EP2347367A1 - Platform for a computer network - Google Patents

Platform for a computer network

Info

Publication number
EP2347367A1
EP2347367A1 EP09747895A EP09747895A EP2347367A1 EP 2347367 A1 EP2347367 A1 EP 2347367A1 EP 09747895 A EP09747895 A EP 09747895A EP 09747895 A EP09747895 A EP 09747895A EP 2347367 A1 EP2347367 A1 EP 2347367A1
Authority
EP
European Patent Office
Prior art keywords
application
information system
data
computer network
users
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP09747895A
Other languages
English (en)
French (fr)
Inventor
Vincent Garnier
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6272: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database by registering files or documents with a third party

Definitions

  • the present invention relates to a computer network platform whose infrastructure comprises an information system comprising servers and databases, most of which are unstructured, transiting through this network, as well as terminals from which users create, modify or consult the centralized data of this information system.
  • Each information system document is identified by its file name and transits into the network and is stored in the same information system as data.
  • data is a representation of information in a conventional form intended to facilitate its processing.
  • the Internet: an international communication network between different entities that are generally distant, such as computers, cameras, printers and servers, which uses a communication protocol as a language to communicate,
  • the intranet: an internal network of a company, which operates on the technological model of the Internet, and the extranet: a restricted-access zone of an intranet that is accessible from outside the company provided that the user has an identifier and a password.
  • In addition, currently available tools such as proxies, firewalls or encryption technologies, which are theoretically designed to address these contingencies and are supposed to effectively secure access to the information system data exchanged between users, represent a significant investment cost in data security for a company or an individual without offering effective protection. Indeed, these tools do not ensure a physical rupture of the communication protocol between the database and the users.
  • the main task of a firewall is to control traffic between different trusted zones by filtering the data flows that pass through it. It operates according to rules pre-established by the network administrator.
  • a proxy relays requests between a client and a server. Specifically, the user identifies himself using an identifier and a password; then, according to rules also determined in advance by the network administrator alone, the user does or does not pass a firewall that filters communications according to the port used.
  • the ports can be likened to doors associated with a service or a network application, giving or denying access to the operating system of the client machine in a client/server model, that is to say giving or denying access to the users' terminals and at the same time to the data they contain. Each port is assigned a number coded on 16 bits, which explains why there is a maximum of 65,536 ports (2^16) per computer.
  • encryption technologies only encode the information according to a pre-established algorithm, so it is enough to appropriate the algorithm to decode the information.
  • the present invention adopts a new vision of the computer network which, instead of being based on the user's workstation and controlling its actions by the assignment of rights, is based on access to data grouped within a central information system, which makes it much easier to protect.
  • a single document is created by a user who places it in the centralized information system. It then assigns usage rights on this document to other users.
  • the object of the present invention is to propose a solution that overcomes these drawbacks without affecting the quality of service.
  • the present invention essentially relates to a computer network platform for managing and sharing mostly unstructured data transiting through this network, whose infrastructure includes an information system comprising one or more databases and/or data servers, as well as terminals from which users create, modify or consult the data of the information system, characterized in that the information system comprises unique data intended to be shared, and is isolated from the user terminals by an application that manages the accessibility of the said information system and/or the securing of the unique data it contains by physically breaking the network protocol used for communication between the information system and the user terminals.
  • This computer network platform enables the centralization of unique data, especially the unstructured data of a company that usually occupies a large space on enterprise servers due to their scattering and duplication.
  • Unique data means data that has not been previously duplicated and that is present in the information system, for example in the form of a single document.
  • the data security policy is here based on the data itself and not only on their transfer through one or more computer networks.
  • This computer network platform also allows secure and easy access to these data by disregarding a three-dimensional architecture formed by the three existing network models and reframing all the security around the data.
  • the application could be described as a "dynamic proxy" because it does not have pre-established security rules but on the contrary has security rules established on demand for each document contained in the information system. This leads to a simplification of the architectures thanks to this application interposed between the database of the information system and the terminals of the users wanting to have access to it.
  • the communication network uses the TCP/IP protocol suite, that is to say that it is based on TCP ("Transmission Control Protocol") and on IP ("Internet Protocol"). It is clear that the invention is not limited to these particular types of communication protocols.
  • the physical break of the network protocol is managed by the application, which controls two independent and physically separate sub-applications, one for each of the network connections: concretely, the so-called inner sub-application (I) is in permanent relationship with the internal network of the information system, and the so-called external sub-application (E) is in permanent relationship with the external network to which all the users' terminals are connected.
  • the passage of data between the two sub-applications that is managed by the application uses the on-the-fly rewrite or parsing technique.
  • the editing of the documents contained in the information system is independent of the software or programs installed on the users' terminals.
  • This makes the platform independent of the workstation software, for greater user efficiency, and in particular allows users who have different software on their workstations, whose formats are not usually compatible with each other, to work on the same document with a different file format on each of their machines.
  • the platform frees itself from the content of the workstation of the user terminals.
  • the user terminals are only used for their graphical interface and computing capacity, the unique data being stored only in the information system.
  • the information system does not contain a workstation.
  • Access to the database of the information system is therefore only through the application, direct access is not possible.
  • the application is also the only way to directly access the unique data stored in the information system.
  • This unique data generates a single document.
  • the application is therefore the only one able to manage the contents of the information system.
  • the guardian identifies each user: he asks them for the key to the safe in the vault to which they have a right of access, identifies the rights of the user according to the color of the key given to him, and checks (by antivirus), if necessary, the documents brought by a user that are intended to go into a safe in the vault. This key can be returned to him in the case of a safe rental, by analogy with a space allocation in the information system.
  • the guard (application) is the only one to enter the vault (information system), he then takes the key of the user and goes to find the contents of the corresponding safe that is in the vault.
  • the guard (application) can only open the safes (files) for which the customer has the key (rights), and only those.
  • the guard (application) then returns the contents of the safes (files) to the user. Depending on the color of the key that has been given to him, the guardian assigns a right to modify the document or only to consult it. Once the task of the user is complete, the guard (application) takes the document, which he rechecks (by antivirus) before putting it back into its respective safe inside the vault. The user then leaves the bank with his key, and this key can be withdrawn at any time by the user who gave it to him. At no time could the user have direct access to the documents inside the safes in the vault.
  • the protocols and / or services provided by the application are independent of the type of use, such as roaming, mobile, from a fixed station or in public spaces.
  • the platform can support all kinds of computer network techniques, such as for example Wi-Fi™ or 3G. It is understood that these examples are cited here as non-exhaustive and that the use of any other network technique is perfectly conceivable.
  • the application uses only ports that are opened by default by the operating system installed on the terminals, preferably only ports 80 for HTTP (HyperText Transfer Protocol),
  • Locator of the application.
  • the implementation of the application is greatly simplified since it is sufficient to open these three ports on all terminals to be able to communicate with the application. It should be noted that these three ports are by default open regardless of the operating system used on the workstation user terminals, so users can easily communicate with the application while having other open ports necessary for other local applications.
  • the information system contains at least one unique document whose viewing rights and / or access and / or modification for / by each user are given by the user who created the document.
  • the application manages a temporary storage space, preferably FTP, created in the sub-application (E) when a data transfer from a terminal to the application is ordered and/or when data is created directly from the application, and cleared as soon as the data has reached the information system.
  • This temporary storage space can advantageously consist of an FTP (File Transfer Protocol) cache, capable of storing large volumes of information, the application then taking the information contained in this FTP cache to deposit it in the information system by rewriting it on the fly. The information is then accessible only from the application. It is thus protected from the rest of the network.
  • FTP: File Transfer Protocol
  • the temporary storage space is monitored by at least one antivirus, but preferably two. This reduces the chances of infection of the database in the information system. This check is carried out systematically when a contributor sends data to the temporary storage space of the application, but of course this does not prevent users from checking the data on their workstation with their own antivirus.
  • the application comprises a graphical interface.
  • This interface replaces the operating system, is user-friendly, simple and intuitive and does not require any special training for the user.
  • the graphical interface of the platform application is in the form of a universal secure data sharing solution with a preferably multilingual workspace and accessible from any of the terminals of the users distributed around the world and connected to the application.
  • the graphical interface is multilingual for easier access from anywhere in the world, and it is multi-server, multi-base, multi-site and multi-address book to facilitate the assignment of rights.
  • This platform is therefore universal and easily accessible to all potential users.
  • an internet browser acts as operating system for the graphical interface.
  • the present invention also relates to an assembly comprising a plurality of platforms that can be interconnected with one another and that have an infrastructure as described above.
  • FIG. 1 shows the block diagram of the platform.
  • Figure 2 shows an example of application of this platform.
  • the users 6 can indifferently connect to the application 3 from the web 4 (World Wide Web) or from the corporate intranet 5 that has an Internet connection using the TCP / IP protocol suite.
  • Each of the workstations 8 of these two networks is open on the ports 80, 443 and 21.
  • These workstations 8 are connected via the Internet and its suite of TCP / IP protocols to application 3 and in particular to the external subapplication (E) which comprises a network card 9 enabling it to communicate with the user.
  • (E): external sub-application
  • an FTP cache 11 for temporarily storing data that can occupy a large volume
  • the universal sharing solution serving as a graphical interface 10 of the application 3.
  • the external sub-application (E) is physically separated from the inner sub-application (I) by a break 12 of the TCP / IP protocol suite.
  • the inner sub-application (I) comprises one or more network cards 13 which enable it to communicate according to the TCP/IP protocol suite with all the storage resources 14 of the information system 2 via their respective network cards.
  • the information system 2 thus contains all the storage resources 14 of the information system 2; these include databases (DATA), and / or local servers that are unitary or grouped together in a computer clean room. However, it does not contain a workstation.
  • DATA: databases
  • We now consider the concrete case illustrated in Figure 2, where a contributor working from a design office 15 in France wants to create a document 20 but above all wants to share it with his collaborators 16 in China, without it being scattered across a multitude of files and on condition that they can modify it; the various modifications appear in a single final document 20 contained in the information system 2 managed by the same application 3.
  • the contributor 6 has several possibilities: the French contributor connects to the application 3 of the company from the address bar of his Internet browser by entering the address specific to the hosting server of his company or of any other hosting server 17, 18 through which he wants to share documents, such as for example the hosting server of the Chinese employees; the French contributor connects to the application 3 through a hypertext link that his company sent to his mailbox, if it has activated the service; the French contributor has been created as a contact in the address book of another user 6, and the contributor wishing to share a document then receives an electronic message informing him of this creation as well as a direct link to the application 3 to which he has been assigned.
  • the contributor accesses the homepage of the graphical interface 10 of the application 3, which offers him the universal solution for sharing the information of the document.
  • the administrator of each application can also define the contexts of the application (graphic charts, layouts, page contents, translations, ). The contributor then has the possibility to change the language of the text of the graphical interface 10. In order to access the services of the application
  • the next step is to share this document: the contributor assigns the rights of use of this document 20 to other users 6 listed in his address book, such as the Chinese collaborators, whom he will have created or imported in this same address book. He can then assign editing rights to some users, while assigning only viewing rights to others.
  • the publication consists in transferring, by parsing, the information created in the FTP cache 11 from the sub-application (E) to a storage area of the information system 2 via the network card 13 of the sub-application (I).
  • This arrangement ensures the physical break 12 of the TCP / IP protocol suite 7 between the information system 2 and the various user terminals 8.
  • the application 3 takes the information from (E) to deposit it in (I)
  • the information becomes "dead” and not accessible outside the application 3
  • the FTP cache 11 is also cleaned by the user.
  • application 3 at the time when the application 3 takes the data from (E) to deposit it in (I).
  • the French contributor can then disconnect from the application 3. It should be noted that a published document is visible only by the users 6 who have been authorized by the creator of the document 20.
  • the Chinese users log in from their workstation 8 to the enterprise application 3 in one of the same ways as for the contributor.
  • the user 6 then logs on to his account using an identifier and a password assigned to him by the administrator of this application 3 of the company. Once logged in each user 6 sees the documents for which rights have been given to him and only those.
  • the rights for each file appearing in one of these three forms are color-coded to immediately indicate the user's rights to a file.
  • Five distinct colors are preferably used to identify the different types of files that are hierarchically ranked in descending order of power on the file:
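
The mediation flow described in the items above (an external sub-application with a temporary cache, transfer by parsing into the inner sub-application, and rights assigned per document by its creator), as an added Python example that is not part of the patent text. The class names, the JSON document format, the field list and the scanner callables are assumptions made for illustration.

```python
import json

VIEW, EDIT = "view", "edit"  # assumed names for the consult / modify rights


class AccessDenied(Exception):
    """The request is not covered by a right granted by the creator."""


class InnerSubApp:
    """(I): the only component that holds the document store."""

    FIELDS = ("title", "body")  # assumed document schema

    def __init__(self):
        self._store = {}  # doc_id -> {"owner", "data", "rights"}

    def deposit(self, doc_id, owner, parsed):
        # Rewrite step: rebuild the record from known fields only, so no
        # client bytes or unexpected keys are stored as received.
        data = {k: str(parsed.get(k, "")) for k in self.FIELDS}
        self._store[doc_id] = {"owner": owner, "data": data, "rights": {owner: EDIT}}

    def set_right(self, doc_id, actor, user, right):
        doc = self._store[doc_id]
        if actor != doc["owner"] or user == actor:
            raise AccessDenied("only the creator assigns rights, and only to others")
        if right not in (VIEW, EDIT, None):  # None withdraws the key
            raise ValueError(right)
        doc["rights"].pop(user, None)
        if right:
            doc["rights"][user] = right

    def visible_to(self, user):
        return sorted(d for d, doc in self._store.items() if user in doc["rights"])

    def read(self, doc_id, user):
        doc = self._store.get(doc_id)
        if doc is None or user not in doc["rights"]:
            raise AccessDenied("no right on this document")
        return dict(doc["data"])

    def edit(self, doc_id, user, body):
        doc = self._store.get(doc_id)
        if doc is None or doc["rights"].get(user) != EDIT:
            raise AccessDenied("edit right required")
        doc["data"]["body"] = str(body)


class ExternalSubApp:
    """(E): faces the user terminals and keeps uploads in a temporary cache."""

    def __init__(self, inner, scanners):
        self._inner = inner
        self._scanners = scanners  # callables bytes -> bool, stand-ins for antivirus
        self.cache = {}

    def upload(self, doc_id, user, raw):
        self.cache[doc_id] = (user, raw)

    def publish(self, doc_id):
        # Choice made in this example: the cache entry is removed on rejection too.
        user, raw = self.cache.pop(doc_id)
        if not all(scan(raw) for scan in self._scanners):
            return False
        try:
            parsed = json.loads(raw.decode("utf-8"))
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            return False
        if not isinstance(parsed, dict):
            return False
        self._inner.deposit(doc_id, user, parsed)
        return True


def demo():
    """Constructed scenario: a creator publishes, then shares with two users."""
    inner = InnerSubApp()
    ext = ExternalSubApp(inner, [lambda raw: b"TEST-MALWARE-MARKER" not in raw])
    ext.upload("doc20", "creator", b'{"title": "Plan", "body": "v1", "macro": "x"}')
    published = ext.publish("doc20")
    inner.set_right("doc20", "creator", "editor", EDIT)
    inner.set_right("doc20", "creator", "viewer", VIEW)
    return inner, ext, published
```

In this model the unknown `macro` key of the constructed upload never reaches the store, and a user with no entry in a document's rights can neither list nor read it.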

EP09747895A 2008-09-26 2009-09-22 Plattform für ein computernetzwerk Ceased EP2347367A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0805305A FR2936628B1 (fr) 2008-09-26 2008-09-26 Plate-forme de reseau informatique
PCT/FR2009/051779 WO2010034928A1 (fr) 2008-09-26 2009-09-22 Plate-forme de reseau informatique

Publications (1)

Publication Number Publication Date
EP2347367A1 true EP2347367A1 (de) 2011-07-27

Family

ID=40565330

Family Applications (1)

Application Number Title Priority Date Filing Date
EP09747895A Ceased EP2347367A1 (de) 2008-09-26 2009-09-22 Plattform für ein computernetzwerk

Country Status (4)

Country Link
US (1) US20110321163A1 (de)
EP (1) EP2347367A1 (de)
FR (1) FR2936628B1 (de)
WO (1) WO2010034928A1 (de)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130086467A1 (en) * 2011-10-03 2013-04-04 Google Inc. System for sending a file for viewing on a mobile device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005085971A1 (en) * 2004-03-01 2005-09-15 Qinetiq Limited Threat mitigation in computer networks

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4558413A (en) * 1983-11-21 1985-12-10 Xerox Corporation Software version management system
GB2272312A (en) * 1992-11-10 1994-05-11 Ibm Collaborative working in a network.
AU6161594A (en) * 1993-02-26 1994-09-14 Taligent, Inc. Collaborative work system
EP0622930A3 (de) * 1993-03-19 1996-06-05 At & T Global Inf Solution Teilung der Anwendungen für Rechneranordnung mit Zusammenarbeit.
US6204847B1 (en) * 1995-07-17 2001-03-20 Daniel W. Wright Shared virtual desktop collaborative application system
US6233600B1 (en) * 1997-07-15 2001-05-15 Eroom Technology, Inc. Method and system for providing a networked collaborative work environment
US6584466B1 (en) * 1999-04-07 2003-06-24 Critical Path, Inc. Internet document management system and methods
WO2001052473A1 (en) * 2000-01-14 2001-07-19 Critical Path, Inc. Secure management of electronic documents in a networked environment
JP2002007233A (ja) * 2000-06-16 2002-01-11 Ionos:Kk 通信路のスイッチ接続制御装置
US20020147607A1 (en) * 2001-02-14 2002-10-10 Sarvajit Thakur Automated INS application filing system
US20040229199A1 (en) * 2003-04-16 2004-11-18 Measured Progress, Inc. Computer-based standardized test administration, scoring and analysis system
US20060010323A1 (en) * 2004-07-07 2006-01-12 Xerox Corporation Method for a repository to provide access to a document, and a repository arranged in accordance with the same method
US20060075391A1 (en) * 2004-10-05 2006-04-06 Esmonde Laurence G Jr Distributed scenario generation
US20060101028A1 (en) * 2004-10-21 2006-05-11 Banks Lanette E Method and apparatus for efficient electronic document management
US20060184784A1 (en) * 2005-02-16 2006-08-17 Yosi Shani Method for secure transference of data
US8868628B2 (en) * 2005-12-19 2014-10-21 International Business Machines Corporation Sharing computer data among computers
US20070255861A1 (en) * 2006-04-27 2007-11-01 Kain Michael T System and method for providing dynamic network firewall with default deny
US20090313113A1 (en) * 2008-06-13 2009-12-17 Dye Thomas A Business method and process for commercial establishments to advertise directly into proprietary closed circuit networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of WO2010034928A1 *

Also Published As

Publication number Publication date
WO2010034928A1 (fr) 2010-04-01
FR2936628A1 (fr) 2010-04-02
FR2936628B1 (fr) 2011-04-01
US20110321163A1 (en) 2011-12-29

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20110321

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

AX Request for extension of the european patent

Extension state: AL BA RS

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20121214

REG Reference to a national code

Ref country code: DE

Ref legal event code: R003

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20141120

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: G06F0021240000

Ipc: G06F0021000000

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: G06F0021240000

Ipc: G06F0021000000

Effective date: 20150504