Public network access server having a user-configurable...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S150000, C713S151000, C713S152000, C713S153000, C713S154000, C713S152000, C709S221000, C709S229000

active

06832321

ABSTRACT:

TECHNICAL FIELD
This application relates to a public network access server having a user-configurable firewall.
BACKGROUND
The computer system 100 illustrated in FIG. 1 represents a typical hardware setup for executing software that allows a user to perform tasks such as communicating with other computer users, accessing various computer resources, and viewing, creating, or otherwise manipulating electronic content—that is, any combination of text, images, movies, music or other sounds, animations, 3D virtual worlds, and links to other objects. The system includes various input/output (I/O) devices (mouse 103, keyboard 105, display 107) and a general purpose computer 100 having a central processor unit (CPU) 121, an I/O unit 117 and a memory 109 that stores data and various programs such as an operating system 111, and one or more application programs 113. The computer system 100 also typically includes some sort of communications card or device 123 (e.g., a modem or network adapter) for exchanging data with a network 127 via a communications link 125 (e.g., a telephone line).
As shown in FIG. 2, a user of a computer system 129 can access a public network 131 (e.g., the Internet) via an access server 133 (such as an Internet service provider or “ISP”). Among other things, this enables computer system 129 to send and receive data from other computers (not shown in FIG. 2) that are connected to the public network 131 (referred to as “outside” computers). For example, one of the outside computers can act as a host of a web site from which the computer system 129 can view web pages using a “browser” program (e.g., an Internet browser such as Netscape Communicator version 4.7, which is commercially available from Netscape Communications Corporation of Mountain View, Calif.) running on the computer system 129.
By connecting to a public network 131 such as the Internet, however, the computer system 129 can become vulnerable to attacks from outsiders (sometimes referred to as “hackers” or “crackers”) who use the public network 131 to attempt to gain unauthorized access to computers connected thereto. After gaining unauthorized access to a computer system 129, such outsiders often view, copy, alter, delete, and/or redistribute data and programs that reside on the computer system 129.
The threat to users who access the Internet using dial-up modem connections (referred to as “dial-up connections”) over conventional plain old telephone service (POTS) lines typically has been relatively low. A user employing such a dial-up connection typically is assigned a temporary “IP address.” An IP (Internet Protocol) address is a worldwide unique identifier that identifies a particular computer or other network device on the Internet. For example, as shown in FIG. 3, a user can access the Internet 141 via a modem 143 connected to a computer 145 by dialing into an access server 147 using a POTS line. The access server 147 includes a terminal server 149 having multiple “ports.” Several dial-up modems (not shown in FIG. 3) are connected to the ports of the terminal server 149 in order to receive data transmitted by the user's modem 143. The terminal server 149 is connected to a dial-up host computer 151 (e.g., a computer workstation running a variant of the UNIX operating system). The dial-up host computer 151 is connected to the Internet 141, typically via a high-speed connection 153 (e.g., a T1 connection). The access server 147 and the high-speed connection 153 typically are maintained by an ISP.
A different temporary IP address is typically assigned to the user's computer 145 each time the user dials into the access server 147. The IP address that is assigned to the user's computer 145 is temporary since the user typically disconnects the computer 145 from the access server 147 when the user is not accessing the Internet. This allows the ISP to re-use the IP address previously assigned to the user's computer 145 as the temporary IP address of another computer that subsequently dials into the access server 147.
Because the IP address of the user's computer 145 may change each time the user dials into the access server 147, it is difficult for an outsider successfully to use hacking techniques that require knowledge of the IP address of the user's computer. For example, one cannot telnet into a user's computer 145 without knowing the computer's IP address.
Recently, high-speed alternatives to conventional dial-up Internet connections have become increasingly popular. These high-speed alternatives include digital subscriber lines (“DSL”) and cable modem connections, which typically allow users to use their telephone lines for voice transmissions simultaneously with data connections. As a result, many users of these new high-speed connections do not disconnect their computers from the Internet when they are not actively accessing the Internet. Remaining persistently connected in this manner enables users to avoid the overhead (delay and effort) associated with reconnecting to the Internet that they otherwise would encounter each time they accessed the Internet. As a result, many Internet service providers are assigning fixed (i.e., non-temporary) IP addresses to computers that make use of such high-speed “always connected” Internet connections. However, because the use of permanent IP addresses facilitates certain hacking techniques, the security advantages associated with the use of temporary IP addresses are lost when fixed IP addresses are used.
One way in which enterprises such as businesses and educational institutions have protected their networks and computers (which typically are assigned fixed IP addresses) is to employ a “firewall.” A firewall is a system for controlling access to the enterprise's network and/or computers (referred to as the “internal” network and computers) by other computers (referred to as “outside” computers) that attempt to access the internal networks and computers through a public network. The purpose of a firewall is to allow network elements to be attached to, and thereby access, a public network without rendering the network elements susceptible to unauthorized access from the public network. A successful firewall allows the network elements (e.g., routers, computers, servers, etc.) to communicate with the public network elements without rendering the network elements susceptible to attack or unauthorized inquiry over the public network. Such firewalls use known techniques such as “packet filtering” and “application gateways” for determining which data packets to forward to the inside networks and computers.
Firewalls that are employed to protect networks and computers used in business and educational settings typically implement a security policy that determines how each internal user of the firewall-protected network can access the public network. Typically, these security policies implement a “one-size-fits-all” approach in which all users of a certain type are assigned the same access rights to the public network. A one-size-fits-all approach often is desirable in such institutional settings since such an approach is generally simpler to implement, maintain, and audit and such institutions are generally in a position to impose such an approach on users of their networks and computers.
Most Internet service providers, however, traditionally have not employed firewalls to protect their users' computers from attacks originating from the Internet. Users who access the Internet via dial-up connections typically do not need such security measures due to the security advantages associated with the use of temporary IP addresses. Moreover, most ISPs do not wish to, and/or are not in a position to, impose on their users a one-size-fits-all security policy of the type conventionally associated with the use of firewalls. Instead, ISPs have typically left it up to their users to implement some type of firewall on t
