Internet isolation for avoiding internet security threats

US 9,942,198 B2
Filed: 01/27/2012
Issued: 04/10/2018
Est. Priority Date: 01/27/2011
Status: Active Grant

First Claim

Patent Images

1. A networked system comprising:

a local area network; and

a connection on the local area network communicating with an Internet; and

a plurality of computer systems coupled to the local area network;

each computer system of the plurality of computer systems operating as a host system according to stored data corresponding to an operating system and one or more program applications;

each computer system supporting operation of a respective virtual computer system that is separated and isolated from the host system by an internal firewall, wherein a local host-based firewall is configured to implement a first policy when the computer system is connected to the local area network and a second policy when the computer system is not connected to the local area network, wherein the first policy permits at least one or more communications between the host system of the computer system and one or more resources on the local area network using a second browser program running on the host system outside of the virtual computer system, and the second policy blocks at least communications egressing from the second browser program running on the host system of the computer system but allows communications egressing from a first browser program of the virtual computer system;

the local area network having a respective virtual conduit connection between each of said virtual computer systems and a virtual private network termination point on the local area network, and each virtual conduit connection is associated with a respective Internet Protocol (IP) address;

each virtual computer system comprising the first browser program that communicates via the respective virtual conduit connection over the local area network with the connection to the Internet such that said virtual computer system is enabled to access sites on the Internet through said virtual conduit connection without exposing the host system;

wherein each virtual computer system is isolated against any other communication with or over the local area network except for the communication through the respective virtual conduit connection; and

wherein each virtual computer system is isolated so as to prevent any communication of data to the respective host system from the virtual computer system operating thereon, except for a predetermined set of types of permitted data transfers therebetween; and

wherein the predetermined set of types of permitted data transfers from the virtual computer system to the host computer system is limited to transfers of data that are initiated by receiving an input from a user.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host computer supports a virtual guest system running thereon. The host system has a firewall that prevents it from communicating directly with the Internet, except with predetermined trusted sites. The virtual guest runs on a hypervisor, and the virtual guest comprises primarily a browser program that is allowed to contact the Internet freely via an Internet access connection that is completely separate from the host computer connection, such as a dedicated network termination point with its specific Internet IP address, or by tunneling through the host machine architecture to reach the Internet without exposing the host system. The virtual guest system is separated and completely isolated by an internal firewall from the host, and the guest cannot access any of the resources of the host computer, except that the guest can initiate cut, copy and paste operations that reach the host, and the guest can also request print of documents. The host can transfer files to and from a virtual data storage area accessible by the guest by manual operator action. No other transfer of data except these user initiated actions is permitted.

46 Citations

View as Search Results

23 Claims

1. A networked system comprising:
- a local area network; and
  
  a connection on the local area network communicating with an Internet; and
  
  a plurality of computer systems coupled to the local area network;
  
  each computer system of the plurality of computer systems operating as a host system according to stored data corresponding to an operating system and one or more program applications;
  
  each computer system supporting operation of a respective virtual computer system that is separated and isolated from the host system by an internal firewall, wherein a local host-based firewall is configured to implement a first policy when the computer system is connected to the local area network and a second policy when the computer system is not connected to the local area network, wherein the first policy permits at least one or more communications between the host system of the computer system and one or more resources on the local area network using a second browser program running on the host system outside of the virtual computer system, and the second policy blocks at least communications egressing from the second browser program running on the host system of the computer system but allows communications egressing from a first browser program of the virtual computer system;
  
  the local area network having a respective virtual conduit connection between each of said virtual computer systems and a virtual private network termination point on the local area network, and each virtual conduit connection is associated with a respective Internet Protocol (IP) address;
  
  each virtual computer system comprising the first browser program that communicates via the respective virtual conduit connection over the local area network with the connection to the Internet such that said virtual computer system is enabled to access sites on the Internet through said virtual conduit connection without exposing the host system;
  
  wherein each virtual computer system is isolated against any other communication with or over the local area network except for the communication through the respective virtual conduit connection; and
  
  wherein each virtual computer system is isolated so as to prevent any communication of data to the respective host system from the virtual computer system operating thereon, except for a predetermined set of types of permitted data transfers therebetween; and
  
  wherein the predetermined set of types of permitted data transfers from the virtual computer system to the host computer system is limited to transfers of data that are initiated by receiving an input from a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The networked system of claim 1, wherein a network firewall is interposed between the Internet and the local area network, and said network firewall is configured to block communications between untrusted destinations on the Internet and local area network resources while allowing communications utilizing the virtual conduit connection to access the Internet.
  - 3. The networked system of claim 1, wherein one or more of the computer systems correspond to a computer work station or a laptop computer.
  - 4. The networked system of claim 1, wherein the host system is at least partially blocked from communicating over the Internet via one or more predetermined ports of said computer system by said local host-based firewall.
  - 5. The networked system of claim 1, wherein the host system is blocked against communicating with any destination resource except for destination resources defined by predetermined whitelist data identifying trusted destination resources and/or ports.
  - 6. The networked system of claim 1, wherein the virtual computer system is defined by a hypervisor program data stored as data accessible to and running on the computer system that isolates the virtual computer system from the host system.
  - 7. The networked system of claim 1, wherein the user of the computer system activates the virtual computer system by starting the first browser program that runs in the virtual computer system.
  - 8. The networked system of claim 1, wherein the computer system stores data defining a pristine version of the virtual computer system, and the computer system is configured to restore the virtual computer system to a pristine version thereof based on an input received from a user interface.
  - 9. The networked system of claim 1, wherein the set of permitted data transfers is a set of one or more elements selected from the group consisting of:
    - cutting or copying;
      
      pasting;
      
      printing; and
      
      transferring files.

10. A method for a user to browse the Internet, said method comprising:
- providing a local area network;
  
  providing a connection on the local area network communicating with the Internet; and
  
  providing a plurality of computer systems coupled to the local area network, each computer system of the plurality of computer systems operating as a host system according to stored data corresponding to an operating system and one or more program applications, each computer system supporting operation of a respective virtual computer system that is separated and isolated from the host system by an internal firewall, wherein a local host-based firewall is configured to implement a first policy when the computer system is connected to the local area network and a second policy when the computer system is not connected to the local area network, wherein the first policy permits one or more communications between the host system of the computer system and one or more resources on the local area network using at least a second browser program running on the host system outside of the virtual computer system, and the second policy blocks at least communications egressing from the second browser program of the host system of the computer system but allows communications egressing from at least a first browser program of the virtual computer system, the local area network having a respective virtual conduit connection between each of said virtual computer systems and a virtual private network termination point on the local area network, and each virtual conduit connection is associated with a respective Internet Protocol (IP) address, each virtual computer system comprising the first internet browser program that communicates via the respective virtual conduit connection over the local area network with the connection to the Internet such that said virtual computer system is enabled to access sites on the Internet through said virtual conduit connection without exposing the host system;
  
  accessing the Internet using the first browser program running on the virtual computer system via a virtual private network conduit through the local area network to an Internet connection;
  
  providing restricted communication of data from the virtual computer system to the host system that is limited to transfers of data that are initiated by receiving an input initiated by the user;
  
  providing the second browser program running on the host system outside of the virtual computer system, wherein communications associated with the second browser program running on the host system are processed using a local host-based firewall;
  
  responsive to an input by the user to access a site, determining whether or not the site is a predetermined trusted site;
  
  accessing the site using the first browser program on condition that the site is determined not to be a predetermined trusted site;
  
  displaying the site using the first browser program on condition that the site is determined not to be a predetermined trusted site;
  
  accessing the site using the second browser program on condition that the site is determined to be a predetermined trusted site, wherein a request to access the site from the second browser program is allowed by the local host-based firewall on condition that the site is determined to be a predetermined trusted site; and
  
  displaying the site using the second browser program on condition that the site is determined to be a predetermined trusted site.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, and said method further comprising determining possible infection of the host computer system responsive to at least a detection of the host system accessing one or more predetermined ports.
  - 12. The method of claim 10, wherein the virtual computer system is created by a hypervisor program stored as data accessible to and running on the host computer system, said method further comprising:
    - storing an original version of data defining the virtual computer system and software running thereon; and
      
      restoring the original version of said data so as to restore the virtual computer system to said original version thereof responsive to input instruction from the user or periodically without input form the user.
  - 13. The method of claim 10, wherein the communication of data between the host and virtual computer systems is restricted so as to be limited to transfers of data selected from the group consisting ofcutting or copying;
    - pasting;
      
      printing; and
      
      transferring files.
  - 14. The method of claim 10, wherein the second browser program is used for accessing one or more resources on the local area network.

15. A computerized work station comprising:
- a computer operatively connected to one or more user input devices, a display device, and computer-accessible data storage configured to store computer-readable instructions for an operating system and one or more applications programs that run on said operating system;
  
  an interface configured to connect to a local area network (LAN) having a connection to an Internet, wherein the computer comprises a virtual computer system and a host system, and the virtual computer system is separated and isolated from the host system by an internal firewall;
  
  a local host-based firewall configured implement a first policy when connected to the local area network and a second policy when not connected to the local area network, wherein the first policy permits at least one or more communications between the host system of the computer system and one or more resources on the local area network using a second browser program running on the host system outside of the virtual computer system, and the second policy blocks at least communications egressing a host system of the computer system but allows communications egressing from a first browser program of the virtual computer system, wherein the virtual computer system and the first browser program access untrusted destinations through a virtual private network (VPN) conduit and the second browser program running on the host system accesses one or more trusted resources on the local area network that are associated with a predetermined set of trusted locations, wherein the host-based firewall is configured to block the second browser program running on the host system from accessing any resources other than the predetermined set of trusted locations, wherein the computer is configured to access any websites not on the predetermined set of trusted location using the first browser program running on the virtual computer system via the VPN conduit without exposing the host system, the VPN conduit being associated with an Internet Protocol (IP) address, wherein the virtual computer system is configured such that the virtual computer system and the first browser program running thereon are restricted from accessing at least a portion of computing resources of the computer, wherein the virtual computer system and the first browser program are restricted from communicating except through the VPN conduit, wherein data transfers from the virtual computer system to the host system are blocked except for a limited set of types of transfers initiated by a input received via at least one of the one or more user-input devices.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computerized work station according to claim 15, wherein the workstation is a laptop computer.
  - 17. The computerized work station according to claim 15, wherein the local host-based firewall blocks any communications of the host system of the computer, except for communications with sites that are identified by the data defining the predetermined set of trusted sites and/or ports.
  - 18. The computerized work station according to claim 15, wherein the virtual computer system is operated as a virtual machine supported by a hypervisor program data stored so as to be accessible to and run on said computer.
  - 19. The computerized work station according to claim 15, wherein the VPN conduit goes through the LAN to a VPN termination point linked to the Internet.
  - 20. The computerized work station according to claim 15, wherein the data transfers are limited to cut instructions, copy instructions, paste instructions, print requests and file transfer instructions initiated by a user accessing the computer manually.

21. A computer system comprising:
- a computer having a computer-accessible data storage, an input device connected therewith and a display, said computer having stored thereon software causing the computer to operate as a host system executing application programs;
  
  an interface configured to connect to a local area network having a connection that communicates with an Internet;
  
  a virtual computer system of the computer that is separated and isolated from the host system via an internal firewall, wherein communication of data from the virtual computer system to the host system is limited to transfers of data that are initiated by receiving an input via the input device; and
  
  a local host-based firewall configured to implement a first policy when the computer system is connected to the local area network and a second policy when the computer system is not connected to the local area network, wherein the first policy permits at least one or more communications between the host computer system of the computer system and one or more resources on the local area network using a second browser program running on the host system outside of the virtual computer system, and the second policy blocks at least communications egressing from the second browser program of the host system of the computer system but allows communication egressing from a first browser program of the virtual computer system, wherein the first browser program is configured to communicate via a virtual conduit connection between the virtual computer system and a virtual private network termination point on the local area network, the virtual conduit connection being associated with an Internet Protocol (IP) address, wherein the virtual computer system is isolated against any other communication with or over the local area network except for the communication through the virtual conduit connection such that said virtual computer system is enabled to access sites on the Internet through said virtual conduit connection without exposing the host system.
- View Dependent Claims (22, 23)
- - 22. The computer system of claim 21, wherein the local host-based firewall prevents access to all Internet sites except the predetermined trusted sites and/or ports, and disables other communications from the host system, andwherein data transfer between the host and virtual computer systems is limited to cutting text, copying text, pasting text, transmitting files to be printed at a printed locally attached to the computer system, and manual transfer of files into and out of the virtual computer system.
  - 23. The networked computer system of claim 21, wherein the set of permitted data transfers is a set of one or more elements selected from the group consisting of:
    - cutting or copying;
      
      pasting;
      
      printing; and
      
      transferring files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Croga Innovations Limited (Atlantic IP Services Limited)
Original Assignee
L3 Technologies, Inc. (L3Harris Technologies, Inc.)
Inventors
Hoy, Robert B., Fenkner, Mark, Farren, Sean W.
Primary Examiner(s)
Thiaw, Catherine
Assistant Examiner(s)
An, Wayne

Application Number

US13/981,896
Publication Number

US 20130318594A1
Time in Patent Office

2,265 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

Internet isolation for avoiding internet security threats

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Internet isolation for avoiding internet security threats

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links