Electrical computers and digital processing systems: multicomput – Distributed data processing – Client/server
Reexamination Certificate
2000-08-29
2004-09-28
Etienne, Ario (Department: 2157)
C709S228000, C709S207000, C709S219000, C709S220000, C709S227000, C709S229000
active
06799197
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to policy administration for a network of computers. In particular, the present invention provides a method and system for administering pre-set policies to one or more client computers having access to a public network or e-mail by, among other things, sending packages of information between a policy orchestrating server and the client computers over the public network or e-mail with the aid of a secure communication pipe. The client computers that are to be maintained may also be part of one or more distinct wide area networks, or they may be stand-alone computers.
2. Description of the Related Art
Wide area computer networks are often maintained by a system administrator. One of the system administrator's functions is to set policy for and to maintain software on the computers comprising the network. Typically, the system administrator decides, among other things, which software products are to be installed on the client computers and how that software is to be configured. In most wide area networks, the system administrator can communicate with each computer on the network in a secure manner because the computers are connected together with a private communication link. Messages, files, and data can be sent over the private communication link from one or more central servers to each computer on the network, and the computers on the network can use the private communication link to send messages, files, and data to one or more central servers.
Most wide area networks are also set up so that the system administrator can use a central server to configure software on the other computers in the network. The system administrator can issue and control policy for the wide area network and can update and configure software on any or all computers within the network. One typical and routine practice of a computer network system administrator is to periodically update virus scanning software on the computers in the administrator's network.
One of the problems faced by large organizations with multiple locations is that each location often maintains a separate wide area network. Thus, it is difficult for one administrator to set policy for, configure, and maintain every workstation under the organization's control. Moreover, it is of utmost importance that a high level of trust exist between a system administrator and the client computers to be administered. A person or entity successfully impersonating a system administrator can devastate an organization. In order to maintain the high level of security needed, some large organizations maintain dedicated and secure lines between multiple locations so that the system administrator can control all workstations owned or controlled by the organization. Nevertheless, even when dedicated lines are established, there are inevitably a few workstations within an organization, such as laptop computers, that are not connected to the administrator's central server in a secure manner and therefore are not properly maintained and managed. Moreover, the cost of maintaining dedicated lines to small offices where there are few workstations can be prohibitive.
On the other hand, most organizations—even small ones—have computers and networks that are configured to allow users to browse the World Wide Web portion of the Internet. And most mobile users have access to e-mail. Thus, it would be advantageous to use the Internet or e-mail as a means for configuring, setting policy for, and maintaining workstations owned and controlled by an organization. One major drawback, however, is that heretofore there has been no secure way to perform system administration tasks over public networks, such as the Internet, or e-mail systems. Therefore, a secure system and method that allows a system administrator to use the Internet or e-mail to set the policy for all computers owned or controlled by a given organization, regardless of whether all the computers are on the same wide area network, would provide a tremendous benefit in terms of cost and ease of administration.
It is thus an object of the present invention to allow a system administrator to set policy for and to administer software on a plurality of client computers that have access to e-mail or a public network, such as the Internet.
It is also an object of the present invention to allow a system administrator to manage one or more client computers having access to a public network, such as the Internet, or e-mail, regardless of how many diverse wide area networks the client computers may be part of.
Because most wide area networks employ firewalls and other security measures, it would be advantageous to have a system and method that would allow a system administrator to access, and to send information to and from, workstations that are part of secure networks. Thus, it is a further object of the present invention to provide a secure means for sending packages of information to and from a plurality of computers, which may reside on different wide area networks, regardless of the security protocols established by the individual wide area networks on which the computers reside.
SUMMARY OF THE INVENTION
The present invention provides a system and method for using a public network, such as the Internet, or e-mail systems to set policy for and to manage software on a plurality of client computers by sending packages of information between a Policy Orchestrator (“PO”) Server, which is under the control of a system administrator, and one or more of the client computers that contain software known as Policy Orchestrating Agents (“PO Agents”). The PO Server and the PO Agents communicate with each other over a public network, or e-mail, with the aid of a secure communication path known as an SPIPE. The SPIPE allows packages of information to be sent—in a secure manner—between the PO Server and the PO Agents residing on various client computers that are connected to a public network, such as the Internet, or have access to e-mail systems.
In the preferred embodiment, the PO Server resides on an HTTP server that preferably contains a software repository for storing software to be installed on the client computers. The PO Server may contain or be interfaced with a Lightweight Directory Access Protocol (“LDAP”) database. The LDAP database is used to store policies set by an administrator for the various client computers containing PO Agents. The policies for each client may be stored in separate files in the LDAP database. Preferably, each PO Agent is assigned a unique identifier and has a public/private encryption key pair. The public key for each PO Agent is provided to the PO Server. This gives the PO Agents the ability to digitally sign packages of information that they may generate before sending the packages to the PO Server. Because the PO Server has each PO Agent's public key, it can verify that a package came from an authorized PO Agent and has not been altered while en route to the PO Server. Likewise, the PO Server has a public/private encryption key pair and its public key is distributed to each PO Agent. Thus, the PO Server can also digitally sign packages of information before they are transmitted to a PO Agent, and the receiving PO Agent can confirm that a package came from an authorized and trusted PO Server and has not been altered while en route.
As part of a preferred protocol, each PO Agent periodically checks in with the PO Server. During this routine check-in procedure, the PO Agent sends to the PO Server a package containing, among other things, the current configuration of the client computer on which the PO Agent resides. Preferably, the package contains a header identifying the PO Agent that sent it, data or other information, which may be in the form of files, and a digital signature that was generated using the PO Agent's private key.
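The signed-package exchange described in the two preceding paragraphs (a check-in package signed with the PO Agent's private key and verified by the PO Server, and a policy package signed by the PO Server and verified by the PO Agent), as an added illustration in Go that is not part of the patent: Ed25519 is assumed as the signature scheme, the agent identifier and payloads are constructed sample values, and the SPIPE transport and LDAP storage are omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Package follows the patent's description: a header identifying the sender,
// a data payload, and a signature made with the sender's private key.
type Package struct {
	Header    string // sender identifier (agent id or "po-server")
	Data      []byte // e.g. client configuration or a policy file
	Signature []byte
}

// signedBytes is what the signature covers; the header is length-prefixed.
func signedBytes(header string, data []byte) []byte {
	msg := []byte(fmt.Sprintf("%d:%s:", len(header), header))
	return append(msg, data...)
}

// Sign builds a package signed with the sender's private key.
func Sign(header string, data []byte, priv ed25519.PrivateKey) Package {
	return Package{Header: header, Data: data,
		Signature: ed25519.Sign(priv, signedBytes(header, data))}
}

// Verify checks a package against the public key held for the sender named
// in its header; unknown senders and altered packages are rejected.
func Verify(p Package, keys map[string]ed25519.PublicKey) bool {
	pub, ok := keys[p.Header]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedBytes(p.Header, p.Data), p.Signature)
}

func main() {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	agentPub, agentPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Each side holds the other's public key (assumed exchanged out of band).
	serverKnows := map[string]ed25519.PublicKey{"agent-0001": agentPub}
	agentKnows := map[string]ed25519.PublicKey{"po-server": serverPub}
	checkin := Sign("agent-0001", []byte("av-engine=4.0.2"), agentPriv)
	fmt.Println("check-in accepted:", Verify(checkin, serverKnows))
	checkin.Data = []byte("av-engine=9.9.9") // constructed tampering in transit
	fmt.Println("altered check-in accepted:", Verify(checkin, serverKnows))
	policy := Sign("po-server", []byte("scan-interval=24h"), serverPriv)
	fmt.Println("policy accepted by agent:", Verify(policy, agentKnows))
}
```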
In general, the packages are capable of containing various types of robust data, including—but not limited to—policies set by a system administrator, such as configurat
Kouznetsov Victor
Melchione Dan
Shetty Satish
Etienne Ario
Hamaty Christopher J.
Networks Associates Technology Inc.
Osman Ramy
Silicon Valley IP Group PC