Title:
Method and apparatus for managing internetwork and intranetwork activity
Document Type and Number:
United States Patent RE40187

Abstract:
In accordance with the present invention, a network management program (80) is provided that manages the communication of data packets between an intranetwork (44) and an internetwork (40). An operator of a computer connected to the intranetwork (44) inputs vital information regarding users of computers connected to the intranetwork (44), mapping information regarding computers connected to the intranetwork (44), and policies to be applied against those users and computers, using a graphical user interface (GUI 70). The GUI (70) communicates the vital user information, mapping information and policies to a database (72) which stores and organizes the vital user information, mapping information and policies. A filter executive (76) optimizes the policies stored in the database (72) into a set of rules for each user and passes the rules to a filter engine (78). The filter engine (78) filters all outbound data packets transmitted from the intranetwork (44) to the internetwork (40) and verifies all inbound data packets from the internetwork (40) according to the rules provided by the filter executive (76). The filter executive (76) also communicates the mapping information stored in the database (72) to a naming service manager (74) which further updates the mapping information and returns the updated mapping information to the filter executive (76). Consequently, the filter engine (78) filters the data packets according to the most recent mapping information.
Inventors:
Abraham, Dalen M. (Duvall, WA, US)
Barnes, Todd A. (Snohomish, WA, US)
Bouche, Paul F. (Bellevue, WA, US)
Bougetz, Thomas P. (Bothell, WA, US)
Gosselin, Tracy A. (Renton, WA, US)
Grieve, Mark G. (Bellevue, WA, US)
Langdon, Brent A. (Redmond, WA, US)
Allison, Robert C. (Kirkland, WA, US)
Nikkel, Michael S. (Redmond, WA, US)
Rosove, Stuart (Bellevue, WA, US)
Application Number:
10/918833
Publication Date:
03/25/2008
Filing Date:
08/12/2004
Assignee:
Websense, Inc. (San Diego, CA, US)
Primary Class:
Other Classes:
726/13, 709/250, 709/225
International Classes:
H04L29/06; G06F21/20; G06F13/00; G06F17/00
Field of Search:
709/229, 709/250, 709/224, 726/13, 709/225, 713/201
US Patent References:
5317568: Method and apparatus for managing and facilitating communications in a distributed heterogeneous network, Bixby et al., May 1994, 370/401
5347633: System for selectively intercepting and rerouting data network traffic, Ashfield et al., September 1994, 395/200.68
5377323: Apparatus and method for a federated naming system which can resolve a composite name composed of names from any number of disparate naming systems, Vasudevan, December 1994, 395/200.56
5425028: Protocol selection and address resolution for programs running in heterogeneous networks, Britton et al., June 1995, 370/389
5522045: Method for updating value in distributed shared virtual memory among interconnected computer nodes having page table with minimal processor involvement, Sandberg, May 1996, 395/200.45
5586121: Asymmetric hybrid access system and method, Moura et al., December 1996, 370/404
5606668: System for securing inbound and outbound data packet flow in a computer network, Shwed, February 1997, 713/201
5648965: Method and apparatus for dynamic distributed packet tracing and analysis, Thadani et al., July 1997, 370/241
5742769: Directory with options for access to and display of email addresses, Lee et al., April 1998, 395/200.36
5781801: Method and apparatus for receive buffer management in multi-sender communication systems, Flanagan et al., July 1998, 710/56
5796944: Apparatus and method for processing data frames in an internetworking device, Hill et al., August 1998, 709/250
5842040: Policy caching method and apparatus for use in a communication device based on contents of one data unit in a subset of related data units, Hughes et al., November 1998, 710/11
5864683: System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights, Boebert et al., January 1999, 709/249
5884033: Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions, Duvall et al., March 1999, 709/206
6173364: Session cache and rule caching method for a dynamic filter, Zenchelsky et al., January 2001, 711/118
6178505: Secure delivery of information in a network, Schneider et al., January 2001, 713/168
6832256: Firewalls that filter based upon protocol commands, Toga, December 2004, 709/229
Foreign References:
EP0658837: Method for controlling computer network security, June 1995
WO/1996/005549: Apparatus and method for restricting access to a local computer network, February 1996
Other References:
Molitor, Andrew, “An Architecture for Advanced Packet Filtering,” Proceedings of the Fifth USENIX UNIX Security Symposium, Jun. 1995, pp. 1-11.
IBM Corp., “Enforced Separation of Roles In A Multi-User Operating System,” IBM Technical Disclosure Bulletin, vol. 34, no. 7B, pp. 120-122 (Dec. 1991).
J. Bruce Dawson, “Intrusion Protection for Networks,” BYTE (Apr. 1995).
Jim Reid, “Open Systems Security: Traps and Pitfalls,” Computers & Security 14:496-517 (1995).
S.M. Bellovin and W.R. Cheswick, “Network Firewalls,” IEEE Communications Magazine, no. 9, New York, US (1994).
D. Brent Chapman, “Network (In)Security Through IP Packet Filtering,” USENIX Symposium Proceedings, UNIX Security III, Baltimore, Maryland, Sep. 14-16, 1992.
D. Brent Chapman and Elizabeth D. Zwicky, Building Internet Firewalls, Chapters 6 & 8 (O'Reilly & Associates, Inc., 1995).
Chris Hare and Karanjit Siyan, Internet Firewalls and Network Security, Chapter 5 (New Riders Publishing, 2d ed. 1996).
Primary Examiner:
Caldwell, Andrew
Assistant Examiner:
Henning, Matthew
Attorney, Agent or Firm:
Knobbe Martens Olson & Bear, LLP
Parent Case Data:

RELATIONSHIP TO OTHER APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 60/040,424 filed Mar. 11, 1997. The subject matter of Provisional Application Ser. No. 60/040,424 is incorporated herein by reference.

Claims:
The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:

1. A computer-readable medium having computer-executable components for managing communication of data packets between an intranetwork and an internetwork, the intranetwork connecting a plurality of computers via a communications medium, the internetwork connecting a plurality of intranetworks via communications media, the computer-readable medium having computer-executable components comprising: (a) a graphical user interface for allowing an administrator of a computer connected to the intranetwork to input: (i) user information identifying each user of a computer connected to the intranetwork; (ii) mapping information mapping each identified user to at least one computer connected to the intranetwork; and (iii) user policies for each identified user governing the communication of data packets between the identified user and the internetwork; (b) a database for storing the user information, mapping information and user policies for each identified user provided by the administrator using the graphical user interface; (c) a filter executive for optimizing the user policies for each identified user stored in the database into a set of rules for each identified user; and (d) a filter engine for filtering data packets communicated between the intranetwork and the internetwork according to the set of rules for each identified user optimized by the filter executive and the mapping information for each identified user.

2. The computer-readable medium of claim 1, wherein the mapping information for each identified user includes: (a) a computer-to-user mapping which identifies a login name of the identified user and a computer name of the computer to which the identified user is assigned; and (b) a computer-to-address mapping which identifies the computer name of the computer to which the identified user is assigned and the internetwork protocol address of the computer.

3. The computer-readable medium of claim 2, wherein the filter engine filters data packets by: for each data packet communicated between the intranetwork and the internetwork, (a) scanning the mapping information for each identified user for an internetwork protocol address of a mapped computer assigned to an identified user that matches an address of a computer from which the data packet was sent; (b) comparing the data packet to the set of rules for the identified user assigned to the mapped computer; and (c) if the data packet matches at least one rule of the set of rules, returning a filter result for the at least one rule, wherein the filter result indicates whether the filter engine is to deny delivery of the data packet.

4. The computer-readable medium of claim 3, wherein the filter engine further filters the data packet by returning a default result for the at least one rule, if the data packet does not match at least one rule of the set of rules, wherein the default result indicates whether the filter engine is to deny delivery of the data packet.

5. The computer-readable medium of claim 4, wherein the filter engine also returns a default result if an internetwork protocol address of a mapped computer is not found that matches the address of the computer from which the data packet was sent.

6. The computer-readable medium of claim 5, wherein the filter result and the default result further indicate whether the filter engine is to log the data packet.

7. The computer-readable medium of claim 5, wherein the filter result and the default result further indicate whether the identified user assigned to the mapped computer whose internetwork protocol address matches the address of the computer from which the data packet was sent, is to be notified that the data packet has matched at least one rule of the set of rules.
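The filtering procedure of claims 3 through 7 (look up the sender's address in the mapping information, compare the packet against that user's rules, return a filter result or fall back to a default result that also carries the log and notify flags) can be illustrated with a small engine. The following is an added example written for this page, not code from the patent or from Websense; the user names, addresses, rule shapes, the first-match rule ordering and the fail-closed default are all assumptions of the example.

```python
# Added example (not from the patent): a toy filter engine modelled on claims 2-7.
# Names, rule shapes, first-match ordering and the fail-closed default are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FilterResult:
    """What the engine does with a packet: deny delivery, write a log entry, notify the user."""
    deny: bool
    log: bool = False
    notify: bool = False


@dataclass(frozen=True)
class Packet:
    """Outbound packet as seen by the engine; all fields are constructed for the example."""
    src_ip: str                      # address of the intranet computer that sent it (claim 3(a))
    site: str                        # internetwork site it is addressed to
    protocol: str                    # application protocol, e.g. "http"
    extension: Optional[str] = None  # file extension carried, if any


@dataclass(frozen=True)
class Rule:
    """A rule matches on any subset of protocol / extension / site; None means 'any'."""
    protocol: Optional[str] = None
    extension: Optional[str] = None
    site: Optional[str] = None
    result: FilterResult = FilterResult(deny=True)

    def matches(self, pkt: Packet) -> bool:
        wanted = ((self.protocol, pkt.protocol), (self.extension, pkt.extension), (self.site, pkt.site))
        return all(want is None or want == got for want, got in wanted)


class FilterEngine:
    def __init__(self, user_to_computer, computer_to_ip, rules, default):
        self.user_to_computer = user_to_computer  # login name -> computer name (claim 2(a))
        self.computer_to_ip = computer_to_ip      # computer name -> IP address (claim 2(b))
        self.rules = rules                        # login name -> ordered list of Rule
        self.default = default                    # default result (claims 4 and 5)

    def user_for_ip(self, ip: str) -> Optional[str]:
        # Claim 3(a): scan the mapping information for a computer whose address matches the sender.
        for user, computer in self.user_to_computer.items():
            if self.computer_to_ip.get(computer) == ip:
                return user
        return None

    def filter(self, pkt: Packet):
        """Return (user, FilterResult); user is None when the sender could not be mapped."""
        user = self.user_for_ip(pkt.src_ip)
        if user is None:
            return None, self.default              # claim 5: no mapping found
        for rule in self.rules.get(user, []):      # claim 3(b): compare against the user's rules
            if rule.matches(pkt):
                return user, rule.result           # claim 3(c): first matching rule wins (assumption)
        return user, self.default                  # claim 4: no rule matched


def build_demo_engine() -> FilterEngine:
    """Constructed mapping and rule data for two users; not taken from the patent."""
    user_to_computer = {"alice": "ws-01", "bob": "ws-02"}
    computer_to_ip = {"ws-01": "10.0.0.11", "ws-02": "10.0.0.12"}
    rules = {
        "alice": [
            Rule(extension="exe", result=FilterResult(deny=True, log=True, notify=True)),
            Rule(protocol="http", result=FilterResult(deny=False)),
        ],
        "bob": [
            Rule(site="games.example", protocol="http", result=FilterResult(deny=True, log=True)),
        ],
    }
    # Fail closed: anything unmatched or unmapped is denied and logged (design choice of this example).
    return FilterEngine(user_to_computer, computer_to_ip, rules, FilterResult(deny=True, log=True))


DEMO_PACKETS = [
    Packet("10.0.0.11", "files.example", "http", "exe"),  # alice fetching an .exe over http
    Packet("10.0.0.11", "news.example", "http"),          # alice, plain http
    Packet("10.0.0.12", "games.example", "http"),         # bob, blocked site
    Packet("10.0.0.12", "mail.example", "smtp"),          # bob, no rule covers smtp
    Packet("10.0.0.99", "news.example", "http"),          # address with no mapping at all
]


def run_demo():
    engine = build_demo_engine()
    return [engine.filter(p) for p in DEMO_PACKETS]


if __name__ == "__main__":
    for pkt, (user, res) in zip(DEMO_PACKETS, run_demo()):
        print(f"{pkt.src_ip:>10} {user or '<unmapped>':<11} deny={res.deny} log={res.log} notify={res.notify}")
```

Two points the claims leave open are decided here and worth checking in any real engine: the first packet matches both of alice's rules, so rule order decides whether the .exe is denied or the http allow wins; and the default result applies both when no rule matches (claim 4) and when the sender's address is unmapped (claim 5), so choosing a permissive default would let any unmanaged or mis-mapped host bypass every user policy.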

8. The computer-readable medium of claim 2, wherein each user policy input by the administrator for each identified user comprises at least one of the following: (a) a file type policy indicating whether a file having a particular file extension may be communicated between the identified user and the internetwork; (b) an application protocol policy indicating whether a particular application protocol may be used to transfer data between the identified user and the internetwork; (c) a site policy indicating whether the identified user may communicate with a particular computer site located in the internetwork; and (d) a quota policy indicating how much data may be communicated between the identified user and the internetwork during a given time interval.

9. The computer-readable medium of claim 8, wherein the database periodically calculates a quota violation for each identified user having a quota policy, wherein the quota violation indicates whether an excessive amount of data has been communicated between the identified user and the internetwork, and wherein the quota violation for each identified user having a quota policy is calculated by: (a) summing a total number of data bytes in each data packet communicated between the identified user and the internetwork during a given time interval; and (b) comparing the summation of data bytes to the quota policy for the identified user.

10. The computer-readable medium of claim 2, wherein the graphical user interface further allows the administrator to organize the identified users into a hierarchy of groups having a root group containing all identified users and a plurality of subgroups, each subgroup containing at least one identified user.

11. The computer-readable medium of claim 10, wherein the graphical user interface further allows the administrator to input at least one user policy as a group policy, wherein the group policy is applied against a group of the hierarchy such that each identified user contained in the group inherits the group policy.

12. The computer-readable medium of claim 11, wherein if the group policy inherited by the identified user conflicts with a user policy for the identified user, the database resolves the conflict such that only one of the user policy and the group policy is applied against the user.

13. The computer-readable medium of claim 12, wherein the database prepares the user and group policies inputted by the administrator for optimization by the filter executive by: (a) collecting all of the inputted user policies for each identified user; (b) collecting all of the inputted group policies inherited by each identified user; and (c) storing each group policy and each user policy for each identified user as an individual user policy to be applied directly against the identified user.
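Claims 9 through 13 describe how the database turns the group hierarchy into per-user policies: a root group containing everyone, nested subgroups, group policies inherited by each member, conflicts between an inherited group policy and the user's own policy resolved so that only one applies, the result stored as individual user policies, and a quota check that sums the bytes a user exchanged in an interval against that user's quota policy. The following is an added example written for this page, not the patent's or Websense's code. The group names, users, policies and packet log are constructed, and the conflict rule (the user's own policy wins, then the nearest group's) is an assumption, since claim 12 only requires that exactly one of the two be applied.

```python
# Added example (not from the patent): a toy policy database modelled on claims 9-13.
# Group, user and policy names are constructed; the conflict-resolution order is an assumption.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    kind: str                          # "file_type", "app_protocol", "site" or "quota" (claim 8)
    subject: str                       # extension, protocol, site, or "daily" for a quota
    allow: bool = True
    limit_bytes: Optional[int] = None  # quota policies only

    def key(self) -> Tuple[str, str]:
        # Two policies conflict (claim 12) when they govern the same kind and subject.
        return (self.kind, self.subject)


@dataclass
class Group:
    name: str
    parent: Optional[str]              # None only for the root group (claim 10)
    policies: List[Policy] = field(default_factory=list)


class PolicyDatabase:
    def __init__(self):
        self.groups: Dict[str, Group] = {"root": Group("root", None)}
        self.user_group: Dict[str, str] = {}                       # user -> innermost group
        self.user_policies: Dict[str, List[Policy]] = defaultdict(list)

    def add_group(self, name: str, parent: str = "root") -> None:
        self.groups[name] = Group(name, parent)

    def add_user(self, user: str, group: str = "root") -> None:
        self.user_group[user] = group

    def add_group_policy(self, group: str, policy: Policy) -> None:
        self.groups[group].policies.append(policy)

    def add_user_policy(self, user: str, policy: Policy) -> None:
        self.user_policies[user].append(policy)

    def inherited_policies(self, user: str) -> List[Policy]:
        # Claims 11 and 13(b): walk from the user's group up to root, nearest group first.
        out: List[Policy] = []
        g: Optional[str] = self.user_group[user]
        while g is not None:
            out.extend(self.groups[g].policies)
            g = self.groups[g].parent
        return out

    def individual_policies(self, user: str) -> List[Policy]:
        # Claim 13: store every applicable policy as an individual policy for the user.
        # Assumption for claim 12: the user's own policy wins a conflict, then the nearest group's.
        resolved: Dict[Tuple[str, str], Policy] = {}
        for p in self.user_policies[user] + self.inherited_policies(user):
            resolved.setdefault(p.key(), p)
        return list(resolved.values())


def quota_violation(policies: List[Policy], packet_log, user: str, day: str) -> bool:
    # Claim 9: sum the bytes of every packet the user exchanged during the interval (here one
    # day) and compare the total with the user's quota policy for that interval.
    quota = next((p for p in policies if p.key() == ("quota", "daily")), None)
    if quota is None:
        return False                                  # no quota policy: nothing to violate
    total = sum(size for (u, d, size) in packet_log if u == user and d == day)
    return total > quota.limit_bytes


def build_demo_db() -> PolicyDatabase:
    """Constructed hierarchy: root > engineering > interns, with one conflicting user policy."""
    db = PolicyDatabase()
    db.add_group("engineering")
    db.add_group("interns", parent="engineering")
    db.add_user("carol", "interns")
    db.add_user("dave", "engineering")
    db.add_group_policy("root", Policy("file_type", "exe", allow=False))
    db.add_group_policy("root", Policy("app_protocol", "http", allow=True))
    db.add_group_policy("root", Policy("quota", "daily", limit_bytes=1_000_000))
    db.add_group_policy("engineering", Policy("app_protocol", "ftp", allow=True))
    db.add_group_policy("interns", Policy("site", "games.example", allow=False))
    db.add_user_policy("carol", Policy("file_type", "exe", allow=True))  # conflicts with root's policy
    return db


DEMO_PACKET_LOG = [  # (user, day, bytes), constructed for the example
    ("carol", "day1", 600_000), ("carol", "day1", 500_000),
    ("dave", "day1", 100_000), ("carol", "day2", 10),
]


if __name__ == "__main__":
    db = build_demo_db()
    for user in ("carol", "dave"):
        pols = db.individual_policies(user)
        print(user, [(p.key(), p.allow) for p in pols],
              "quota exceeded day1:", quota_violation(pols, DEMO_PACKET_LOG, user, "day1"))
```

The conflict rule is the security-relevant choice: with "user policy wins", carol's own allow for .exe files overrides the root group's deny, which is convenient for exceptions but means a single per-user entry can silently undo an organisation-wide block. The reverse order (group wins) is just as easy to implement by concatenating the inherited list first; whichever order is chosen should be the one the administrator expects, and the flattened per-user list is the place to audit it.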

14. The computer-readable medium of claim 13, wherein the filter executive optimizes the individual user policies into the set of rules for each identified user by defining each rule of the set of rules from at least one corresponding individual user policy stored in the database, wherein each rule dictates how the filter engine is to filter a data packet which matches the rule.

15. The computer-readable medium of claim 14, wherein each rule in the set of rules for each identified user comprises at least one of the following: (a) a file extension rule, which dictates how the filter engine should filter a matching data packet communicated between the identified user and the internetwork containing information from a file having a particular file extension; (b) an application protocol rule, which dictates how the filter engine should filter a matching data packet communicated between the identified user and the internetwork using a particular application protocol; and (c) a combined site and protocol rule, which dictates how the filter engine should filter a matching data packet communicated between the identified user and a particular internetwork site using a particular application protocol.

16. The computer-readable medium of claim 2, wherein the graphical user interface further allows the administrator to input system policies for all identified users governing the communication of data packets between all identified users and the internetwork.

17. The computer-readable medium of claim 16, wherein the system policies include system default policies, and wherein the system default policies include: (a) an enable logging policy indicating whether the filter engine is to log a data packet which the filter engine has allowed to be delivered between the intranetwork and the internetwork; (b) a simulate rule enforcement policy indicating whether the filter engine is to simulate filtering of a data packet in accordance with the set of user rules for each identified user; and (c) a violation message policy indicating whether the filter engine is to send a message to the identified user indicating how the filter engine has filtered a data packet.

18. The computer-readable medium of claim 17, wherein the filter executive optimizes the system default policies into a set of system default rules for all identified users by: (a) defining a log-on-off rule from the enable logging policy which dictates whether the filter engine is to log a data packet which the filter engine has allowed to be delivered between the intranetwork and the internetwork; (b) defining a log-no-block rule from the simulate rule enforcement policy which dictates whether the filter engine is to simulate filtering of a data packet in accordance with the set of user rules for each identified user by logging and delivering the data packet regardless of how the filter engine filtered the data packet; and (c) defining a notify-no-notify rule from the violation message policy which dictates whether the filter engine is to send a message to the identified user indicating how the filter engine filtered a data packet.

19. The computer-readable medium of claim 18, wherein the system policies further include global network protocol policies, wherein each global network protocol policy indicates whether a particular network protocol may be used to transfer data between all of the identified users of the plurality of computers connected to the intranetwork and the internetwork.

20. The computer-readable medium of claim 19, wherein the filter executive optimizes the global network protocol policies into a set of inbound and outbound global network protocol rules for all identified users by: (a) defining an inbound global network protocol rule from each global network protocol policy which dictates how the filter engine should filter a data packet communicated from the internetwork to an identified user using a particular network protocol; and (b) defining an outbound global network protocol rule from each global network protocol policy which dictates how the filter engine should filter a data packet communicated from an identified user to the internetwork using a particular network protocol.

21. The computer-readable medium of claim 20, wherein the system policies further include time schedule policies, wherein each time schedule policy indicates a time schedule during which data may be communicated between all of the identified users and the internetwork using a particular application protocol.

22. The computer-readable medium of claim 21, wherein the filter executive optimizes the time schedule policies into a set of timer rules for all identified users by defining a timer rule from each time schedule policy which dictates how the filter engine should filter a data packet communicated between the identified user and the internetwork during a particular time interval using a particular application protocol.

23. The computer-readable medium of claim 2 having a further computer-executable component comprising a naming service manager for updating the mapping information for each identified user inputted by the administrator using the graphical user interface.

24. The computer-readable medium of claim 23, wherein the naming service manager updates the mapping information by: (a) collecting updated computer-to-user mappings as the identified user logs in to and logs out of computers connected to the intranetwork; and (b) replacing outdated computer-to-user mappings used by the filter executive with the updated computer-to-user mappings collected from the at least one naming service agent.

25. The computer-readable medium of claim 23, wherein the naming service manager updates the mapping information for each identified user by: (a) collecting updated computer-to-address mappings as the address of the at least one computer to which the identified user is assigned changes; and (b) replacing outdated computer-to-address mappings used by the filter executive with the updated computer-to-address mappings collected from the at least one naming service agent.
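Claims 23 through 25 make the naming service manager responsible for keeping the two mapping tables of claim 2 current: computer-to-user mappings change as users log in and out, computer-to-address mappings change as a computer's address changes, and outdated entries used by the filter executive are replaced. The following is an added example for this page, not code from the patent or from Websense; the event format, computer names, addresses and login names are constructed assumptions, and the handling of an address claimed by two computers is a design choice of the example rather than anything the claims specify.

```python
# Added example (not from the patent): a toy naming service manager modelled on claims 23-25.
# Computer names, addresses, login names and the event format are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Event:
    kind: str        # "login" / "logout" (claim 24) or "address" (claim 25)
    computer: str    # computer name the event concerns
    value: str       # login name for login/logout, new IP address for "address"


class NamingServiceManager:
    """Keeps the two mapping tables of claim 2 current and publishes an ip->user table."""

    def __init__(self, computer_to_user: Dict[str, str], computer_to_address: Dict[str, str]):
        self.computer_to_user = dict(computer_to_user)        # claim 2(a)
        self.computer_to_address = dict(computer_to_address)  # claim 2(b)

    def apply(self, event: Event) -> None:
        if event.kind == "login":
            self.computer_to_user[event.computer] = event.value
        elif event.kind == "logout":
            # Only clear the mapping if it still names the user who logged out,
            # so a late or duplicated logout event cannot remove a newer login.
            if self.computer_to_user.get(event.computer) == event.value:
                del self.computer_to_user[event.computer]
        elif event.kind == "address":
            self.computer_to_address[event.computer] = event.value
        else:
            raise ValueError(f"unknown event kind {event.kind!r}")

    def snapshot(self) -> Dict[str, Optional[str]]:
        """ip -> login name, as handed to the filter executive (claims 24(b) and 25(b)).

        An address claimed by two computers maps to None: the engine then applies its
        default result instead of attributing the traffic to whichever user came first."""
        table: Dict[str, Optional[str]] = {}
        seen: Dict[str, str] = {}
        for computer, ip in self.computer_to_address.items():
            if ip in seen:
                table[ip] = None          # ambiguous address: refuse to attribute
                continue
            seen[ip] = computer
            user = self.computer_to_user.get(computer)
            if user is not None:          # a computer nobody is logged in to has no entry
                table[ip] = user
        return table


def attribute(table: Dict[str, Optional[str]], ip: str) -> Optional[str]:
    """Resolve a sender address to a login name; None means 'apply the default result'."""
    return table.get(ip)


def build_demo_manager() -> NamingServiceManager:
    """Constructed starting state: alice on ws-01, bob on ws-02."""
    return NamingServiceManager(
        {"ws-01": "alice", "ws-02": "bob"},
        {"ws-01": "10.0.0.11", "ws-02": "10.0.0.12"},
    )


DEMO_EVENTS = [  # constructed sequence of login, logout and address-change events
    Event("logout", "ws-01", "alice"),
    Event("login", "ws-01", "carol"),
    Event("address", "ws-02", "10.0.0.50"),
]


def run_demo():
    """Return (who 10.0.0.11 was attributed to before the events, the table after them)."""
    mgr = build_demo_manager()
    before = attribute(mgr.snapshot(), "10.0.0.11")
    for e in DEMO_EVENTS:
        mgr.apply(e)
    return before, mgr.snapshot()


if __name__ == "__main__":
    before, after = run_demo()
    print("10.0.0.11 before events:", before)
    print("table after events:", after)
```

The two cases the example handles deliberately are the ones that cause misattribution in practice: a packet from 10.0.0.11 belongs to alice before the events and to carol after them, so a filter executive still holding the old table would apply alice's rules to carol's traffic; and an address that two computers both claim (a stale DHCP lease, for instance) is published as unresolvable rather than guessed, so the engine's default result applies until the conflict is cleared.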

26. The computer-readable medium of claim 1, wherein a plurality of administrators are allowed to input user information, mapping information and user policies using the graphical user interface, and wherein each administrator is assigned an administration level which determines what type of user information, mapping information and user policies the administrator is allowed to input using the graphical user interface.

27. An apparatus for managing communication of data packets between an intranetwork and an internetwork, the intranetwork connecting a plurality of computers via a communications medium, the internetwork connecting a plurality of intranetworks via communications media, the apparatus comprising: (a) a storage medium for storing: (i) a database which includes user information, mapping information and policies for each user of a computer connected to the intranetwork, wherein the user information identifies each user, wherein the mapping information maps each user to a computer connected to the intranetwork, and wherein the policies govern the communication of data packets between each user and the internetwork; (ii) a filter executive which optimizes the user policies for each user stored in the database into a set of rules for each user; and (iii) a filter engine which filters data packets communicated between the intranetwork and the internetwork according to the set of rules for each user optimized by the filter executive and the mapping information for each user; and (b) a processing unit electronically coupled to the storage medium for executing program instructions which maintain the database, implement the filter executive and implement the filter engine.

28. The apparatus of claim 27, wherein the mapping information mapping each user to a computer connected to the intranetwork includes: (a) a computer-to-user mapping which identifies a login name of the user and a computer name of the computer to which the user is assigned; and (b) a computer-to-address mapping which identifies the computer name of the computer to which the user is assigned and the internetwork protocol address of the computer.

29. The apparatus of claim 28, wherein the processing unit executes program instructions which cause the filter engine to filter data packets by: for each data packet communicated between the intranetwork and the internetwork, (a) scanning the mapping information for each user for an internetwork protocol address of a mapped computer assigned to a user that matches an address of a computer from which the data packet was sent; (b) comparing the data packet to the set of rules for the user assigned to the mapped computer; and (c) if the data packet matches at least one rule of the set of rules, returning a filter result for the at least one rule, wherein the filter result indicates whether the filter engine is to deny delivery of the data packet.

30. The apparatus of claim 29, wherein the processing unit executes program instructions which cause the filter engine to further filter the data packet by returning a default result for the at least one rule, if the data packet does not match at least one rule of the set of rules, wherein the default result indicates whether the filter engine is to deny delivery of the data packet.

31. The apparatus of claim 30, wherein the filter engine also returns a default result if an internetwork protocol address of a mapped computer is not found that matches the address of the computer from which the data packet was sent.

32. The apparatus of claim 31, wherein the filter result and the default result further indicate whether the filter engine is to log the data packet.

33. The apparatus of claim 31, wherein the filter result and the default result further indicate whether the user assigned to the mapped computer whose internetwork protocol address matches the address of the computer from which the data packet was sent, is to be notified that the data packet has matched at least one rule of the set of rules.

34. The apparatus of claim 28, further comprising an input device for allowing an administrator to input the user information, the mapping information and the policies for each user.

35. The apparatus of claim 34, wherein the input device further allows the administrator to organize the users into a hierarchy of groups having a root group containing all users and a plurality of subgroups, each subgroup containing at least one user.

36. The apparatus of claim 35, wherein the input device further allows the administrator to input at least one user policy against each user, wherein the user policy governs the communication of data packets between the user and the internetwork.

37. The apparatus of claim 36, wherein the input device further allows the administrator to input at least one group policy, wherein the group policy is applied against a group of the hierarchy such that each user contained in the group inherits the group policy, and wherein the group policy governs the communication of data packets between each user contained in the group and the internetwork.

38. The apparatus of claim 37, wherein if the group policy inherited by the user conflicts with a user policy for the user, the database resolves the conflict such that only one of the user policy and the group policy is applied against the user.

39. The apparatus of claim 37, wherein the processing unit executes program instructions which cause the filter executive to optimize the user policies and the group policies into the set of rules for each user by defining each rule of the set of rules from at least one corresponding individual user policy stored in the database, wherein each rule dictates how the filter engine is to filter a data packet communicated between the user and the internetwork which matches the rule.

40. The apparatus of claim 39, wherein each user policy and each group policy from which each user rule is defined comprise at least one of the following: (a) a file type policy indicating whether a file having a particular file extension may be communicated between the user and the internetwork; (b) an application protocol policy indicating whether information transferred using a particular application protocol may be communicated between the user and the internetwork; (c) a site policy indicating whether the information may be communicated between the user and a particular computer site located in the internetwork; and (d) a quota policy indicating how much information may be communicated between the user and the internetwork during a given time interval.

41. The apparatus of claim 40, wherein the processing unit executes program instructions which cause the filter executive to establish a set of user rules for each user by: (a) defining a file extension rule from each file type policy, wherein the file extension rule dictates whether a data packet containing information from a file having a particular file extension may be communicated between the user and the internetwork; (b) defining an application protocol rule from each application protocol policy, wherein the application protocol rule dictates whether a data packet communicated using a particular application protocol may be communicated between the user and the internetwork; and (c) defining a combined site and protocol rule from each site policy and application protocol policy, wherein the combined site and protocol rule dictates whether a data packet may be communicated between the identified user and a particular computer site located in the internetwork.

42. The apparatus of claim 41, wherein the input device further allows the administrator to input a set of system default policies applied against all users contained in the root group of the system hierarchy, wherein each system default policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork.

43. The apparatus of claim 42, wherein the processing unit executes program instructions which cause the filter executive to establish a set of system default rules for all users contained in the root group of the system hierarchy from the set of system default policies, wherein the set of system default rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork.

44. The apparatus of claim 43, wherein the input device further allows the administrator to input a set of global network policies applied against all users contained in the root group of the system hierarchy, wherein each global network policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork using a particular network protocol.

45. The apparatus of claim 44, wherein the processing unit executes program instructions which cause the filter executive to establish a set of global network protocol rules for all users contained in the root group of the system hierarchy from the set of global network policies, wherein the set of global network rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork using the particular network protocol.

46. The apparatus of claim 45, wherein the input device further allows the administrator to input a set of time schedule policies applied against all users contained in the root group of the system hierarchy, wherein each time schedule policy indicates a time schedule during which certain information may be communicated between any of the users contained in the root group and the internetwork using a particular application protocol.

47. The apparatus of claim 46, wherein the processing unit executes program instructions which cause the filter executive to establish a set of timer rules for all users contained in the root group of the system hierarchy from the set of time schedule policies, wherein the set of timer rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork during the time schedule using the particular application protocol.

48. The apparatus of claim 28, wherein the database further stores a naming service manager for updating the mapping information for each user inputted by the administrator using the input device, and wherein the processing unit executes program instructions to implement the naming service manager.

49. The apparatus of claim 48, wherein the processing unit executes program instructions causing the naming service manager to update the mapping information by: (a) collecting updated computer-to-user mappings; and (b) replacing outdated computer-to-user mappings used by the filter executive with the updated computer-to-user mappings collected from the at least one naming service agent.

50. The apparatus of claim 49, wherein the processing unit executes program instructions causing the naming service manager to update the mapping information by: (a) collecting updated computer-to-address mappings; and (b) replacing outdated computer-to-address mappings used by the filter executive with the updated computer-to-address mappings collected from the at least one naming service agent.

51. A method for managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising: (a) establishing one or more policies for each user of the plurality of computers; (b) optimizing the one or more policies so as to establish a set of user rules for each user, the user rules governing the communication of information between the user and the internetwork, wherein at least one of the user rules comprises a rule based on a usage quota for a user; (c) identifying each user of the plurality of computers connected to the intranetwork; (b) (d) mapping each user to at least one computer connected to the intranetwork; (c) establishing a set of user rules for each user governing the communication of information between the user and the internetwork; and (d) (e) filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user.

52. The method of claim 51, wherein each user is mapped to at least one computer by: (a) identifying the at least one computer by host name and address; and (b) assigning the identified at least one computer to the user.

53. The method of claim 52, further comprising adding each user to a system hierarchy of groups including a root group and a plurality of subgroups, wherein the root group contains each user and wherein each subgroup contains at least one user.

54. The method of claim 53, further comprising applying at least one user policy against each user, wherein the user policy indicates whether certain information may be communicated between the user and the internetwork.

55. The method of claim 54, further comprising applying at least one group policy against a group of the system hierarchy such that each user contained in the group of the system hierarchy inherits the group policy, wherein the group policy indicates whether certain information may be communicated between the user and the internetwork.

56. The method of claim 55, wherein establishing a set of user rules for each user comprises: (a) defining a user rule from each user policy applied against the user, wherein the user rule dictates whether a data packet of information may be communicated between the user and the internetwork; and (b) defining a user rule from each group policy inherited by the user wherein the user rule dictates whether a data packet of information may be communicated between the user and the internetwork.

57. The method of claim 56, wherein the user policy from which the user rule is defined comprises at least one of the following: (a) a file type policy indicating whether a file having a particular file extension may be communicated between the user and the internetwork; (b) an application protocol policy indicating whether information transferred using a particular application protocol may be communicated between the user and the internetwork; (c) a site policy indicating whether the information may be communicated between the user and a particular computer site located in the internetwork; and (d) a quota policy indicating how much information may be communicated between the user and the internetwork during a given time interval.

58. The method of claim 57, wherein establishing a set of user rules for each user comprises: (a) defining a file extension rule from each file type policy, wherein the file extension rule dictates whether a data packet containing information from a file having a particular file extension may be communicated between the user and the internetwork; (b) defining an application protocol rule from each application protocol policy, wherein the application protocol rule dictates whether a data packet communicated using a particular application protocol may be communicated between the user and the internetwork; and (c) defining a combined site and protocol rule from each site policy and application protocol policy, wherein the combined site and protocol rule dictates whether a data packet may be communicated between the identified user and a particular computer site located in the internetwork.

59. The method of claim 56, further comprising applying a set of system default policies applied against all users contained in the root group of the system hierarchy, wherein each system default policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork.

60. The method of claim 59, further comprising establishing a set of system default rules for all users contained in the root group of the system hierarchy from the set of system default policies, wherein the set of system default rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork.

61. The method of claim 60, further comprising applying a set of global network policies applied against all users contained in the root group of the system hierarchy, wherein each global network policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork using a particular network protocol.

62. The method of claim 61, further comprising establishing a set of inbound and outbound global network protocol rules for all users contained in the root group of the system hierarchy from the set of global network policies, wherein the set of inbound global network rules dictate whether a data packet of information may be communicated from the internetwork to any of the users contained in the root group using a particular network protocol; and wherein the outbound global network rules dictate whether a data packet of information may be communicated from any of the users contained in the root group to the internetwork using a particular network protocol.

63. The method of claim 62, further comprising applying a set of time schedule policies applied against all users contained in the root group of the system hierarchy, wherein each time schedule policy indicates a time schedule during which certain information may be communicated between any of the users contained in the root group and the internetwork using a particular application protocol.

64. The method of claim 63, further comprising establishing a set of timer rules for all users contained in the root group of the system hierarchy from the set of time schedule policies, wherein the set of timer rules comprises a set of inbound global network rules and a set of outbound global network rules, and wherein the timer rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork during the time schedule using the particular application protocol.
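The group hierarchy and policy-to-rule optimization of claims 53 through 58, together with the byte-count quota of claims 86 and 87, as an added example in Python. This is not code from the patent or from any product it describes; it assumes a simple data model in which a root group contains subgroups and users, a policy attaches to a user or to a group, and a group policy is inherited by every user below that group. The function `optimize()` plays the role of the filter executive; the group names, user names and sample policies are constructed for illustration.

```python
"""Policy-to-rule optimization over a group hierarchy (claims 53-58, 86-87).

Added example, not code from the patent. Assumed data model: a root group
contains subgroups and users; policies attach to a user or to a group, and a
group policy is inherited by every user below that group. optimize() plays
the role of the filter executive, flattening policies into one rule set per
user. All names and sample policies below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    kind: str            # "file_type", "app_protocol", "site" or "quota"
    value: str           # extension, protocol name, site host, or byte quota
    allow: bool = False  # may the matching information be communicated?


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    policies: List[Policy] = field(default_factory=list)


@dataclass
class User:
    name: str
    group: Group
    policies: List[Policy] = field(default_factory=list)


def effective_policies(user: User) -> List[Policy]:
    """User policies first, then inherited group policies, nearest group first."""
    pols = list(user.policies)
    g = user.group
    while g is not None:
        pols.extend(g.policies)
        g = g.parent
    return pols


def optimize(user: User) -> dict:
    """Flatten a user's policies into the rule set of claim 58.

    The first policy seen for a key wins, so a user policy overrides an
    inherited one and a subgroup policy overrides the root group's.
    Returned rules: file_ext {ext: allow}, protocol {proto: allow},
    site_protocol {(site, proto): allow}, quota (bytes per interval or None).
    """
    rules = {"file_ext": {}, "protocol": {}, "site_protocol": {}, "quota": None}
    site_policies = []
    for p in effective_policies(user):
        if p.kind == "file_type":
            rules["file_ext"].setdefault(p.value.lower(), p.allow)
        elif p.kind == "app_protocol":
            rules["protocol"].setdefault(p.value.lower(), p.allow)
        elif p.kind == "site":
            site_policies.append(p)
        elif p.kind == "quota" and rules["quota"] is None:
            rules["quota"] = int(p.value)
    # Combined site-and-protocol rule (claim 58(c)): a packet to the site
    # over a protocol is allowed only if both the site and protocol allow it.
    for s in site_policies:
        for proto, proto_allow in rules["protocol"].items():
            rules["site_protocol"].setdefault((s.value.lower(), proto),
                                              s.allow and proto_allow)
    return rules


# Constructed sample hierarchy: root -> engineering -> alice; bob sits in root.
ROOT = Group("root", policies=[
    Policy("app_protocol", "http", allow=True),
    Policy("app_protocol", "ftp", allow=False),
    Policy("quota", "50000000"),                 # system default quota
])
ENGINEERING = Group("engineering", parent=ROOT, policies=[
    Policy("app_protocol", "ftp", allow=True),   # subgroup re-enables FTP
    Policy("file_type", ".exe", allow=False),
])
ALICE = User("alice", ENGINEERING, policies=[
    Policy("site", "games.example", allow=False),
    Policy("quota", "10000000"),                 # user quota overrides root's
])
BOB = User("bob", ROOT)


if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.name, optimize(u))
```

The first-seen-wins ordering is the design point: because `effective_policies()` lists the user's own policies before the subgroup's and the subgroup's before the root's, a more specific policy always shadows a more general one without any explicit priority field, which is what lets the filter executive hand the filter engine a single flat rule set per user.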

65. The method of claim 64, wherein filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork comprises: (a) intercepting a data packet containing information as the data packet is communicated between a user and the internetwork; (b) if a set of inbound global network protocol rules has been established for all users, comparing the data packet to the set of inbound global network protocol rules; (c) if the data packet matches at least one inbound global network protocol rule, returning a filter result indicating whether to deny delivery of the data packet; and (d) if the data packet does not match at least one inbound global network protocol rule, returning a default result indicating whether to deny delivery of the data packet.

66. The method of claim 65, wherein filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork further comprises: (a) if a set of inbound global network protocol rules has not been established for all users, determining whether a set of outbound global network protocol rules has been established for all users; (b) if a set of outbound global network protocol rules has been established for all users, comparing the data packet to the set of outbound global network protocol rules; (c) if the data packet matches at least one outbound global network protocol rule, returning a filter result indicating whether to deny delivery of the data packet; and (d) if the data packet does not match at least one outbound global network protocol rule, returning a default result indicating whether to deny delivery of the data packet.

67. The method of claim 66, wherein filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork further comprises: (a) if a set of outbound global network protocol rules has not been established for all users, comparing the data packet to the set of user rules; (b) if the data packet matches at least one user rule in the set of user rules, returning a filter result indicating whether to deny delivery of the data packet; and (c) if the data packet does not match at least one user rule in the set of user rules, returning a default result indicating whether to deny delivery of the data packet.

68. The method of claim 67, wherein comparing the data packet to the set of user rules comprises: (a) scanning the mapping information for each user for an internetwork protocol address of a mapped computer assigned to a user which matches an address of a computer from which the data packet was sent; and (b) comparing the data packet to the set of user rules for the user assigned to the mapped computer.

69. The method of claim 68, wherein filtering the information further comprises returning a default result if the address of the computer which sent the data packet does not match an internetwork protocol address of a mapped computer.

70. The method of claim 51, further comprising updating the mapping information for each user as the user logs out of the at least one computer to which the user is assigned.

71. The method of claim 70, further comprising updating the mapping information for each user as the user logs in to another computer.

72. The method of claim 71, further comprising updating the mapping information for each user as the address of the at least one computer to which the user is assigned changes.
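The filter-engine decision order of claims 65 through 69, driven by the mapping updates of claims 70 through 72, as an added Python example that is not code from the patent or any product it describes. It assumes that a packet is a small record carrying direction, addresses and application protocol; that a rule is a predicate plus the filter result (True meaning deny delivery) it returns on a match; and that the naming service manager is two dictionaries updated on login, logout and address change. The decision order follows the claim wording literally: when inbound global rules exist only they are consulted, otherwise outbound global rules, otherwise the per-user rules reached through the address-to-user mapping. For inbound packets the intranetwork-side address is taken to be the destination, which is an assumption, since claim 68 speaks of the sending computer. Host names, user names and addresses are constructed sample values.

```python
"""Filter engine decision order (claims 65-69) with live mapping updates
(claims 70-72). Added example, not code from the patent; see the lead-in
for the assumptions. Addresses and names are constructed sample values."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DEFAULT_DENY = False   # default result when no rule matches (assumed: allow)


@dataclass(frozen=True)
class Packet:
    direction: str     # "inbound" (internetwork -> intranetwork) or "outbound"
    src: str
    dst: str
    protocol: str      # application protocol name, e.g. "http"


@dataclass
class Rule:
    matches: Callable[[Packet], bool]
    deny: bool         # filter result returned when the rule matches


class NamingServiceManager:
    """Computer-to-user and computer-to-address mappings, kept current."""

    def __init__(self):
        self.user_by_host: Dict[str, str] = {}
        self.addr_by_host: Dict[str, str] = {}

    def login(self, user, host, addr):          # claim 71: drop stale mapping
        for h in [h for h, u in self.user_by_host.items() if u == user]:
            del self.user_by_host[h]
        self.user_by_host[host] = user
        self.addr_by_host[host] = addr

    def logout(self, host):                     # claim 70
        self.user_by_host.pop(host, None)

    def address_changed(self, host, addr):      # claim 72
        self.addr_by_host[host] = addr

    def user_for_address(self, addr):           # claim 68(a)
        for host, a in self.addr_by_host.items():
            if a == addr:
                return self.user_by_host.get(host)
        return None


class FilterEngine:
    def __init__(self, nsm, inbound_global=None, outbound_global=None, user_rules=None):
        self.nsm = nsm
        self.inbound_global: List[Rule] = inbound_global or []
        self.outbound_global: List[Rule] = outbound_global or []
        self.user_rules: Dict[str, List[Rule]] = user_rules or {}

    @staticmethod
    def _first_match(rules, pkt) -> Optional[bool]:
        for r in rules:
            if r.matches(pkt):
                return r.deny
        return None

    def filter(self, pkt: Packet) -> bool:
        """Return True to deny delivery of pkt, False to allow it."""
        if self.inbound_global:                       # claim 65: only these
            res = self._first_match(self.inbound_global, pkt)
            return DEFAULT_DENY if res is None else res
        if self.outbound_global:                      # claim 66
            res = self._first_match(self.outbound_global, pkt)
            return DEFAULT_DENY if res is None else res
        # Claim 68: find the user through the intranetwork-side address
        # (assumed: source for outbound packets, destination for inbound).
        user = self.nsm.user_for_address(pkt.src if pkt.direction == "outbound" else pkt.dst)
        if user is None:                              # claim 69
            return DEFAULT_DENY
        res = self._first_match(self.user_rules.get(user, []), pkt)
        return DEFAULT_DENY if res is None else res   # claim 67


def user_rule_scenario() -> List[bool]:
    """Login, address change and logout seen through alice's 'deny ftp' rule."""
    nsm = NamingServiceManager()
    engine = FilterEngine(nsm, user_rules={"alice": [Rule(lambda p: p.protocol == "ftp", True)]})
    ftp = lambda src: Packet("outbound", src, "203.0.113.7", "ftp")
    out = []
    nsm.login("alice", "ws-01", "10.0.0.5")
    out.append(engine.filter(ftp("10.0.0.5")))                                       # deny
    out.append(engine.filter(Packet("outbound", "10.0.0.5", "203.0.113.7", "http")))  # default
    out.append(engine.filter(ftp("10.0.0.9")))                                       # unmapped: default
    nsm.address_changed("ws-01", "10.0.0.9")
    out.append(engine.filter(ftp("10.0.0.9")))                                       # now alice: deny
    nsm.logout("ws-01")
    out.append(engine.filter(ftp("10.0.0.9")))                                       # logged out: default
    return out


def global_rule_scenario() -> List[bool]:
    """With inbound global rules present, the claim order never reaches user rules."""
    nsm = NamingServiceManager()
    nsm.login("alice", "ws-01", "10.0.0.5")
    engine = FilterEngine(
        nsm,
        inbound_global=[Rule(lambda p: p.direction == "inbound" and p.protocol == "telnet", True)],
        user_rules={"alice": [Rule(lambda p: p.protocol == "ftp", True)]})
    return [engine.filter(Packet("inbound", "203.0.113.7", "10.0.0.5", "telnet")),   # deny
            engine.filter(Packet("inbound", "203.0.113.7", "10.0.0.5", "http")),     # default
            engine.filter(Packet("outbound", "10.0.0.5", "203.0.113.7", "ftp"))]     # default
```

Two points worth noticing when running the scenarios: first, because the engine resolves the user at packet time rather than caching it, an address change or logout takes effect on the very next packet, which is the property claims 70 through 72 are after; second, `global_rule_scenario()` shows that under the claim order as written, the presence of any inbound global rule means a user's own rules are never consulted, so a deployment that wants both must express the per-user restriction in the global set or accept the default result.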

73. The method of claim 51, wherein the information comprises an electronic mail.

74. A method of managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising: establishing one or more policies for each user of the plurality of computers; optimizing the one or more policies so as to establish a set of user rules for each user, the user rules governing the communication of information between the user and the internetwork; identifying each user of the plurality of computers connected to the intranetwork; mapping each user to at least one computer connected to the intranetwork, thereby defining mapping information for each user; querying a NETBIOS server for an IP address of a computer operated by each user; and filtering information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user and the mapping information for each user.

75. The method of claim 74, further comprising mapping each user to said IP address of each user.

76. A system for managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the system comprising: means for establishing one or more policies for each user of the plurality of computers; means for optimizing the one or more policies so as to establish a set of user rules for each user, the user rules governing the communication of information between the user and the internetwork, wherein at least one of the user rules comprises a rule based on a usage quota for a user; means for identifying each user of the plurality of computers connected to the intranetwork; means for mapping each user to at least one computer connected to the intranetwork; and means for filtering information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user.

77. A method of managing communication of information between a user of a computer and an intranetwork, wherein the intranetwork is coupled to an internetwork that connects a plurality of intranetworks, the method comprising: establishing one or more policies for the user; optimizing the one or more policies so as to establish a set of user rules for the user, the user rules governing the communication of information between the user and the internetwork; identifying the user of the computer connected to the intranetwork; mapping the user to the computer connected to the intranetwork as the user logs onto the intranetwork, thereby defining mapping information for each user; and filtering the information communicated between the user and the internetwork according to the set of user rules for the user and the mapping information for each user.

78. The method of claim 77, wherein the set of user rules comprises a file type policy indicating whether a file having a particular file extension may be communicated between the user and the internetwork.

79. The method of claim 77, wherein the mapping comprises determining an IP address of the user as the user logs onto the intranetwork.

80. The method of claim 77, wherein the filtering comprises: intercepting a data packet containing information as the data packet is communicated between the user and the internetwork; determining that transmission of the data packet to the user should be denied if the information matches at least one of the rules in said set of user rules for the user.

81. The method of claim 77, further comprising storing in a database an identifier associated with each of said plurality of users, an identifier of the at least one computer mapped to each of said plurality of users, and the set of user rules for each user.

82. The method of claim 77, further comprising updating the mapping information for each user as the address of the at least one computer to which the user is assigned changes.

83. An apparatus for managing communication of data packets between an intranetwork and an internetwork, the intranetwork connecting a plurality of computers via a communications medium, the internetwork connecting a plurality of intranetworks via communications media, the apparatus comprising: (a) a storage medium for storing: a database which includes user information, mapping information and policies for each user of a computer connected to the intranetwork, wherein the user information identifies each user, wherein the mapping information maps each user to an IP address of a computer connected to the intranetwork, and wherein the policies govern the communication of data packets between each user and the internetwork; a filter executive which optimizes the user policies for each user stored in the database into a set of rules for each user; and a filter engine which filters data packets communicated between the intranetwork and the internetwork according to the set of rules for each user optimized by the filter executive and the mapping information for each user; and (b) a processing unit electronically coupled to the storage medium for executing program instructions which maintain the database, implement the filter executive and implement the filter engine.

84. A method of managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising: identifying each user of the plurality of computers connected to the intranetwork; mapping each user to at least one computer connected to the intranetwork; establishing a set of user rules for each user governing the communication of information between the user and the internetwork, wherein at least one set of user rules comprises a usage quota rule; and filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user.

85. A method of managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising: (a) identifying each user of the plurality of computers connected to the intranetwork; (b) mapping each user to at least one computer connected to the intranetwork; (c) establishing a set of user rules for each user governing the communication of information between the user and the internetwork, wherein at least one set of user rules comprises a rule based on a usage quota for a user; (d) storing in a database an identifier associated with each user, the at least one computer mapped to each identified user, and the set of user rules for each user; and (e) filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user.

86. The method of claim 85, wherein the usage quota is based on a time period during which the user may access the internetwork.

87. The method of claim 85, wherein the usage quota is based on an amount of data that may be transferred to the user.

88. A method of managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising: (a) identifying each user of the plurality of computers connected to the intranetwork; (b) mapping each user to at least one computer connected to the intranetwork; (c) adding each user to a system hierarchy of groups including a root group and a plurality of subgroups, wherein the root group contains each user and wherein each subgroup contains at least one user; (d) establishing a set of user rules for each user governing the communication of information between the user and the internetwork, wherein at least one of the sets of user rules comprises a rule based on a usage quota for a user; (e) filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user, wherein the filtering comprises applying a set of global network policies against all users contained in the root group of the system hierarchy, wherein each global network policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork using a particular network protocol.

89. The method of claim 88, further comprising applying at least one user policy against each user, wherein the user policy indicates whether certain information may be communicated between the user and the internetwork.

90. The method of claim 88, wherein the mapping comprises mapping each user to said IP address of each user.

91. The method of claim 88, further comprising applying at least one rule against one of the plurality of subgroups such that each user in the one of the plurality of subgroups inherits the rule.

Description:

FIELD OF THE INVENTION

This invention generally relates to managing the communication of data packets transmitted via an intranetwork or an internetwork and more particularly to monitoring, logging and blocking data packets transmitted via an intranetwork or internetwork.

BACKGROUND OF THE INVENTION

Communication networks are well-known in the computer communications field. By definition, a network is a group of computers and associated devices that are connected by communications facilities or links. Network connections can be of a permanent nature, such as via cables, or can be of a temporary nature, such as connections made through telephone or other communication links. Networks vary in size, from a local area network (LAN) consisting of a few computers and related devices, to a wide area network (WAN) which interconnects computers and LANs that are geographically dispersed. An internetwork, in turn, is the joining of multiple computer networks, both similar and dissimilar, by means of gateways or routers that facilitate data transfer and conversion from various networks. A well-known abbreviation for internetwork is “internet.” As currently understood, the capitalized term “Internet” refers to the collection of networks and routers that use a Transmission Control Protocol/Internet Protocol (TCP/IP) to communicate with one another.

A representative section 40 of the Internet is shown in FIG. 1 (Prior Art) in which a plurality of local area networks (LANs) 44 are connected by routers 42. The routers 42 are generally special purpose computers used to interface one LAN to another. Communication links within the LANs may be twisted wire pair, or coaxial cable, while communication links between networks may utilize 56 Kbps analog telephone lines, 1 Mbps digital T-1 lines and/or 45 Mbps T-3 lines. It will be appreciated that the Internet comprises a vast number of such interconnected networks and routers and that only a small, representative section of the Internet is shown in FIG. 1.

The Internet has recently seen explosive growth by virtue of its ability to link computers located throughout the world. In conjunction, the number of information services available on the Internet has grown significantly. For example, such services include electronic mail, Usenet (a collection of news groups dedicated to specific topics), Gopher (an information retrieval system created by the University of Minnesota), bulletin boards and the World Wide Web (WWW). Information provided by these services is transferred via the Internet using communication protocols that are designed specifically for the requirements of the particular service and used on top of TCP/IP to transfer information. For example, hypertext documents provided by the World Wide Web are transferred using a protocol known as HyperText Transfer Protocol (HTTP). Electronic mail can be transferred using the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol-Version 2 (POP2) or the Post Office Protocol-Version 3 (POP3). Although HTTP, SMTP, POP2 and POP3 are mentioned here, those of ordinary skill in the art will appreciate that these protocols are only a representative sample of the plethora of protocols used to transfer information via the Internet and that new protocols and services are being added to the Internet each day.

In summary, the Internet is a conduit of information and services to any one of the smaller LANs or WANs belonging to it. The proliferation of information and services on the Internet has created the need for a method and apparatus to manage the communication of the information and services between the Internet and its member intranetworks. The method and apparatus for managing such communication should be capable of monitoring and logging the transmission of data packets between the intranetwork and the Internet. In addition, the method and apparatus should be capable of setting rules for the users of computers connected to the intranetwork that deny or allow access to certain Internet resources, e.g., denying or allowing access to certain WWW sites, denying or allowing retrieval of files from the Internet having certain file extensions, and denying or allowing the transfer of data to destinations in the intranetwork based on the type of protocol used to transfer the data. As described in the following, the present invention provides a method and apparatus that meet these criteria and solves other shortcomings in the prior art.

SUMMARY OF THE INVENTION

In accordance with the present invention, a network management program is provided that manages the communication of data packets between an intranetwork and an internetwork. The intranetwork includes a plurality of computers connected via a communications medium. The internetwork includes a plurality of computers connected by other communications media. An operator of a computer connected to the intranetwork inputs vital information regarding users of computers connected to the intranetwork, mapping information regarding computers connected to the intranetwork, and policies to be applied against those users and computers, using a graphical user interface (GUI). The GUI communicates the vital user information, mapping information and policies to a database which stores and organizes the vital user information, mapping information and policies. A filter executive optimizes the policies stored in the database into a set of rules for each user and passes the rules to a filter engine. The filter engine filters all outbound data packets transmitted from the intranetwork to the internetwork and verifies all inbound data packets from the internetwork according to the rules provided by the filter executive.

In accordance with other aspects of the present invention, the filter executive also communicates the mapping information stored in the database to a naming service manager which further updates the mapping information and returns the updated mapping information to the filter executive. Consequently, the filter executive filters the data packets according to the most recent mapping information.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated as the same becomes better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 (Prior Art) is a block diagram of a representative portion of the Internet;

FIG. 2 is a pictorial diagram of a plurality of client computers and servers interconnected to form a local area network (LAN) as that typically connected to the Internet as shown in FIG. 1;

FIG. 3A is a schematic block diagram of the several components of a network server shown in FIG. 2 that is used to store a network access program that manages intranetwork and internetwork activity in accordance with the present invention;

FIG. 3B is a schematic block diagram of the several components of a client computer shown in FIG. 2 that are used to store and implement certain portions of the network management program;

FIG. 3C is a schematic block diagram of the several components of a server shown in FIG. 2 that is used to store and implement certain portions of the network access program;

FIG. 4 is a block diagram illustrating the distribution of a plurality of components comprising the network management program among the client computers and servers shown in FIG. 2;

FIG. 5 is a flow chart illustrating the logic used by a graphical user interface (GUI) component of the network management program;

FIG. 6 is a main window produced by the GUI into which an operator inputs vital information regarding the user of each computer connected to the LAN shown in FIG. 2, mapping information regarding each such user to each such computer, and policy information to be applied against each such user;

FIGS. 7A through 7C are a flow chart illustrating the logic used by the GUI to process the vital, mapping and policy information input via the main window shown in FIG. 6;

FIGS. 8A through 8Q are various other windows produced by the GUI for inputting vital, mapping and policy information;

FIGS. 9A through 9D are block diagrams illustrating a plurality of tables stored by a database component of the network management program for organizing the vital, mapping and policy information provided by the GUI;

FIGS. 10A and 10B are a flowchart illustrating the logic used to update protocol policy tables stored in the database;

FIGS. 11A and 11B are a flowchart illustrating the logic used to update file type policy tables in the database;

FIG. 12 is a flowchart illustrating the logic used to update site policy tables in the database;

FIGS. 13A-13C are a flowchart illustrating the logic used to update quota tables in the database;

FIG. 14 is a flowchart illustrating the logic used to build a user policy table in the database;

FIGS. 15A through 15C are a flowchart illustrating the logic used by a filter executive component of the network management program to process and optimize the vital, mapping and policy information stored in the database;

FIG. 16 is a flowchart illustrating the logic used by the filter executive to initialize a filter engine component of the network management program;

FIG. 17 is a block diagram illustrating a plurality of rule sets defined by the filter executive of the network management program based on the policy information stored in the database;

FIG. 18 is a flowchart illustrating the logic used to define a set of rules, including corporate rules, global network protocol rules, user rules and timer rules, for each user of a computer connected to the LAN shown in FIG. 2;

FIG. 19 is a flowchart illustrating the logic used to define a set of site rules for each user of a computer connected to the LAN shown in FIG. 2;

FIG. 20 is a flowchart illustrating the logic used to define a set of timer rules for each user connected to the LAN shown in FIG. 2;

FIG. 21 is a flowchart illustrating the logic used by the filter engine component of the network management program to process Internet protocol (IP) packets communicated between the Internet shown in FIG. 1 and the LAN shown in FIG. 2;

FIG. 22 is a flowchart illustrating the logic used by the filter engine to filter IP packets communicated between the Internet shown in FIG. 1 and the LAN shown in FIG. 2 in accordance with the rules defined by the filter executive;

FIG. 23 is a flowchart illustrating the logic used to log IP packets communicated between the Internet shown in FIG. 1 and the LAN shown in FIG. 2 into a log table;

FIG. 24 is a flowchart illustrating the logic used to resolve the log table formed in accordance with FIG. 23;

FIGS. 25A and 25B are block diagrams illustrating a plurality of tables stored by the database for organizing logging information;

FIG. 26 is a flowchart illustrating the logic used to calculate quota violations based on the amount of data communicated between the Internet shown in FIG. 1 and the LAN shown in FIG. 2;

FIG. 27 is a flowchart illustrating the logic used to notify users of the computers connected to the LAN shown in FIG. 2 of actions taken by the filter engine;

FIG. 28A is a block diagram illustrating a host mapping table used by the naming service manager to maintain naming service information in accordance with the present invention;

FIG. 28B is a block diagram of a transaction container which stores the mapping information as it is communicated between the naming service agent, the naming service manager, and the naming service application;

FIGS. 29A and 29B are a flow chart illustrating the logic used by the naming service manager to collect, maintain and serve mapping information in accordance with the present invention;

FIG. 30 is a flow chart illustrating the logic used by a naming service agent to gather mapping information regarding the computers connected to the LAN shown in FIG. 2;

FIG. 31 is a flow chart illustrating the logic used by a first specific naming service agent upon initialization to process mapping information indicating that a user has logged into or out of a computer connected to the LAN shown in FIG. 2;

FIG. 32 is a flow chart illustrating the logic used by the first specific agent after initialization to process mapping information indicating that a user has logged into or out of a computer connected to the LAN shown in FIG. 2;

FIG. 33 is a flow chart illustrating the logic used by a second specific naming service agent upon initialization to process mapping information indicating that an IP address for a computer connected to the LAN shown in FIG. 2 has changed;

FIGS. 34A and 34B are a flow chart illustrating the logic used by the second specific agent after initialization to process mapping information indicating that an IP address for a computer connected to the LAN has changed;

FIG. 35 is a flow chart illustrating the logic used by a naming service application to register with the naming service manager;

FIG. 36 is a flow chart illustrating the logic used by the naming service application to process mapping information served by the naming service manager;

FIG. 37 is a flow chart illustrating the logic used by the naming service manager to process mapping information indicating that an IP address for a computer connected to the LAN shown in FIG. 2 has become obsolete;

FIG. 38 is a flow chart illustrating the logic used by the naming service manager to process mapping information indicating that a new IP address has been assigned to a computer connected to the LAN shown in FIG. 2;

FIG. 39 is a flow chart illustrating the logic used by the naming service manager to process mapping information indicating that a network user has logged out of a computer connected to the LAN shown in FIG. 2; and

FIGS. 40A and 40B are a flow chart illustrating the logic used by the naming service manager to process mapping information indicating that a network user has logged into a computer connected to the LAN shown in FIG. 2.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

As previously described and shown in FIG. 1, the Internet 40 is a collection of local area networks (LANs) 44 , wide area networks (WANs) 46 , and routers 42 that use the Transmission Control Protocol/Internet Protocol (TCP/IP) to communicate with each other. FIG. 2 illustrates in more detail a LAN 44 such as that typically connected to the Internet 40 . In the actual embodiment of the present invention depicted in FIG. 2, the LAN 44 is a bus network interconnecting various clients and servers. The LAN 44 shown in FIG. 2 can be formed of various coupling media such as glass or plastic fiberoptic cables, coaxial cables, twisted wire pair cables, ribbon cables, etc. In addition, one of ordinary skill in the art will appreciate that the coupling medium can also include a radio frequency coupling media or other intangible coupling media. In view of the availability of preinstalled wiring in current commercial environments, twisted wire pair copper cables are used to form the LAN 44 in the actual embodiment of the present invention described herein.

As shown in FIG. 2, the computers interconnected by the LAN 44 include a plurality of client computers 52 , some of which have been equipped with certain components of the present invention and some of which have not. Those client computers equipped with at least a graphical user interface component of the present invention are known as “administrative clients” 54 . In the actual embodiment of the present invention described herein, operators of the administrative clients are organized into three hierarchical levels of administration, namely, a system administrator, a mid-level administrator and a manager. The system administrator is capable of setting specific policies for the users of the LAN 44 regarding what type of services and information each user may have access to on the Internet 40 . The mid-level administrator and manager, on the other hand, have more limited capabilities, as will be described in more detail below.

The LAN 44 also includes a domain controller server 60 that keeps track of which users are logged into which client computers 52 and which administrative computers 54 at any given time. For example, when a user logs in to a client computer 52 , the user is said to have started a “session” with the LAN 44 . The domain controller server 60 captures a record of this session and stores the login name of the user and the computer name or “host name” of the computer logged into by the user.

The LAN 44 is insulated from the Internet 40 by a firewall server 48 which tracks and controls the flow of all data packets passing through it using the TCP/IP protocol, i.e., all internet protocol or “IP” packets. The firewall 48 protects the LAN 44 from malicious inbound IP packet traffic, but does not allow users of the LAN 44 to dynamically select to which information and services on the internet the users of the LAN 44 may have access.

All inbound IP packet traffic from the Internet 40 passing through the firewall 48 and all outbound IP packet traffic from the LAN 44 passes through a network server 50 equipped with a network operating system that coordinates this transfer of data packets. In one actual embodiment of the present invention, the network operating system installed on the network server 50 is Microsoft Windows NT. However, those of ordinary skill in the art will recognize that various other suitable network operating systems may be used, including the UNIX based network operating systems.

The present invention provides a method and apparatus that enables the network server 50 to manage the communication of IP packets between the LAN 44 and the Internet 40 . Using an administrative computer 54 , a system administrator, mid-level administrator or manager can set specific rules for the users of the computers connected to the LAN 44 regarding what type of services and information on the Internet 40 to which any user may have access. Thus, if a rule denies a user access to a particular service or type of information, any IP packets from that user requesting access for that service or that type of information will not be allowed to pass through the network server 50 to its intended destination in the Internet 40 or the LAN 44 .

Relevant Network Server Administrative Computer and Domain Controller Server Components

FIG. 3A depicts several of the key components of the network server 50 . It will be appreciated by those of ordinary skill in the art that the network server 50 includes many more components than those shown in FIG. 3A. However, it is not necessary that all of these generally conventional components be shown in order to disclose an illustrative embodiment for practicing the present invention. As shown in FIG. 3A, the network server 50 is connected to the LAN 44 via a network interface 66 . Those of ordinary skill in the art will appreciate that the network interface 66 includes the necessary circuitry for connecting the network server 50 to the LAN 44 and the firewall server 48 , and is constructed for use with the TCP/IP protocol, the bus network configuration of LAN 44 and a particular type of coupling medium.

The network server 50 also includes a processing unit 62 , a display 64 and a mass memory 68 . The mass memory 68 generally comprises a random access memory (RAM), read only memory (ROM), and a permanent mass storage device, such as a hard disk drive, tape drive, optical drive, floppy disk drive, or combination thereof. The mass memory 68 stores the program code and data necessary for managing IP packet traffic in accordance with the present invention. More specifically, the mass memory 68 stores a network management program 80 formed in accordance with the present invention for managing the flow of IP packet traffic passing through the network server 50 . As will be described in more detail below, the network management program 80 comprises a graphical user interface 70 , a rules and logging database 72 , a naming service manager 74 , filter executive 76 , and a filter engine 78 .

The graphical user interface (GUI) 70 is a display format that enables operators of the administrative clients 54 to choose commands, start programs, and select options provided by the network management program 80 by pointing to pictorial representations and lists of menu items on the display using a computer input device, such as a mouse or keyboard. As will be described in more detail below, the options and commands provided by the GUI 70 to the operator of the administrative client depends upon the level of administration provided to that operator by the network management program 80 , i.e., whether the operator is a system administrator, a mid-level administrator or a manager. Using the GUI 70 , the operator provides information and sets policies for the users of the LAN 44 regarding what types of services and information to which the user may have access on the Internet 40 . The GUI 70 transmits the information provided and the policies set by the operator for each user to a rules and logging database 72 .

The rules and logging database 72 is a relational database stored in mass memory 68 consisting of the tables shown in FIGS. 9A-9D and FIGS. 25A and 25B which are used by the network management program 80 to manage IP packet traffic passing through the network server 50 . In the actual embodiment of the invention described herein, the database 72 is a relational database managed and controlled using the structured query language (SQL). SQL is used in accordance with the present invention in querying, searching, sorting, updating and managing the database 72 . Those of ordinary skill in the art will recognize, however, that any kind of database, e.g., file, sequential, object-oriented, etc., could be used to implement the present invention. In addition, access languages other than SQL could be used to manage and control the database 72 without departing from the scope of the present invention.

As will be described in more detail below in connection with FIGS. 9A-9D, the tables of the database 72 store information about each user of the LAN 44 and the policies set for each user via the GUI 70 . The tables shown in FIGS. 25A and 25B, on the other hand, store information regarding each IP packet received and logged by the network server 50 in accordance with the present invention. Although the database 72 is stored in mass memory 68 of the network server 50 in the actual embodiment of the present invention described herein, those of ordinary skill in the art will recognize that in other embodiments the database 72 may be stored in memory of any other suitable computer connected to the LAN 44 .

The filter executive 76 is the component of the network management program 80 that provides communication and policy processing between the database 72 and a filter engine 78 that actually filters the IP packets passing through the network server 50 . The filter executive 76 loads the policies for each user collected by the database 72 , optimizes them into a set of rules for each user, and provides the optimized rules to the filter engine 78 .

The filter engine 78 filters all IP packets passing through the network server 50 using the rules for each user provided by the filter executive 76 . The contents of the IP packets contain the information necessary to determine if the IP packets comply with the rules in effect. If an IP packet does not comply, the IP packet may be discarded by the filter engine 78 and thus, prevented from reaching its intended destination. In addition, the filter engine 78 may log the filtered packet and notify the user of the action taken by it.

Finally, the network management program 80 stored in mass memory 68 of the network server 50 includes a naming service manager 74 that collects and maintains mapping information which identifies and correlates users of the LAN 44 to the client computers connected to the LAN 44 currently being utilized by those users. More specifically, the naming service manager 74 dynamically correlates or “maps” a user's login name and domain name to the computer name (or “host name”) and Internet protocol (IP) address of the computer currently, or in some cases formerly, utilized by the user. One of ordinary skill in the art will recognize that the IP address is the four-part number that uniquely identifies a computer connected to the Internet 40 . As will be described in more detail below, the naming service manager 74 collects mapping information, i.e., login names, domain names, computer names and IP addresses, from the filter executive 76 and other agents located on the LAN 44 and correlates the information into a current computer-to-user assignment mapping for each user of the LAN 44 . The naming service manager 74 then provides the filter executive 76 with updated mapping information so that the filter executive 76 can transfer the updated mapping information to the filter engine 78 along with the user rules. Consequently, as a user logs into and out of the LAN 44 , the filter engine 78 begins or ceases to filter IP packets passing through the network server 50 for the user accordingly.

Now that the network server 80 and the components of the network management program 80 that are implemented by the network server 50 have been described in more detail, the relevant components of the administrative clients 54 will be discussed. FIG. 3B depicts several of the key components of the administrative computers 54 which are used to define the set of rules to be applied to users of the LAN 44 in order to manage LAN activity in accordance with the present invention. Those of ordinary skill in the art will appreciate that the administrative clients 54 include many more components than those shown in FIG. 3B. However, it is not necessary that all of these generally conventional components be shown in order to adequately disclose an exemplary embodiment for practicing the present invention. The administrative clients 54 are connected to the LAN 44 via a network interface 56 similar to the network interface 66 of the network server 50 . Each administrative computer 54 also includes a processing unit 55 , a display 58 , and a memory 57 . The memory 57 comprises a conventional disk, read-only memory, and random access memory for storing the network operating system 82 and the GUI 70 of the network management program 80 . In the actual embodiment of the present invention described herein, the administrative computer 54 is not equipped with any of the remaining components of the network management program 80 . Only GUI 70 is required in order to enable an operator of the administrative computer 54 to input information regarding users and set policies for users. The information and policies are then passed by the GUI 70 to the rules and logging database 72 located at the network server 50 for further processing.

As for the remaining client computers 52 connected to the LAN 44 , these client computers 52 are not installed with any of the components of the network management program 80 . Therefore a detailed description of the electronic components of the client computers 52 is not required to adequately disclose an exemplary embodiment of the present invention. However, in accordance with the present invention, any IP packets transmitted by the client computers 52 , and hence, any requests for services and/or information made by the user of a client computer 52 from the Internet 40 are still filtered by the filter engine 78 as they pass through the network server 50 .

FIG. 3C depicts several of the key components of the domain controller server 60 . As noted above, the domain controller server 60 keeps track of which users are logged into which computers at any given time. For example, when a user logs into a computer and the computer begins actively communicating with the LAN 44 , the computer is said to have started a “session” with the LAN 44 . The domain controller server 60 captures a record of this session and stores the login name of the user, and the computer name and IP address of the computer logged into by the user.

The domain controller server 60 comprises a network interface 67 , similar to the network interface 65 of the administrative computer 54 , that connects the domain controller server 60 to the LAN 44 . In addition, the domain controller server includes a processing unit 61 , display 63 and mass memory 69 similar to those found in the network server 50 . However, mass memory 69 of the domain controller server 60 stores either a domain controller agent 75 or a host agent 77 that can be used in conjunction with the naming service manager 74 of the network access program 80 to maintain updated and accurate user mapping information for each user of the LAN 44 at any given time. As will be described in more detail below, the domain controller agent 75 collects dynamic user login and logout information. The host agent 77 , on the other hand, collects current IP address assignments for the computers connected to the LAN 44 . The domain controller agent 75 and host agent 77 periodically transmit the collected information to the naming service manager 74 . Although both the domain controller agent 75 and the host agent 77 are shown in FIG. 3C, it will be appreciated that only one or the other is normally employed. For example, if dynamic user-to-computer mapping and computer-to-IP address mapping is desired, the domain controller agent 75 is employed. However, if user-to-computer assignments are to remain static or permanent, but updates to IP address assignments are still desired, the host agent 77 is employed. Although the host agent 77 is described herein as being located on the domain controller server 60 , those of ordinary skill in the art will recognize that the host agent may be located on any suitable computer connected to the LAN 44 .

The Network Management Program

FIG. 4 is a block diagram of the component parts of the network management program 80 as distributed among the various computers and servers connected to the LAN 44 . The GUI 70 of each administrative computer 54 and the network server 50 communicate the information and policies input by the operators of those computers to the rules and logging database 72 located on the network server 50 via the LAN 44 . These policies are stored and processed by the rules and logging database 72 , which then passes the user policies along to the filter executive 76 along with mapping information for each user. The filter executive 76 optimizes the policies into a set of rules for each user and passes the rules and user mapping information to the filter engine 78 . The filter engine 78 filters all outbound IP packets transmitted from the LAN 44 to the Internet 40 and verifies all inbound IP packets from the Internet 40 according to the rules provided to the filter engine 78 by the filter executive 76 . As this occurs, the naming services manager 74 provides the filter executive 76 with updated mapping information which the filter executive then passes on to the filter engine 78 so that the filter engine begins and ceases filtering of IP packets dynamically as users log into and out of the LAN 44 .
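The interplay described above between the naming service manager and the filter engine, as an added example that is not part of the patent or any product it describes: login, logout and IP-change events update a user-to-host-to-IP mapping, and the filter engine looks up the user behind a packet's source address before applying that user's rules, so filtering starts and stops as users log in and out. The class and method names, the sample rule sets and the choice to pass packets from an unmapped address are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample rule sets keyed by login name: the destination ports each
# user is denied. In the patent the filter executive derives these from the
# database; here they are literals for illustration.
USER_DENIED_PORTS: Dict[str, Set[int]] = {
    "alice": {23},       # Telnet denied
    "bob": {25, 110},    # SMTP and POP3 denied
}


@dataclass
class Mapping:
    """One user-to-computer assignment: login name and domain mapped to host name and IP."""
    login: str
    domain: str
    host: str
    ip: Optional[str]


class NamingServiceManager:
    """Hypothetical naming service manager: keeps the current mapping and answers
    'which user is behind this IP address?' for the filter engine."""

    def __init__(self) -> None:
        self.by_host: Dict[str, Mapping] = {}

    def user_logged_in(self, login: str, domain: str, host: str, ip: str) -> None:
        # Login event, as a domain controller agent would report it.
        self.by_host[host] = Mapping(login, domain, host, ip)

    def user_logged_out(self, host: str) -> None:
        # Logout event: the host no longer has a user, so its packets are no
        # longer attributed to anyone.
        self.by_host.pop(host, None)

    def ip_changed(self, host: str, new_ip: str) -> None:
        # New IP address assigned to a known host, as a host agent would report it.
        m = self.by_host.get(host)
        if m is not None:
            m.ip = new_ip

    def ip_obsolete(self, ip: str) -> None:
        # The address is no longer valid for any host: clear it but keep the
        # user-to-host assignment until a new address is reported.
        for m in self.by_host.values():
            if m.ip == ip:
                m.ip = None

    def user_for_ip(self, ip: str) -> Optional[str]:
        for m in self.by_host.values():
            if m.ip == ip:
                return m.login
        return None


class FilterEngine:
    """Applies per-user rules to outbound packets using the current mapping."""

    def __init__(self, nsm: NamingServiceManager, denied: Dict[str, Set[int]]) -> None:
        self.nsm = nsm
        self.denied = denied

    def filter_outbound(self, src_ip: str, dst_port: int) -> str:
        user = self.nsm.user_for_ip(src_ip)
        if user is None:
            # Assumption of this example: an address with no mapped user has no
            # per-user rules, so the packet passes.
            return "pass"
        if dst_port in self.denied.get(user, set()):
            return "drop"
        return "pass"
```

The point to notice is that the filter engine never stores users itself; every decision is keyed by the mapping as it stands at that moment, which is why an obsolete or stale mapping silently changes whose rules a packet is judged against.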

Now that the overall distribution of the component parts of the network management program 80 has been generally described, the operation of the network management program 80 will be described in more detail.

Information Gathering and Policy Setting

FIG. 5 is a flow chart illustrating the logic used by the GUI 70 of the network management program 80 to determine which network options are to be presented to the operator of the administrative computer 54 , depending upon the system administration level of the operator. As described below, the network management options are displayed in a main window 84 generated by the GUI 70 on the display 58 of the administrative computer.

As shown in FIG. 6, the main window 84 provides the operator with certain information regarding all identified users of the LAN 44 and numerous policy setting options for defining what information and services will be available to those users. In this regard, the main window 84 includes a user list 88 that identifies all users of the LAN 44 . For example, if the present invention were used in a corporate environment, the LAN 44 would comprise the corporation's private intranetwork and each user of the LAN 44 would be an employee of the corporation. Thus, the user list 88 would identify each employee of the corporation. In accordance with the present invention, users can be assigned an administrative access level, such as system administrator, mid-level administrator, or manager. If a “three-key” icon 89 appears beside a user's name in the user list 88 of the main window 84 , the user is a system administrator. Accordingly, a “two-key” icon 87 indicates a mid-level administrator, and the “one-key” icon 85 indicates a manager.

Users are added, modified, or deleted in the user list 88 by using the user add, edit, or delete tool bar buttons 90 a, 90 b, and 90 c, respectively. For example, a user can be added to the user list 88 , and their administrative access level defined, by selecting the user add tool bar button 90 a as will be described in more detail below. Those of ordinary skill in the art will also appreciate that the user add, edit and delete options may also be selected from a “pull-down” user menu 90 d.

In accordance with yet other aspects of the present invention, all users of the LAN 44 can be organized into groups in a hierarchical fashion. In this regard, the main window 84 includes a group hierarchy 86 in which the root of the hierarchy is a group containing all of the users identified in the user list 88 . As with any hierarchy, the root group containing all users can be subdivided into various subgroups or “children,” each child group can further be divided into subgroups, i.e., “grandchildren,” and so on. Again, using the corporate environment as an illustrative example, the root group of the hierarchy would be the “corporate group.” The corporate group can be subdivided into subgroups corresponding to various departments of the corporation, e.g., the finance department, information system department, marketing department and sales department, as shown in FIG. 6 . Accordingly, the employees of each of those departments comprise the users belonging to those subgroups.

As will be described in more detail below, the operator of an administrative client 54 with an access level of system administrator, mid-level administrator or manager can add, modify, and delete subgroups of the root group or “corporate group” using the group add, edit, and delete toolbar buttons 92 a, 92 b, and 92 c or group pull-down menu 92 d. Once a subgroup is defined, users are added as members to the subgroup by selecting a user to group toolbar button 91 .

Once the users of the LAN 44 have been defined and added to groups, depending upon the administration level of the operator of the administrative computer 54 , i.e., system administrator, mid-level administrator or manager, the operator can set certain policies using the GUI 70 and apply those policies broadly against groups or individually against users to control user or group access to Internet resources. In the exemplary embodiment of the present invention described herein, the operator can apply protocol policies, site policies, file type policies, quota policies, and time scheduling policies via the main window 84 generated by the GUI 70 . These policies are more specifically described below.

Protocol Policy

Internet resources, such as WWW servers, electronic mail servers, Usenet readers and Telnet servers, use universally known protocols and port numbers to communicate via the Internet. For example, electronic mail is commonly sent via the Internet using SMTP via port number 25 , POP 2 via port number 106 , or POP 3 via port number 110 . Using the GUI 70 , system administrators, mid-level administrators and managers can establish a policy to deny or allow access to such resources by denying or allowing the transmission of IP packets to the protocols used to transmit them. This “protocol policy” can then be applied broadly against a group (thus, specifically against each user belonging to the group) and individually against particular users.

Site Policy

The WWW is a vast collection of interconnected hypertext documents written in the HyperText Markup Language (HTML) that are electronically stored at “web sites” throughout the Internet 40 . A web site is a server connected to the Internet 40 that has mass storage facilities for storing hypertext documents and that runs administrative software for handling requests for those documents. Using the GUI 70 , a system administrator, mid-level administrator or manager can establish a site policy to deny or allow such requests from users of the LAN 44 by identifying the site by either its unique IP address or its fully qualified domain name. As noted above in connection with protocol policies, site policies can also be applied broadly against a group or individually against specific users.

File Type Policy

Information is often retrieved from the Internet resources mentioned above in the form of a file, such as an executable (.exe) file or an archive (.zip) file. Using the GUI 70 , a system administrator, mid-level administrator or manager can set a file type policy to prevent users from downloading certain types of files from the Internet 40 by identifying the file extension, e.g., .exe or .zip, of the file type being denied. As noted above in connection with the protocol and site policies, file type policies can be applied broadly against groups or individually against specific users.

Quota Policy

During the course of any given day, each of the users of the LAN 44 will transmit and receive millions of bytes of data contained in IP packets. Quotas can be set specifying how many megabytes of data can be transmitted and received by any user during any given time period. In the actual embodiment of the present invention described herein, this time period is twenty-four hours. Such quota policies ensure that the LAN 44 operates at optimum efficiency and that users do not violate acceptable on-line usage policies. As noted above in connection with the protocol, site and file policies, quota policies can be applied broadly against groups or individually against specified users.

Time Schedule Policy

Finally, using the GUI 70 , system administrators (but not mid-level administrators or managers) can establish time schedule policies denying users access to information communicated via certain protocols during specified hours of the day. For example, a system administrator can allow electronic mail only during the hours of 8 a.m. until 10 a.m., by blocking access to the electronic mail protocols (e.g., SMTP, POP 2 , and POP 3 ) all other hours of the day. As opposed to protocol, site, file type and quota policies, time schedule policies can only be applied to the root or corporate group, rather than against users individually or against subgroups of the corporate group. However, since the time schedule policies are applied to the corporate group, the time schedule policies are inherited by all subgroups of the corporate group and all users belonging to the corporate group and its subgroups.
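The five policy types and the group hierarchy described above, as an added example that is not part of the patent or any product it describes: policies attached to the corporate group, a subgroup and an individual user are flattened into one rule set per user (the job the text assigns to the filter executive), and a request is then checked against each policy type in turn. The time schedule is honoured only on the root group, as the text states. The names, the `Node` shape, the rule that the most specific quota wins, and the sample hierarchy are assumptions of this example.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

HourRange = Tuple[int, int]  # [start, end) in hours of the day


@dataclass
class Node:
    """A group or a user; each may carry protocol, site, file type and quota
    policies. The time schedule (port -> hours during which it is allowed)
    is only read from the root group."""
    name: str
    parent: Optional["Node"] = None
    denied_ports: Set[int] = field(default_factory=set)     # protocol policy
    denied_sites: Set[str] = field(default_factory=set)     # site policy (IP or FQDN)
    denied_exts: Set[str] = field(default_factory=set)      # file type policy (".exe", ".zip")
    quota_mb: Optional[int] = None                          # quota policy per 24-hour period
    schedule: Dict[int, List[HourRange]] = field(default_factory=dict)


def effective_rules(user: Node) -> dict:
    """Flatten the policies from the root group down to the user into one rule set."""
    chain: List[Node] = []
    node: Optional[Node] = user
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()  # root first, user last
    ports: Set[int] = set()
    sites: Set[str] = set()
    exts: Set[str] = set()
    quota: Optional[int] = None
    for n in chain:
        ports |= n.denied_ports
        sites |= {s.lower() for s in n.denied_sites}
        exts |= {e.lower() for e in n.denied_exts}
        if n.quota_mb is not None:
            quota = n.quota_mb  # assumption: the most specific quota wins
    return {
        "ports": ports,
        "sites": sites,
        "exts": exts,
        "quota_mb": quota,
        "schedule": chain[0].schedule,  # root group only
    }


def evaluate(rules: dict, dst_host: str, dst_port: int, hour: int,
             filename: Optional[str] = None, used_mb: int = 0, size_mb: int = 0) -> str:
    """Decide one outbound request against the flattened rules. Returns 'allow'
    or 'deny:<policy>' naming the first policy that rejects it."""
    if dst_port in rules["ports"]:
        return "deny:protocol"
    if dst_host.lower() in rules["sites"]:
        return "deny:site"
    if filename and os.path.splitext(filename)[1].lower() in rules["exts"]:
        return "deny:filetype"
    if rules["quota_mb"] is not None and used_mb + size_mb > rules["quota_mb"]:
        return "deny:quota"
    windows = rules["schedule"].get(dst_port)
    if windows is not None and not any(start <= hour < end for start, end in windows):
        return "deny:schedule"
    return "allow"


def build_sample() -> Node:
    """Constructed hierarchy: corporate root -> finance subgroup -> user carol."""
    corporate = Node("corporate", schedule={25: [(8, 10)], 110: [(8, 10)]})  # e-mail 8-10 a.m. only
    finance = Node("finance", parent=corporate, denied_ports={23},
                   denied_exts={".exe"}, quota_mb=50)
    carol = Node("carol", parent=finance, denied_sites={"games.example"})
    return carol
```

Because denials are unioned down the chain, a user can never be granted at their own level something their group denies; the only per-level override in this example is the quota, and that choice is an assumption rather than something the text specifies.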

Returning to FIG. 5, the logic employed by the GUI 70 to display the main window 84 from which system administrators, mid-level administrators and managers can input information and set policies begins in a block 200 and proceeds to a block 202 in which the current operator logs into the administrative computer 54 . In a block 204 , the logic determines if the password entered by the user is valid. If not, the logic returns to block 202 , and the user makes another login attempt. However, if the user enters a valid password, the logic proceeds to a block 206 where the administrative access level for the user, i.e., system administrator, mid-level administrator or manager, is found by querying the database 72 . If the logic determines in a decision block 208 that the current operator is a system administrator, the main window 84 is displayed on the display 58 of the operator's administrative computer 54 with all network management program 80 options available in block 210 . However, if the user is not a system administrator, the logic proceeds from block 208 to a decision block 212 where it determines if the user is a mid-level administrator. If so, the main window 84 will be displayed with certain options blocked, namely, corporate default options, protocol add/edit/delete options, and the time scheduling options.

If the operator is neither a system administrator nor a mid-level administrator, the logic proceeds to a decision block 215 where it determines if the operator is a manager. If so, the main window 84 is displayed with the corporate default options, time scheduling options, user add/edit/delete options, computer add/edit/delete options, and protocol options blocked. The logic then ends in 218 .

If the operator logged into the administrative computer 54 is not a system administrator, mid-level administrator or manager, then the operator is not allowed to set policies or input information using the GUI 70 , and the GUI 70 is exited in block 217 .

FIGS. 7A, 7B and 7C illustrate the logic implemented by the GUI 70 to process the options selected by the operator of the administrative computer 54 from the main window 84 . It will be appreciated, however, that each option selected from the main window 84 causes the rules and logging database 72 to be updated with the information provided by the operator. The tables comprising the database 72 are illustrated in FIGS. 9A and 9B and will be referred to during the discussion of FIGS. 7A-7C.

The logic begins in FIG. 7A in a block 220 and proceeds to a decision block 222 where it determines if the operator has selected the corporate default option from a File pull-down menu 83 in the main window 84 . As noted above, the corporate default option is only made available in the main window 84 to system administrators. Those of ordinary skill in the art will recognize that to mid-level administrators and managers, the corporate default option will appear “greyed out” in the main window 84 and any attempts to select this option by such operators will be ignored by the GUI 70 . When the system administrator selects the corporate default option from the main window 84 , a corporate default window 102 as shown in FIG. 8A, is generated by the GUI 70 on the display 58 of the administrative computer 54 being used by the system administrator. From the corporate default window 102 , the system administrator can set the following default options that apply to the corporate group by selecting or clearing the corresponding check box.

Transaction Load Interval

The system administrator can select how frequently the filter engine 78 transfers logged IP packets to the rules and logging database 72 from the transaction time pull-down menu 180 . When the system administrator enters a value for the transaction load interval, the value is stored in the database 72 in the transaction load interval field in a corporate default table 110 shown in FIG. 9A.

Allow Network Protocols

If the system administrator selects the Allow Network Protocols check box in the corporate default window 102 , IP packets communicated using a predefined list of network protocols are allowed to pass through the filter engine 78 unconditionally. As opposed to application protocols, network protocols are those used by the computers and servers connected to LAN 44 for intranetwork communication. It will be appreciated that network protocols will normally be allowed to pass through the filter engine 78 in order to conserve space in the database 72 . If the system administrator selects the Allow Network Protocols check box, the block network services flag of the corporate default table 110 is set. Otherwise, the block network services flag is cleared.

Allow Undefined Protocols

If the system administrator selects the Allow Undefined Protocols check box in the corporate default window 102 , IP packets communicated using any application protocol that has not been previously defined by the network management program 80 and for which no record is stored in the database 72 are allowed to pass through the filter engine 78 . If the Allow Undefined Protocol check box is selected, the pass through flag is set in the corporate default table 110 . Otherwise, the flag is cleared.

Enable Logging

When the Enable Logging check box is selected in the corporate default window 102 , all IP packets permitted by the filter engine 78 to pass through to their intended destination are also logged by the filter engine 78 . When the system administrator selects the Enable Logging check box, a log-on-off flag in the corporate default table 110 of the database 72 is set. Otherwise, the log-on-off flag is cleared.

Simulate Rule Enforcement

When the Simulate Rule Enforcement check box is selected by the system administrator, all IP packets passing through the filter engine 78 are logged as though the protocol, site, file type and quota policies described above were being enforced, although in reality they are not. When the Simulate Rule Enforcement check box is selected, a log-no-block flag is set in the corporate default table 110 . Otherwise, the log-no-block flag is cleared.

Send Violation Messages

If the system administrator selects the Send Violation Messages check box, violation messages will be sent to users of the LAN 44 when the policies or quotas set for those users have been violated. When the Send Violation Messages check box is selected, a notify flag is set in the corporate default table 110 . Otherwise, the notify flag is cleared.

Returning to FIG. 7A, once the system administrator has selected or cleared all of the desired corporate default check boxes in the corporate default window 102 and the corporate default table 110 in the database 72 has been updated accordingly in block 226 , the logic proceeds to a block 228 where the system administrator is allowed to add network protocols to, or edit or delete network protocols in, a list of network protocols which by default are not blocked by the filter engine 78 .

The system administrator may add, edit or delete network protocols by selecting a network protocols button 182 in the corporate default window 102 . If selected, the GUI 70 will generate a maintain network protocols window 101 as shown in FIG. 8B on the display 58 of the system administrator's administrative computer 54 . To add a network protocol to the list of network protocols shown in the maintain network protocols window, the system administrator selects an Add button. The GUI 70 will then generate an add network protocol window 113 as shown in FIG. 8C. To add a network protocol to the network protocol list, the system administrator inputs the information requested in the add network protocol window 113 , i.e., the name of the protocol, the port number associated with the protocol, and the commonly known alias for the protocol, and selects a log traffic check box to indicate that IP packets transferred via the network protocol are to be logged. Finally, the operator selects the Apply button. A record is then added to a global network protocols table 112 in the database 72 shown in FIG. 9A for the newly added protocol.

The record added to the global network protocols table 112 includes a global protocol ID identifying the record itself, a global protocol name of the network protocol, and the commonly known port number for the protocol. In addition, a log flag is set or cleared to indicate whether or not IP packets transmitted using the network protocol are to be logged, and an access flag is set or cleared to indicate whether or not IP packets transmitted using the network protocol are allowed to pass through the filter engine 78 . Finally, a notify flag is set or cleared to indicate whether or not a user is to be notified of the action taken by the filter engine 78 when filtering an IP packet transmitted using the network protocol. It will be appreciated that if the log traffic check box is selected by the system administrator, the log flag is set. Otherwise, it is cleared. In addition, the access flag is set to the same value as the block network services flag, and the notify flag is set to the same value as the notify flag in the corporate default table 110 . Finally, a rule type code is set to indicate that the rule to be defined from the policy is a network protocol rule.
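The following added example (not code from the patent) models the corporate default flags described above together with a record of the global network protocols table, and shows how a filter engine would combine them for one IP packet: network protocols pass when their access flag is set, undefined protocols are governed by the pass-through flag, and Simulate Rule Enforcement logs the verdict without ever blocking. The `app_policy` parameter, the `Decision` type and the sample port values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class CorporateDefaults:
    """Flags of the corporate default table (110), named as in the text."""
    block_network_services: bool = False  # Allow Network Protocols check box
    pass_through: bool = False            # Allow Undefined Protocols check box
    log_on_off: bool = False              # Enable Logging check box
    log_no_block: bool = False            # Simulate Rule Enforcement check box
    notify: bool = False                  # Send Violation Messages check box

@dataclass
class NetworkProtocol:
    """One record of the global network protocols table (112)."""
    protocol_id: int
    name: str
    port: int
    log: bool
    access: bool
    notify: bool
    rule_type: str = "network_protocol"   # rule type code

def add_network_protocol(table: List[NetworkProtocol], defaults: CorporateDefaults,
                         name: str, port: int, log_traffic: bool) -> NetworkProtocol:
    # access and notify are copied from the corporate defaults, as the text states
    rec = NetworkProtocol(len(table) + 1, name, port, log_traffic,
                          defaults.block_network_services, defaults.notify)
    table.append(rec)
    return rec

@dataclass
class Decision:
    allowed: bool
    logged: bool
    notify_user: bool
    reason: str

def filter_packet(port: int, table: List[NetworkProtocol], defaults: CorporateDefaults,
                  app_policy: Optional[bool]) -> Decision:
    """app_policy (assumed parameter): policy verdict for a defined application
    protocol (True = allowed), or None when the protocol is undefined."""
    rec = next((r for r in table if r.port == port), None)
    if rec is not None:               # network protocol: passes if its access flag is set
        allowed, notify_flag, reason = rec.access, rec.notify, f"network protocol {rec.name}"
    elif app_policy is None:          # undefined protocol: governed by pass-through flag
        allowed, notify_flag, reason = defaults.pass_through, defaults.notify, "undefined protocol"
    else:                             # defined application protocol: policy decides
        allowed, notify_flag, reason = app_policy, defaults.notify, "application policy"
    if defaults.log_no_block:         # simulate: log the verdict, never block, never notify
        return Decision(True, True, False, f"simulated {'pass' if allowed else 'block'}: {reason}")
    logged = (allowed and defaults.log_on_off) or (rec is not None and rec.log)
    return Decision(allowed, logged, (not allowed) and notify_flag, reason)
```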

Returning to FIG. 8B, if the system administrator wishes to edit a network protocol listed in the maintain network protocols window, the system administrator highlights the desired protocol and selects the Edit button. The add network protocol window 113 is generated by the GUI 70 once again, and the system administrator can enter the updated information for the network protocol. The corresponding record for the network protocol will then be updated by the database 72 in the global network protocols table 112 .

If the system administrator wishes to delete a network protocol from the network protocol list shown in the maintain network protocols window, the system administrator highlights the desired network protocol and selects the Delete button. The database 72 then deletes the corresponding record for the network protocol from the global network protocols table 112 . Returning to FIG. 7A, once the global network protocols table 112 is updated in block 230 , the