Systems and methods for remote rogue protocol enforcement

US 7,756,981 B2
Filed: 11/03/2006
Issued: 07/13/2010
Est. Priority Date: 11/03/2005
Status: Active Grant

First Claim

Patent Images

1. A system configured to enforce message protocol policy, the system comprising:

a virtual private network agent residing within a remote client;

a user agent residing within the remote client, the user agent comprising,a communications monitoring element executing on a computing device and configured to examine a communications connection between the remote client and an external message server to determine if an attribute of the external message server matches a restricted server attribute, wherein both the remote client and the external message server reside outside an enterprise network comprising a virtual private network gateway and a protocol inspection gateway; and

a communications controller element configured to work in conjunction with the communications monitoring element to,block instant message communications between the remote client and the external message server when the attribute of the external message server matches the restricted server attribute unless the instant message communications between the remote client and the external message server and route the blocked instant message communications via the virtual private network agent to the enterprise network, andallow direct communication between the remote client and the external message server by bypassing the virtual private network agent when the attribute of the external message server does not match the restricted server attribute;

wherein the virtual private network gateway is configured to communicate with the virtual private network agent to receive the instant message communications routed thereto, wherein the virtual private network gateway is further configured to receive the routed instant message communications from the virtual private network agent via tunneling,and wherein the protocol inspection gateway is configured to,receive the instant message communications from the virtual private network gateway routed to the enterprise network,inspect a message protocol associated with the routed instant message communications to determine if the message protocol matches a protocol definition file, andwhen a match occurs, apply applying a policy enforcement rule associated with the protocol definition file that overrides aspects of the message protocol associated with the routed instant message communications.

View all claims

28 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user agent residing within a remote client and configured to enforce message protocol policy is disclosed. The user agent includes a communications monitoring element that examines a communications connection between the client and an external message server to determine if the message server matches a restricted server attribute. The user agent also includes a communications controller element that works with the communications monitoring element to block communications between the client and the message server when the message server matches a restricted server attribute unless the communications are monitored by a protocol inspection gateway. The gateway intercepts the communications between the client and the message server and inspects a message protocol associated with the intercepted communications to determine if the message protocol matches a protocol definition file, and when a match occurs, apply a policy enforcement rule that overrides aspects of the message protocol associated with the intercepted communications.

111 Citations

View as Search Results

25 Claims

1. A system configured to enforce message protocol policy, the system comprising:
- a virtual private network agent residing within a remote client;
  
  a user agent residing within the remote client, the user agent comprising,a communications monitoring element executing on a computing device and configured to examine a communications connection between the remote client and an external message server to determine if an attribute of the external message server matches a restricted server attribute, wherein both the remote client and the external message server reside outside an enterprise network comprising a virtual private network gateway and a protocol inspection gateway; and
  
  a communications controller element configured to work in conjunction with the communications monitoring element to,block instant message communications between the remote client and the external message server when the attribute of the external message server matches the restricted server attribute unless the instant message communications between the remote client and the external message server and route the blocked instant message communications via the virtual private network agent to the enterprise network, andallow direct communication between the remote client and the external message server by bypassing the virtual private network agent when the attribute of the external message server does not match the restricted server attribute;
  
  wherein the virtual private network gateway is configured to communicate with the virtual private network agent to receive the instant message communications routed thereto, wherein the virtual private network gateway is further configured to receive the routed instant message communications from the virtual private network agent via tunneling,and wherein the protocol inspection gateway is configured to,receive the instant message communications from the virtual private network gateway routed to the enterprise network,inspect a message protocol associated with the routed instant message communications to determine if the message protocol matches a protocol definition file, andwhen a match occurs, apply applying a policy enforcement rule associated with the protocol definition file that overrides aspects of the message protocol associated with the routed instant message communications.
- View Dependent Claims (2, 3, 4, 5, 19, 20, 21, 22)
- - 2. The system as recited in claim 1, wherein the restricted server attribute comprises one or more internet protocol (IP) addresses of one or more instant messaging servers.
  - 3. The system recited in claim 1, wherein applying the policy enforcement rule comprises terminating a communication connection associated with the routed instant message communications.
  - 4. The system recited in claim 1, wherein applying the policy enforcement rule comprises recording information associated with the routed instant message communications.
  - 5. The system recited in claim 1, wherein applying the policy enforcement rule comprises creating a log comprising information associated with the routed instant message communications and any related communications.
  - 19. The user agent of claim 1, wherein the restricted server attribute comprises a message server type.
  - 20. The user agent of claim 1, further comprising a system configuration file for identifying one or more restricted server attributes.
  - 21. The user agent of claim 20, wherein the system configuration file is stored on the remote client.
  - 22. The user agent of claim 1, wherein the communications monitoring element is configured to receive the restricted server attribute from a computing device on the enterprise network.

6. A system for enforcing message protocol policy for a remote client, the system comprising:
- a virtual private network agent residing within a remote client, the virtual private network agent configured to function as a communications proxy for the remote client;
  
  a user agent executing on a computing device and residing within the remote client, the user agent configured to examine every communications connection established between the remote client and an external message server to determine whether an attribute of the external message server matches a restricted server attribute, and the user agent being further configured to,when a match occurs, route to the virtual private network agent instant messages to be transmitted between the remote client and the external message server, andwhen a match does not occur, allow direct communication between the remote client and the external message server by bypassing the virtual private network agent; and
  
  an enterprise network communicatively connected to the remote client and the external message server, wherein both the remote client and the external message server reside outside the enterprise network, the enterprise network including,a virtual private network gateway configured to communicate with the virtual private network agent to receive the instant messages routed thereto, wherein the virtual private network gateway is further configured to receive the routed instant messages from the virtual private network agent via tunneling; and
  
  a protocol inspection gateway communicatively connected to the virtual private network gateway and the external message server, the protocol inspection gateway configured to,receive the instant messages from the virtual private network gateway,inspect a message protocol associated with each received instant message to determine if the message protocol matches a protocol definition file, andwhen a match occurs, apply a policy enforcement rule associated with the protocol definition file that overrides aspects of the message protocol associated with the received instant message.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 23)
- - 7. The system of claim 6, wherein the restricted server attribute comprises one or more internet protocol (IP) addresses of one or more instant messaging servers.
  - 8. The system of claim 6, wherein applying the policy enforcement rule comprises terminating a communication connection associated with the received instant messages.
  - 9. The system of claim 6, wherein applying the policy enforcement rule comprises recording information associated with the received instant messages.
  - 10. The system of claim 6, wherein applying the policy enforcement rule comprises creating a log comprising information associated with the intercepted instant messages and any related messages.
  - 11. The system of claim 6, wherein at least one of the remote client and the external message server is communicatively coupled to the enterprise network via a public internet.
  - 12. The system of claim 6, wherein the virtual private network agent and the virtual private network gateway comprise a virtual private network.
  - 13. The system of claim 6, wherein functionalities of the virtual private network gateway and the protocol inspection gateway are integrated into one network gateway device.
  - 23. The system of claim 6, wherein the direct communication between the remote client and the external message server comprises an unsecured communications connection.

14. A method for enforcing message protocol policy for a remote client, the method comprising:
- establishing a communication connection between a remote client and an external message server, wherein both the remote client and the external message server are located outside an enterprise network;
  
  inspecting, with a user agent executing on a computing device of the remote client, the communications connection between the remote client and the external message server to determine if a selected attribute of the external message server matches a restricted server attribute;
  
  when a match occurs, (i) blocking instant messages to be sent via the communications connection between the remote client and the external message server (ii) fill routing the blocked instant messages with a virtual private network agent of the remote client to a virtual private network gateway via tunneling, and (iii) communicating the routed instant messages from the virtual private network gateway to a protocol inspection gateway within the enterprise network, wherein the protocol inspection gateway is configured to,inspect a message protocol associated with the routed instant message to determine if the message protocol matches a protocol definition file, andwhen a match occurs, apply a policy enforcement rule associated with the protocol definition file that overrides aspects of the message protocol associated with the routed instant message, andwhen a match does not occur between the selected attribute of the external message server and the restricted server attribute, allowing direct communication between the remote client and the external message server by bypassing the virtual private network agent and the virtual private network gateway.
- View Dependent Claims (15, 16, 17, 18, 24, 25)
- - 15. The method of claim 14, wherein the restricted server attribute comprises one or more internet protocol (IP) addresses of one or more instant messaging servers.
  - 16. The method of claim 14, wherein applying the policy enforcement rule comprises terminating a communication connection associated with the routed instant messages.
  - 17. The method of claim 14, wherein applying the policy enforcement rule comprises recording information associated with the routed instant messages.
  - 18. The method of claim 14, wherein applying the policy enforcement rule comprises creating a log comprising information associated with the routed instant messages and any related messages.
  - 24. The method of claim 14, additionally comprising maintaining a list on the remote client of one or more restricted server attributes.
  - 25. The method of claim 24, additionally comprising updating the list when the remote client accesses the enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Quest Software, Inc.
Inventors
Lee, Lisa, Shastri, Vijnan, Tran, Trung
Primary Examiner(s)
Avellino; Joseph E
Assistant Examiner(s)
Zuniga; Jackie

Application Number

US11/556,470
Publication Number

US 20070112957A1
Time in Patent Office

1,348 Days
Field of Search

709227-229, 709223-226
US Class Current

709/227
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/046   comprising network manageme...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

Systems and methods for remote rogue protocol enforcement

First Claim

28 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for remote rogue protocol enforcement

First Claim

28 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links