SYSTEM AND METHOD FOR FILTERING NETWORK COMMUNICATIONS

US 20150156183A1
Filed: 12/03/2013
Published: 06/04/2015
Est. Priority Date: 12/03/2013
Status: Abandoned Application

First Claim

Patent Images

1. A system, comprising:

a network interface capable of connecting to a wide area network;

a tunneling front end node capable of establishing a communication tunnel with a client access point, wherein packets transmitted through the communication tunnel are encapsulated, the tunneling front end node being capable of authenticating a user of a user device in communication with the client access point whereby the user is allowed access to the wide area network after a successful authentication through the communication tunnel;

a plurality of filter nodes in communication with the network interface such that the filter nodes are connected to the wide area network via the network interface;

a plurality of filtering rules associated with the authenticated user defining how transmissions between the user of the user device and wide area network are to be handled, the tunneling front end node being capable of determining how to handle transmissions to and from the authenticated user according to the filtering rules, wherein the tunneling front end node passes at least some of the transmission received from the authenticated user to at least one of the filter nodes according to the filtering rules;

the filter nodes being capable of sending transmissions of the authenticated user passed from the tunneling front end node to the wide area network according to the filtering rules, the filter nodes being capable of receiving transmissions from the wide area network destined to the authenticated user, and the filter nodes being capable of filtering the transmissions received from the wide area network according to the filtering rules and passing the transmissions to the tunneling front end node for forwarding the transmissions to the authenticated user via the communications tunnel;

a worker node capable of receiving one or more messages from one or more of nodes, the messages containing information concerning the status of the one or more nodes, the worker node being capable of generating one or more jobs in response to a received message and sending each generated job to a job dispatcher node; and

the job dispatcher node being capable of receiving the generated jobs sent by the worker node, the job dispatcher node being capable of assigning at least one of the generated jobs to one of the nodes and sending messages to that node to perform the assigned job.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of a secure network gateway system and a filtering method using the system are disclosed. The secure network gateway system includes a tunneling front end node capable of establishing a communication tunnel with a client access point and authenticating a user to allow the user to access to a wide area network via the communication tunnel. The system also includes a plurality of filter nodes. A plurality of filtering rules are associated with the authenticated user. The tunneling front end node is capable of determining how to handle transmissions to and from the authenticated user according to these filtering rules and passing the transmissions to the appropriate filter nodes. The filter nodes are capable of filtering transmissions according to the filtering rules and passing the filtered transmissions to the tunneling front end node for forwarding to the authenticated user via the communications tunnel.

87 Citations

View as Search Results

30 Claims

1. A system, comprising:
- a network interface capable of connecting to a wide area network;
  
  a tunneling front end node capable of establishing a communication tunnel with a client access point, wherein packets transmitted through the communication tunnel are encapsulated, the tunneling front end node being capable of authenticating a user of a user device in communication with the client access point whereby the user is allowed access to the wide area network after a successful authentication through the communication tunnel;
  
  a plurality of filter nodes in communication with the network interface such that the filter nodes are connected to the wide area network via the network interface;
  
  a plurality of filtering rules associated with the authenticated user defining how transmissions between the user of the user device and wide area network are to be handled, the tunneling front end node being capable of determining how to handle transmissions to and from the authenticated user according to the filtering rules, wherein the tunneling front end node passes at least some of the transmission received from the authenticated user to at least one of the filter nodes according to the filtering rules;
  
  the filter nodes being capable of sending transmissions of the authenticated user passed from the tunneling front end node to the wide area network according to the filtering rules, the filter nodes being capable of receiving transmissions from the wide area network destined to the authenticated user, and the filter nodes being capable of filtering the transmissions received from the wide area network according to the filtering rules and passing the transmissions to the tunneling front end node for forwarding the transmissions to the authenticated user via the communications tunnel;
  
  a worker node capable of receiving one or more messages from one or more of nodes, the messages containing information concerning the status of the one or more nodes, the worker node being capable of generating one or more jobs in response to a received message and sending each generated job to a job dispatcher node; and
  
  the job dispatcher node being capable of receiving the generated jobs sent by the worker node, the job dispatcher node being capable of assigning at least one of the generated jobs to one of the nodes and sending messages to that node to perform the assigned job.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1, wherein the communication tunnel between the tunneling end node and client access point comprises at least one of a OpenVPN tunnel, a PPTP tunnel, and a LISP tunnel.
  - 3. The system of claim 1, wherein the filtering rules include at least one of:
    - one or more rules for blocking certain transmissions between the authenticated user and wide area network, one or more rules for allowing certain transmissions between the authenticated user and the wide area network, and one or more rules for filtering content of transmissions received from the wide area network that are intended for the authenticated user.
  - 4. The system of claim 1, wherein the job dispatcher is capable of scheduling jobs based on the type of job and the location of the target node.
  - 5. The system of claim 1, wherein the jobs include parallel-type jobs and sequential-type jobs.
  - 6. The system of claim 5, wherein the job dispatching node is capable of sending the message for a pending parallel-type job to the assigned node as soon as the assigned node indicates no other job with a status of processing is currently assigned to that node.
  - 7. The system of claim 5, wherein the job dispatching node is capable of sending the message for a pending sequential-type job to the assigned node when the assigned node has only one job with a status of processing.
  - 8. The system of claim 1, wherein a tunneling identifier associated with the user is included in subsequent communications between the user device and the tunneling front end node after the user has been successfully authenticated.
  - 9. The system of claim 1, further comprising an internal communications network through which the nodes are capable of sending communications between one another.
  - 10. The system of claim 1, wherein the filter nodes including one or more web filters capable of receiving at least HTTP packets.
  - 11. The system of claim 1, wherein the filter nodes include one or more web filter nodes capable of receiving at least HTTP packets, one or more mail filter nodes capable of receiving packets conforming to at least one electronic mail message format, and one or more instant message filters capable of receiving instant messaging format packets.
  - 12. The system of claim 11, wherein the filter nodes include one or more a game filter nodes capable of filtering game content.
  - 13. The system of claim 11, wherein the filter nodes include at least one a file/media filter node capable of filtering at least one of content, streaming content, downloadable content, image content, and video content.
  - 14. The system of claim 1, further including a storage node capable of temporarily storing data downloaded from the wide area network, the storage node having a scanning element capable of scanning the downloaded data according to the filtering rules to identify portions of the data that are to be blocked from delivery to the authenticated user.
  - 15. The system of claim 1, wherein the filtering rules have at least one filtering rule selected by a registered user.
  - 16. The secure network gateway system of claim 1, wherein the messages sent by the worker node and the job dispatcher node comprise SOAP messages.
  - 17. The system of claim 1, further comprising a firewall node capable of maintaining the filtering rules associated with authenticated user in an IP table.
  - 18. The system of claim 17, wherein the IP table is created after the user has been authenticated.
  - 19. The system of claim 18, wherein the IP table is torn down after the user has logged out.
  - 20. The system of claim 1, wherein after a predetermined amount of time has elapsed after authentication, the user is automatically logged out.
  - 21. The system of claim 1, wherein after a predetermined amount of time of inactivity by the authenticated user has elapsed, the user is automatically logged out.

22. A method for filtering communications, comprising:
- establishing a communication tunnel between a tunneling front end node and a client access point, wherein packets transmitted through the communication tunnel are encapsulated;
  
  authenticating a user of a user device in communication with the client access point whereby the user is allowed to access to the wide area network after a successful authentication through the communication tunnel;
  
  determining how to handle transmissions to and from the authenticated user according to a plurality of filtering rules associated with the authenticated user;
  
  passing at least some of the transmission received by the tunneling front end node from the user of the user device to at least one of a plurality of filter nodes according to the filtering rules;
  
  the filter nodes sending transmissions of the authenticated user to the wide area network according to the filtering rules associated with the authenticated user;
  
  the filter nodes receiving transmissions from the wide area network destined to the authenticated user;
  
  the filter nodes filtering the transmissions received from the wide area network according to the filtering rules associated with the authenticated user; and
  
  forwarding the transmissions to the authenticated user via the communications tunnel.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The method of claim 22, further comprising receiving at a worker node one or more messages from one or more of nodes, wherein the messages contain information concerning activity or status of the one or more nodes, the worker node generating one or more jobs in response to a received message and sending each generated job to a job dispatcher node.
  - 24. The method of claim 23, further comprising receiving at the job dispatcher node the generated jobs sent by the worker node, assigning the generated job to one of the nodes, and sending a message to the node instructing it to perform the assigned jobs.
  - 25. The method of claim 24, wherein the jobs include parallel-type jobs and sequential-type jobs.
  - 26. The method of claim 25, wherein the job dispatching sends the message for a pending parallel-type job to the assigned node as soon as the assigned node indicates no other job with a status of processing is currently assigned to that node.
  - 27. The method of claim 25, wherein the job dispatching node sends the message for a pending sequential-type job to the assigned node when the assigned node has only one job with a status of processing.
  - 28. The method of claim 24, wherein the messages comprise SOAP messages.
  - 29. The method of claim 22, wherein the filter nodes include one or more web filter nodes receiving at least HTTP packets;
    - one or more mail filter nodes receiving at least packets conforming to at least one electronic mail message format; and
      
      one or more instant message filters receiving at instant messaging format packets.
  - 30. The method of claim 22, wherein the communication tunnel between the tunneling end node and client access point comprises at least one of a OpenVPN tunnel, a PPTP tunnel, and a LISP tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GateSecure S.A.
Original Assignee
GateSecure S.A.
Inventors
Beyer, Sascha, Gasnier, Bertrand, Muszynski, Bartosz, Rami, Fabian

Application Number

US14/095,387
Publication Number

US 20150156183A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/02   for separating internal fro...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/145   the attack involving the pr...

SYSTEM AND METHOD FOR FILTERING NETWORK COMMUNICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

87 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR FILTERING NETWORK COMMUNICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links