftuar, Saket K

Application Number

US10/405,972
Publication Number

US 20040199648A1
Time in Patent Office

4,389 Days
Field of Search

709/218, 709224-227, 709/229, 709/201, 709/202, 709/203, 709/217, 709/219, 709/220, 709/221, 709/222, 709/223, 709/228, 709/249, 709/250, 713/201, 726/3
US Class Current

709/229
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 47/803   Application aware

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

Network zones

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Network zones

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links