GB2432276A - Connecting to the internet - Google Patents

Connecting to the internet

Info

Publication number
GB2432276A
Authority
GB
United Kingdom
Prior art keywords
internet
computer system
user
connection
router
Prior art date
Legal status
Granted
Application number
GB0523101A
Other versions
GB2432276B (en)
GB0523101D0 (en)
Inventor
Stephen Mark Burns
Current Assignee
EDUCENTRIC Ltd
Original Assignee
EDUCENTRIC Ltd
Priority date
Filing date
Publication date
Application filed by EDUCENTRIC Ltd
Priority to GB0523101A
Publication of GB0523101D0
Publication of GB2432276A
Application granted
Publication of GB2432276B
Current legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/95 Retrieval from the web
    • G06F 16/953 Querying, e.g. by the use of web search engines
    • G06F 16/9535 Search customisation based on user profiles and personalisation
    • G06F 17/30867
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2854 Wide area networks, e.g. public data networks
    • H04L 12/2856 Access arrangements, e.g. Internet access
    • H04L 12/2869 Operational details of access network equipments
    • H04L 12/2898 Subscriber equipments
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 29/06823
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

A router arrangement 50 and method for enabling a user on a first computer system 20 to connect to the internet. A router arrangement 50 is configured to receive a first wide area network (WAN) connection 240 from a first computer system 20, form a second WAN connection 260 with a second computer system 40 configured to allow restricted access to the internet, and route internet traffic from the first computer system 20 through the second computer system 40 over the first 240 and second 260 WAN connections so that the user has restricted access to the internet. Enables children to access the Internet via their school's computer system, which will typically have up-to-date content filtering and monitoring software. A firewall may be used to protect the system from unauthorised traffic.

Description

<p>CONNECTING TO THE INTERNET</p>
<p>Field of the Invention</p>
<p>The present invention relates to an apparatus and method for connecting to the internet.</p>
<p>Background of the Invention</p>
<p>Home computers are widely used to connect to the internet. The most commonly used method of connection is by using a telephone modem, an ADSL modem or a cable modem to connect the home computer to an internet service provider (ISP). In order to make this connection, the home user typically uses a user name and password to gain access to the services provided by the ISP. A copy of the user name and password is usually stored on the home computer itself after they are entered for the first time. This allows convenient connection without having to supply the user name and password each time the user wishes to connect to the internet. Once connected, the user may have unrestricted access to the internet including email and any available web page or news group service.</p>
<p>Recently, the internet has become a very popular resource amongst all age groups in the community. It is now common for young children to have access to the internet.</p>
<p>Unfortunately, the nature of the internet is that it contains many resources not suitable for all age groups.</p>
<p>For instance, a large number of web sites contain violent or sexually explicit material that may not be suitable for children. Without the supervision of a responsible adult, children may be deliberately or inadvertently exposed to such material. However, it is not always possible to enforce such supervision and so automated systems are required to restrict access to such material, especially for children.</p>
<p>Access to web sites may be restricted to those contained on a "white" list of sites. This list contains all of the sites that are available to a particular computer system. All other sites are not available and may be blocked. Such a system is very restrictive as there may be new web sites that are suitable for viewing, but are not contained on the white list. In this case, access will be denied to such potentially useful web sites. Alternatively, a "black" list of sites may be held which contains the names and location of unsuitable web sites. Again, new websites may be created that contain unsuitable material not contained on the black list which will, nevertheless, become available to the user.</p>
<p>Any list based system may involve storing the lists on the local computer system within the home, or the lists may be held on a central server within the ISP system. Any list will require monitoring or updating to keep it current. User-based lists will allow individual customisation but will involve duplication of effort amongst users, as each user will need to maintain a separate list.</p>
<p>Where the lists are held centrally on the ISP server, this may lead to a conflict amongst users over what is suitable for particular groups of people and what is unsuitable. Such preferences may also be along cultural or religious lines, for example.</p>
<p>A further limitation of list based systems is that one home computer system may be used by several members of a particular family including young children and adults. The restrictions placed on access, therefore, may not meet everybody's requirements with regards to suitability.</p>
<p>Furthermore, controls are highly desirable to prevent children having uncontrolled and unmonitored access to interactive internet communication tools such as forums, instant messaging, VoIP internet telephony and internet video conferencing, since, being uncontrolled, these tools expose children to the risk of grooming by paedophiles.</p>
<p>Additionally, schools are being equipped with online learning management systems and curriculum content that children have access to in the school. It is also desirable to enable children to access these systems and content from home, for example when doing homework, and also to store and retrieve their work stored on school file servers.</p>
<p>There is a need to provide a service such that children at home can access online systems within their schools and receive the same filtering and monitoring controls as they are subject to when physically in school. Furthermore, it is desirable to provide a similar range of applications to any organisation that wishes to provide home internet access for its employees, contractors and partners, enforcing a particular connection path based on user identity.</p>
<p>For example a company may pay for employee home internet access but enforce the same Internet acceptable use policy operating for those employees whether they are using the company network directly from a company office or from the company provided home connection.</p>
<p>It is therefore, desirable to provide a method and apparatus for connecting to the internet that enables suitable access restrictions to be placed on each individual user without unnecessarily restricting any particular user or exposing any particular user to unsuitable material.</p>
<p>Summary of the Invention</p>
<p>Against this background, there is provided, according to a preferred embodiment of the present invention, a router arrangement for enabling a user on a first computer system to connect to the internet, wherein the router arrangement is configured to: (a) receive a first wide area network (WAN) connection from the first computer system; (b) form a second WAN connection with a second computer system configured to allow restricted access to the internet; and (c) route internet traffic from the first computer system through the second computer system over the first and second WAN connections so that the user has restricted access to the internet. The advantage of this is that a user may be protected from unsuitable web sites and other areas on the internet when using their home computer and be afforded the same protection as if they were using a computer within their school or other organisation.</p>
<p>Optionally, the router arrangement may be further configured to: (d) ascertain a user parameter, (e) form a connection between the first computer system and the internet, or route internet traffic from the first computer system through the second computer system over the first and second WAN connections so that the user has restricted access to the internet, depending on the ascertained user parameter. This allows different users to have different access privileges. For example, adults and parents may be allowed unrestricted access to the internet and so their internet traffic does not need to be passed through the school, whereas pupils and other children may always have their internet traffic directed through the school system.</p>
<p>The user parameter may include a user identifier such as a user name and password, user type, such as pupil or adult, and whether or not the user is entitled to perform particular types of actions such as enter chat rooms, play online games, enter secure sites and make credit or debit card payments over the internet, for example. More than one user parameter may be ascertained.</p>
<p>Preferably, the first WAN connection is formed using a first internet service provider (ISP). This is a convenient way of gaining access to the system without requiring dedicated telephone lines.</p>
<p>Preferably, the second WAN connection is formed using a second ISP. Such a second ISP may be the ISP already used by a school or local education authority (LEA).</p>
<p>Alternatively, the second ISP may be the same as the first ISP.</p>
<p>Optionally, the router arrangement further comprises a second router configured to connect the second computer system with the second ISP. This may be the router already used by a school to connect to the internet.</p>
<p>Advantageously, the second computer system is configured to restrict access to the internet using a list of internet addresses. This may be by use of white and/or black lists of internet sites. Where the same internet site appears on both lists, one of the lists takes priority. The priority list will usually be the white list but may be the black list.</p>
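<p>As an added worked example, not part of the patent or its drawings, the list logic of the preceding paragraph in Python: a filter holding a white list and a black list, a configurable priority for a site that appears on both, and a choice between white-list mode (unlisted sites blocked, the restrictive scheme of the background section) and black-list mode (unlisted sites allowed). The filter compares the parsed hostname only, so a URL whose userinfo part names an allowed site cannot smuggle a request to a blocked one. The class and function names, the hostname format of list entries and the sample lists in school_filter are assumptions for the example.</p>

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Priority(Enum):
    """Which list wins for a site that appears on both lists."""
    WHITE = "white"
    BLACK = "black"


@dataclass
class SiteListFilter:
    """White/black list filter of the kind the school system or VPN core applies.

    Entries are hostnames (assumed format). An entry matches that host and
    every host beneath it, so "example.org" also covers "www.example.org".
    Only the parsed hostname is compared, never the raw URL, so
    "http://allowed.example.org@blocked.example/" is judged on
    "blocked.example": the text before "@" is userinfo, not the host.
    """
    white: set = field(default_factory=set)
    black: set = field(default_factory=set)
    priority: Priority = Priority.WHITE
    # False: white-list mode, unlisted sites are blocked.
    # True: black-list mode, unlisted sites are allowed.
    allow_unlisted: bool = False

    def __post_init__(self) -> None:
        # Normalise entries once so matching is case- and trailing-dot-insensitive.
        self.white = {e.lower().strip(".") for e in self.white}
        self.black = {e.lower().strip(".") for e in self.black}

    @staticmethod
    def _hostname(url: str) -> str:
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:          # e.g. a malformed IPv6 literal
            return ""
        return host.lower().rstrip(".")

    @staticmethod
    def _listed(host: str, entries: set) -> bool:
        # Check the host itself and each parent domain against the list.
        labels = host.split(".")
        return any(".".join(labels[i:]) in entries for i in range(len(labels)))

    def decide(self, url: str) -> bool:
        """True if the request may proceed, False if it must be blocked."""
        host = self._hostname(url)
        if not host:
            return False            # no usable hostname: block
        on_white = self._listed(host, self.white)
        on_black = self._listed(host, self.black)
        if on_white and on_black:   # identical entry on both lists: apply the priority
            return self.priority is Priority.WHITE
        if on_black:
            return False
        if on_white:
            return True
        return self.allow_unlisted


def school_filter(priority: Priority = Priority.WHITE) -> SiteListFilter:
    """Constructed sample lists for the example; not any real school's lists."""
    return SiteListFilter(
        white={"example.org", "example.com"},
        black={"example.org", "chat.example.net"},   # example.org is on both
        priority=priority,
    )
```

<p>With the default white-list priority, school_filter() allows www.example.org even though example.org is also black-listed; with Priority.BLACK the same request is blocked. Because a list entry covers every host beneath it, a black-list entry for a subdomain does not override a white-listed parent under white priority; a deployment that wants the more specific entry to win needs a different tie-break from the one the patent describes.</p>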
<p>Optionally, the router arrangement may further comprise a first firewall protecting the router arrangement over the first WAN connection. This firewall will protect the router arrangement from undesirable internet traffic.</p>
<p>Preferably, the router arrangement further comprises a second firewall protecting the router arrangement over the second WAN connection.</p>
<p>Advantageously, the user is one of a pupil and a parent, and the second computer system is located within a school. Schools will be careful to monitor available internet sites. In this way pupils and parents may make use of the carefully monitored and protected internet connection when they use their own home computers.</p>
<p>Optionally, the first firewall may be configured to allow access to predetermined external systems. This allows parents and adults access to their own virtual private network (VPN) systems such as company VPNs and other allowed external systems. The IP address of these systems may be added to the firewall's list or specific predetermined system types may be allowed by default.</p>
<p>Preferably, the second computer system of the router arrangement further comprises: a first computer; a first router; a third firewall associated with the first router for protecting the second computer system over the second WAN connection; and a second router in communication with the first computer. This allows the second computer system of a school, for example, to provide authorised home users with access to its own computer system and internet filtering capabilities and still be protected by a firewall.</p>
<p>The third firewall may be configured to allow access only to traffic from the router arrangement. This may be by means of an IP address list, for example. The resources available from the school system may be educational material or ongoing student work.</p>
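<p>The two firewall policies described above, as an added Python example that is not part of the patent: the first firewall on the home side admits only traffic to the VPN core and to pre-approved external VPN systems, and the school-side firewall accepts traffic only from the router arrangement's IP address list. Both are expressed as a first-match rule table with an implicit deny and evaluated against constructed addresses from the RFC 5737 documentation ranges. Every address, the VPN protocols and ports assumed (IKE on UDP 500 and 4500, ESP, HTTPS for the browser logon) and the rule names are assumptions; the description gives none of them.</p>

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR prefix, e.g. "192.0.2.0/24"
    dst: str
    proto: str = "any"           # "tcp", "udp", "esp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src, dst, proto: str, dport: Optional[int]) -> bool:
        return (src in ip_network(self.src)
                and dst in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


class Firewall:
    """First-match rule table; anything no rule admits is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)

    def verdict(self, src: str, dst: str, proto: str = "tcp",
                dport: Optional[int] = None) -> str:
        s, d = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if rule.matches(s, d, proto, dport):
                return rule.action
        return "deny"            # implicit final deny


# Constructed addresses (RFC 5737 documentation ranges); the real addressing
# of the deployment is not given in the description.
HOME_POOL   = "192.0.2.0/24"      # addresses the predetermined ISP gives home sites 20
VPN_CORE    = "198.51.100.10/32"  # VPN concentrator 100
ROUTER_ARR  = "198.51.100.0/28"   # WAN-side addresses of the router arrangement 50
SCHOOL_VPN  = "203.0.113.5/32"    # school VPN router 80
COMPANY_VPN = "203.0.113.200/32"  # a parent's company VPN gateway, pre-approved
ANY         = "0.0.0.0/0"

# First firewall (210 on router R1): a home site may reach the VPN core for
# IKE, NAT-T and the SSL VPN logon page, plus the pre-approved external
# systems. No rule admits general internet traffic, so the implicit deny
# stops a home PC that tries to bypass the system.
FIRST_FIREWALL = Firewall([
    Rule("allow", HOME_POOL, VPN_CORE, "udp", 500),
    Rule("allow", HOME_POOL, VPN_CORE, "udp", 4500),
    Rule("allow", HOME_POOL, VPN_CORE, "tcp", 443),
    Rule("allow", HOME_POOL, COMPANY_VPN, "udp", 500),
    Rule("allow", HOME_POOL, COMPANY_VPN, "udp", 4500),
])

# School-side firewall (third firewall, 45): only the router arrangement's
# addresses may reach the school VPN router. The explicit deny for SSH is
# placed first so that it wins regardless of source.
SCHOOL_FIREWALL = Firewall([
    Rule("deny", ANY, SCHOOL_VPN, "tcp", 22),
    Rule("allow", ROUTER_ARR, SCHOOL_VPN, "udp", 500),
    Rule("allow", ROUTER_ARR, SCHOOL_VPN, "udp", 4500),
    Rule("allow", ROUTER_ARR, SCHOOL_VPN, "esp"),
])
```

<p>The order of the rules matters: a packet is judged by the first rule it matches, so a broad deny placed early shadows later allows, and an allow placed before a deny would expose the port. Keeping the source list narrow (the /28 of the router arrangement rather than the whole ISP) is what turns the school firewall into the IP address list the paragraph describes.</p>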
<p>Optionally, the first computer system may be prohibited from forming any other WAN connections. This provides a further safeguard against a pupil or child making additional internet connections that bypass the restrictions put in place by the school system. The home computer may be configured so that the addition of such internet connections requires a password, or the option is removed from the computer's configuration options. Alternatively, software or hardware may be installed to prevent such unauthorised internet connections, or the broadband and telephone system may be configured to prevent them.</p>
<p>Advantageously, the first computer system is one of a home computer, a games console, a PDA, an IP enabled mobile telephone, a smartphone, a digital television and a home entertainment system. Any of these devices may provide protected access to the internet.</p>
<p>In a further aspect of the present invention there is provided a system comprising: the router arrangement as described above; a first computer system configured to enable a user to connect to the internet; and a second computer system configured to allow restricted access to the internet.</p>
<p>In a further aspect of the present invention, there is provided a method for enabling a user on a first computer system to connect to the internet comprising the steps of: (a) providing a router arrangement and forming a first wide area network (WAN) connection between the first computer system and the router arrangement; (b) providing a second computer system configured to allow restricted access to the internet; and (c) forming a second WAN connection between the router arrangement and the second computer system, wherein the router arrangement is configured to route internet traffic from the first computer system over the first and second WAN connections so that the user has restricted access to the internet.</p>
<p>Optionally, the method further comprises the steps of: (d) ascertaining a user parameter; and (e) forming a connection between the first computer system and the internet, or routing internet traffic from the first computer system over the first and second WAN connections so that the user has restricted access to the internet, depending on the ascertained user parameter.</p>
<p>Advantageously, the first WAN connection is formed using a first internet service provider (ISP). Preferably, the second WAN connection is formed using a second ISP.</p>
<p>Optionally, the second computer system may be configured to restrict access to the internet using a list of internet addresses.</p>
<p>Optionally, the first computer system is prohibited from forming any other WAN connections.</p>
<p>The present invention also extends to a computer program comprising instructions that, when executed on a computer cause the computer to enable a user on a first computer system to connect to the internet, as in the method described above.</p>
<p>The present invention also extends to a computer programmed to perform the method of enabling a user on a first computer system to connect to the internet, as described above.</p>
<p>Brief description of the Figures</p>
<p>The present invention may be put into practice in a number of ways and a preferred embodiment will now be described by way of example only and with reference to the accompanying drawings, in which: Figure 1 shows a schematic diagram of a system for connecting to the internet; Figure 2 shows a schematic diagram of the physical layout of a system for connecting to the internet; Figure 3 shows a schematic diagram of the system for connecting to the internet, including a logical layout of components; Figure 4 shows a schematic diagram of the system for connection to the internet, including secure connections between components; Figure 5 shows a schematic view of the system for connecting to the internet, including connections made during user logon; Figure 6 shows a schematic view of the system for connecting to the internet, including connections made when connecting a user directly to the internet; Figure 7 shows a schematic view of the system for connecting to the internet, including the connections made when connecting a user to the internet via a school system; and Figure 8 shows a schematic view of the system for connecting to the internet including the connections made when connecting a user to an external network.</p>
<p>Detailed description of a preferred embodiment</p>
<p>Figure 1 shows a schematic overview of a system for connecting a user on a home PC or computer, to the internet.</p>
<p>Figure 1 omits various details but demonstrates the basic operation of the system. A home user site 20 is connected to a Virtual Private Network (VPN) core 50 by a two-way connection 240 using an Internet Service Provider (ISP) 220.</p>
<p>The VPN core 50 is also connected to a school system 40 by a separate two-way connection 260. Connection 260 is made over a separate ISP service 30. The school system 40 also has a connection to the internet.</p>
<p>The VPN core 50 allows the home user site 20 to connect to the internet by passing all traffic through the school system 40. Therefore, the school system 40 is able to monitor and / or restrict all internet traffic available to the home user site 20. Any restrictions placed on internet traffic originating within the school system 40 are also placed on that of the home user site 20.</p>
<p>Figure 2 shows a schematic view of a system for connecting a user on a home PC or computer 60, to the internet. Figure 2 contains a schematic representation of the physical hardware required to make the internet connection.</p>
<p>Figure 2 shows two user sites 20 (Home Sites A and B) although any number of user sites may be included in the system. It is expected that several hundred or several thousand user sites may be connected to the system. Home site A 20 contains a home PC 60 and a modem 70. The modem is used to initiate a WAN connection over the public telephone system to an ISP. The modem 70 shown is a Linksys (RTM) cable/ADSL router modem but any suitable modem may be used, such as a dial-up modem, a cable modem, a wireless modem or another ADSL modem, for instance. Such a modem 70 may be built into the home PC 60 or may be a stand alone device. The WAN connection to the ISP is formed over the public phone system (not shown). After a connection is made between the user site 20 and the ISP, a VPN connection is formed between the user site 20 and a central router system denoted as VPN core 50. The VPN connection is formed over several routers R1, R2 and R3.</p>
<p>Router R1 has an associated firewall 210, which is used to protect the system 10 from unauthorised traffic entering from the user side of the system 10. Alternatively, home sites 20 may be directly connected with the VPN core 50 using the ISP. The ISP has resources in place to allow access to the VPN core 50. This may be achieved by incorporating the VPN core 50 within the ISP system. The ISP is configured to only carry cable or DSL traffic to or from the VPN core 50 and is configured not to allow direct internet connection with the home user site 20. Therefore, in most cases, the ISP will be predetermined and all home users will use one of these predetermined ISPs.</p>
<p>The VPN core 50 comprises router R6, VPN concentrator 100, router R8 and a VPN core PC 55. The VPN concentrator 100 is a 3000 series Cisco (RTM) VPN concentrator running software version 4.7, but any router of suitable capacity may be employed. Routers R6 and R8 are Cisco (RTM) 2600 routers but any suitable routers may be used. The VPN core PC 55 is a central server used to administer the system and to perform administrative tasks such as keeping a record of user identifiers, passwords and any access privileges.</p>
<p>Router R8 has an associated firewall 200 to protect the VPN core PC 55 from unauthorised traffic. Both the VPN concentrator 100 and firewall 200 support network address translation (NAT). Where more than one predetermined ISP is used, policy-based routing may be used to avoid "leaking" of traffic between them.</p>
<p>A permanent VPN connection is formed between the VPN core 50 and one or more school systems 40. Each school system 40 is configured to allow restricted access to the internet. The VPN core 50 allows user site 20 to connect to the Internet using the restricted internet access of one or more school systems 40.</p>
<p>Two school systems 40 are shown (school A and school B) although any number of schools may be included in the system 10. Each school system 40 comprises a shared resource PC 90, a router R4, R5 for connecting to a Local Education Authority (LEA) system and a Linksys (RTM) VPN router 80.</p>
<p>The Linksys (RTM) VPN router 80 provides access to the school's own local area network (LAN) and may be replaced by any suitable VPN router. School router R4, R5 may optionally include a firewall 45. School router R4, R5 connects to the LEA network (not shown in this figure). This connection may be by means of a LEA ISP (not shown in this figure), which may be the same ISP as that of the user or a different ISP. Router R3 connects the LEA network to the LEA ISP, which in turn connects to the school router R4, R5. Routers R1 to R8 may each optionally include a firewall. In this way, the LEA system 30 is used to connect the school system 40 to the VPN core 50 and also to the internet. The VPN core PC 55 maintains control of the connections mentioned above.</p>
<p>The VPN core 50 may be physically located within an ISP system (not shown in this figure) or at another convenient location.</p>
<p>Figure 3 shows a similar schematic diagram of the system 10 to that shown in Figure 2. However, dashed lines 300, 310, 320, 330 illustrate the logical system domains comprising the system 10. Domain 300 encompasses all home user sites 20, the ISP connection (not shown in this figure) and the routers R1, R7 for connecting to the rest of the system 10. Domain 310 defines the router R2 and associated firewall for connecting the LEA system between the home user domain 300 and the VPN core 50. Domain 320 encompasses the VPN core 50. Domain 330 encompasses all of the school systems 40 and their associated routers. As Figure 3 shows the logical layout of the system, the physical location of the devices contained within it may be different.</p>
<p>Figure 4 shows a schematic diagram of the system 10 highlighting the connections made between the various components. The connection denoted by dashed line 240 represents the VPN connection between the home user site 20 and the VPN core 50 via routers R1, R2 and R6, and terminates on the VPN concentrator 100. This VPN connection allows the home user to be verified and the connection to be configured within the VPN core 50. Once the home user is verified, the user privileges may be determined in order to configure any further connections to be made. Connection 240 is initiated by the home user when they wish to access the internet. The user may initiate the connection and log on to the system using a general web browser such as Internet Explorer (RTM) or Netscape Navigator (RTM), for example. The advantage of using a general web browser is that minimal additional software is required on the home computer 60, as most home computers will have a web browser already installed.</p>
<p>Alternatively, connection 240 may be initiated by the user using dedicated client software, which may be activated automatically when the user starts their home computer 60.</p>
<p>For web browser initiated sessions, connection 240 may be based on a secure sockets layer (SSL) VPN connection. In other words, connection 240 provides a secure tunnel between the home user site 20 and the VPN core 50. A remote desktop facility may optionally be provided on the home PC 60 and so provide additional access to the school system software and resources, where this is allowed. The access within this remote desktop may be controlled by an administrator.</p>
<p>The client software may be Cisco (RTM) VPN software, for example. This software provides basic firewall services and a highly secure connection following authentication of the user. However, such client software must be preinstalled on the home PC or computer 60 prior to use.</p>
<p>The home PC 60 may be configured so that the user cannot make any external connections except to the VPN core, via a predetermined ISP. This will ensure that the user cannot bypass the system 10 and make any unrestricted connections to the internet. This may be achieved by configuring the start-up script of the computer to launch the client software or the web browser and logon screen when the computer is started. Alternatively, the network connection management software may be configured not to allow any user changes, so that connections are restricted to this single external connection. Therefore, only the VPN core 50 specific connections may be made. Such restrictions may be enforced by each user having their own computer logon with various privileges set for each user type. When the user logs on to the computer the client software may be initiated automatically to create the connection between the home PC and the VPN core 50 using the same or associated username and password information.</p>
<p>Connection 260 represents the connection between the VPN core 50 and the school systems 40 using routers R3, R4 and R5 and terminating with the Linksys VPN router 80. This connection allows Internet traffic between the home user site 20 to be directed through the school system 40.</p>
<p>Connection 260 will normally be maintained at all times unless maintenance of the system is required. This connection is also a VPN connection.</p>
<p>Figures 5 to 8 show the connections made during the various stages of connection the user to the internet. The same reference numerals have been used to denote like components, as described with reference to the previous figures.</p>
<p>-17 -Figure 5 shows the connections made during a user logon stage. Isp 220 is used to connect the home user site 20 to router Ri. Router Ri may be physically located within the ISP or within the VPC core 50. Connection 240 is initiated by the user connecting to ISP 220, which in turn connects to the VPN core 50 via router Ri. Connection 240 links the home user site 20 with the VPN concentrator 100. VPN concentrator 100 is shown as two parts in this figure. The VPN core PC 55 is not shown in this figure. Once connection 240 has been made the VPN core 50 verifies the user using a user name and password or other encryption technique. The verification procedure includes determination of the various connection parameters for that particular user. This verification procedure is controlled by the VPN core PC 55 (not shown in this figure) . Such connection parameters may include details of the user type, for example school pupil or parent, associated school and / or LEA and their access rights, including whether or not they may be allowed direct access to the internet or if such access must be restricted in some way. The connection parameters are stored within the VPN core 50.</p>
<p>If the verification step results in the system determining that the user is an adult or parent user (from the user!s connection parameters) , the user may connect to the internet bypassing the school system 40. In this case connection 250 is made between the VPN core 50 and the general internet via routers R8 and R6, as shown in Figure 6. Such a connection is only made after user verification.</p>
<p>Connection 250 may be restricted by a white list and/or a black list defined for parents and adults or may be an unrestricted internet connection. Connection 250 will not -18 -necessarily be made if the verification procedure determines that the user is a pupil or other child. Once connection 250 is made the user is free to access the internet without any further direct interaction with the system 10 until the user logs off or breaks their ISP connection. Once this occurs, the user must remake connection 240 and go through the verification procedure to regain access to the internet.</p>
<p>Figure 7 shows the connections made within the system 10 when the verification step results in the system 10 determining that the user is a pupil or child. The VPN core will then confirm the availability of the school system and the LEA system 30. Once the availability of the school and LEA system 30 is confirmed, a connection 260 is made between the VPN core 50 and the general internet, as shown in Figure 7. However, in contrast to connection 250 shown in Figure 6, connection 260 passes through the LEA system 30, including an LEA ISP and an LEA network, and the school site 40 before connecting to the internet. This allows all internet traffic to be controlled by the school site 40. Any restrictions normally placed on internet access from a pupil or other user located at the school site will be placed on all internet traffic passing through the school site 40. Such restrictions may be in the form of white or black list confirmation or connection specific restrictions. Such connection specific restrictions may, for example, include restrictions on access to chat rooms, newsgroups, gaming sites, encrypted systems, secure networks or banking systems.</p>
<p>In this way, the access restrictions placed on a pupil or other child user type using a home PC 60 may be similar to those placed on a user physically located within the school system. This is because the school system is carrying out access control functions before allowing any through traffic. Any access restriction amendments made by the school will immediately result in similar restriction amendments being imposed on the pupil or child's own internet connection. For instance, a school may determine that a new internet site not present on its white list will be useful and suitable for its pupils and so add the site address to its white list. In this case, the web site will immediately become available to a pupil or child on their home PC 60. Additional restrictions may optionally be placed on access by the VPN core 50 and/or the LEA system as required. Such restrictions may, for instance, include traffic volume and bandwidth monitoring or restrictions.</p>
<p>Alternatively, the school system itself may impose different restrictions on access based on each individual user or user type. This may require the VPN core 50 to transmit information relating to the user name or type to the school system 40.</p>
<p>Normally, the VPN core 50 will maintain connections with all school sites 40. However, if the Educentric VPN core 50 determines that a pupil or child has logged on to the system but that either the LEA system 30 or the school system 40 is unavailable or cannot be connected, the pupil may either be refused access to the internet or be connected to the internet via connection 250. This is similar to the connection configuration shown in Figure 6.</p>
<p>In this case, the system 10 will impose connection restrictions based on a white or black list stored within the Educentric VPN core 50. Although this is similar to the method of connecting a parent or adult to the internet, a different white or black list may be employed to provide further restrictions on internet connection. Typically, such access will be at least as restrictive as the restrictions placed on access by the school system 40. The white or black lists may be a copy of those provided by the LEA to schools.</p>
<p>This allows temporary protected access to the internet until the relevant school system 40 or LEA system 30 becomes available. Once this occurs, the connection to the internet may be routed according to connection 260 as shown in Figure 7. Alternatively, connection 250 may be maintained until the pupil or child user logs off from the system 10.</p>
<p>A method of a user connecting to the internet shall now be described. The user starts up their home PC 60 and opens a browser window. The user navigates to a user logon site, which may be the browser's default home page. The user logon site prompts the user for their user name and password. Once entered, the user logon site directs this information to the VPN core 50. The VPN core 50 authenticates the user name and password and determines the user type (pupil or adult). For adult user types a connection 250 is initiated between the VPN core 50 and the general internet. The VPN core 50 may either allow the user unrestricted access to the internet or alternatively restrict access by means of white or black lists stored within the VPN core 50.</p>
<p>Where the user is determined to be a pupil, the school system 40 is available and a connection 260 to the school system 40 from the VPN core 50 is open, the pupil is connected to the internet through the school system 40, as described above. If connection 260 to the school system or the school system 40 itself is unavailable, the pupil will be connected to the internet by connection 250, but access will be restricted by pupil specific white or black lists.</p>
<p>User connections to the internet are maintained until the user logs off.</p>
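<p>The logon and route-selection steps above, as an added example that is not code from the patent or from Educentric: a toy model of the VPN core (element 50) authenticating a user, reading the user type from the stored connection parameters, choosing connection 250 or connection 260, and applying the core's own white or black list when connection 250 is used. The user records, the Route names, the availability table and the refuse-or-fallback flag are constructed assumptions for illustration.</p>

```python
# Added example (not code from the patent or from Educentric): a toy model of
# the logon and route-selection logic described above for the VPN core
# (element 50). User records, the Route names and the availability table are
# constructed assumptions for illustration.
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class UserType(Enum):
    ADULT = "adult"
    PUPIL = "pupil"


class Route(Enum):
    DENY = "deny"               # authentication failed or policy refuses access
    DIRECT = "connection_250"   # VPN core -> internet (via routers R8 and R6)
    SCHOOL = "connection_260"   # VPN core -> LEA system 30 -> school site 40 -> internet


@dataclass(frozen=True)
class ConnectionParameters:
    """Per-user parameters the VPN core holds after verification."""
    user_type: UserType
    school_id: Optional[str] = None
    # Lists applied by the VPN core itself on connection 250; both empty = unrestricted.
    white_list: FrozenSet[str] = frozenset()
    black_list: FrozenSet[str] = frozenset()
    # If True, a pupil is refused rather than given connection 250 when the school is down.
    refuse_when_school_unavailable: bool = False


def _pbkdf2(password: str, salt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)


# Constructed credential store: user name -> (salt, password hash, connection parameters).
USERS: Dict[str, tuple] = {
    "parent1": ("salt-p1", _pbkdf2("parent-pw", "salt-p1"),
                ConnectionParameters(UserType.ADULT)),
    "pupil1": ("salt-u1", _pbkdf2("pupil-pw", "salt-u1"),
               ConnectionParameters(UserType.PUPIL, "school-A",
                                    white_list=frozenset({"school-a.example", "library.example"}))),
    "pupil2": ("salt-u2", _pbkdf2("pupil2-pw", "salt-u2"),
               ConnectionParameters(UserType.PUPIL, "school-B",
                                    refuse_when_school_unavailable=True)),
}


def authenticate(username: str, password: str) -> Optional[ConnectionParameters]:
    """Verify the user name and password; return the stored parameters on success."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected, params = record
    if not hmac.compare_digest(_pbkdf2(password, salt), expected):
        return None
    return params


def select_route(params: ConnectionParameters, school_available: Dict[str, bool]) -> Route:
    """Choose connection 250 or 260 from the user type and school/LEA availability."""
    if params.user_type is UserType.ADULT:
        return Route.DIRECT
    if school_available.get(params.school_id, False):
        return Route.SCHOOL
    # School or LEA system unreachable: refuse, or fall back to a core-filtered connection 250.
    if params.refuse_when_school_unavailable:
        return Route.DENY
    return Route.DIRECT


def logon(username: str, password: str, school_available: Dict[str, bool]) -> Route:
    """The full logon step: verify credentials, then pick the route."""
    params = authenticate(username, password)
    if params is None:
        return Route.DENY
    return select_route(params, school_available)


def core_permits(host: str, params: ConnectionParameters) -> bool:
    """White/black list check the VPN core applies on connection 250 only.
    On connection 260 the school site performs access control instead."""
    if params.white_list:
        return host in params.white_list
    return host not in params.black_list
```

<p>Note that the fallback to connection 250 is where the pupil specific lists matter: once a pupil is routed past the school site, the VPN core's own list is the only control left, which is why the description says it should be at least as restrictive as the school's.</p>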
<p>A home user may require other connections to the internet not available through the school system or through the VPN core 50. For example, a parent or adult may wish to connect to a separate VPN such as an employer VPN. Such connections 260 are shown in Figure 8. Firewall 210 is maintained from within the VPN concentrator 100 and is configured to allow all other VPN traffic to pass through directly. Alternatively, firewall 210 may be configured to allow connections to specific predefined IP addresses only, such as those of each employer. The firewall 210 may be modified using rule lists, for example. In this case, it will be necessary to confirm that the employer VPNs are suitably secure before allowing access, in order to prevent pupils or children from using these VPNs to gain unrestricted access to the internet.</p>
<p>In addition to external VPN connections, users may require access to other external systems. For example, these external systems may include games console internet connections, such as those required by the X-box (RTM) system, television decoder system access and television scheduler internet access. The system 10 may detect particular access requests to these external systems and allow access based on connection type or, alternatively, firewall 210 may be configured to enable access to specific external systems based on IP address information.</p>
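<p>The two firewall 210 configurations described in the preceding two paragraphs, as an added example that is not code from the patent or from Educentric: a toy rule evaluator contrasting (a) passing any VPN-looking traffic with (b) allowing only predefined destination addresses for employer VPN gateways and specific external systems. The rule format, the VPN port signatures and the sample addresses (RFC 5737 documentation ranges) are constructed assumptions.</p>

```python
# Added example (not code from the patent or from Educentric): a toy evaluator for
# the two ways of configuring firewall 210 described above: (a) pass all VPN-like
# traffic, or (b) allow only predefined destination addresses such as each employer's
# VPN gateway and specific external systems. The rule format, the VPN signatures and
# the sample addresses (RFC 5737 documentation ranges) are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports/protocols that commonly carry VPN traffic: IKE, IPsec NAT-T, OpenVPN, PPTP, ESP, GRE.
VPN_PORTS = {("udp", 500), ("udp", 4500), ("udp", 1194), ("tcp", 1723)}
VPN_IP_PROTOCOLS = {"esp", "gre"}


@dataclass(frozen=True)
class Flow:
    dst: str                    # destination IPv4 address
    proto: str                  # "tcp", "udp", "esp" or "gre"
    port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                                      # "allow" or "deny"
    network: Optional[ipaddress.IPv4Network] = None  # None = any destination
    proto: Optional[str] = None                      # None = any protocol
    port: Optional[int] = None                       # None = any port

    def matches(self, flow: Flow) -> bool:
        if self.network is not None and ipaddress.ip_address(flow.dst) not in self.network:
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.port is not None and flow.port != self.port:
            return False
        return True


def looks_like_vpn(flow: Flow) -> bool:
    """Heuristic used by configuration (a): is this flow on a known VPN port/protocol?"""
    return flow.proto in VPN_IP_PROTOCOLS or (flow.proto, flow.port) in VPN_PORTS


def permissive_policy(flow: Flow) -> str:
    """Configuration (a): any VPN-looking flow passes through firewall 210."""
    return "allow" if looks_like_vpn(flow) else "deny"


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation of a rule list with a default-deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Configuration (b): only predefined destinations (constructed sample values).
PREDEFINED_RULES = [
    Rule("allow", ipaddress.ip_network("203.0.113.10/32"), "udp", 500),   # employer VPN gateway, IKE
    Rule("allow", ipaddress.ip_network("203.0.113.10/32"), "udp", 4500),  # employer VPN gateway, NAT-T
    Rule("allow", ipaddress.ip_network("203.0.113.10/32"), "esp"),        # employer VPN gateway, ESP
    Rule("allow", ipaddress.ip_network("198.51.100.0/24")),               # games console service network
    Rule("deny"),                                                         # explicit catch-all
]


def predefined_policy(flow: Flow) -> str:
    """Configuration (b): firewall 210 allows only the predefined addresses."""
    return evaluate(PREDEFINED_RULES, flow)
```

<p>Under configuration (a) an OpenVPN-style flow to an arbitrary address is allowed, so a pupil's home PC could tunnel past the school's controls; under configuration (b) the same flow is denied while the employer gateway and the console service network still work, which is the property the description asks an administrator to confirm before enabling external VPN access.</p>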
<p>As will be appreciated by the skilled person, details of the above embodiment may be varied without departing from the scope of the present invention, as defined by the appended claims.</p>
<p>For example, the home computer may be a games console, a mobile device such as a PDA, an IP enabled mobile telephone, a smartphone, a digital television, a home entertainment system or any other device enabling access to the internet. Instead of the home computer using a modem to connect to an ISP, other connection means may be used, which may include a mobile telephone or fibre optic link, for example.</p>
<p>Alternatively, the Educentric VPN core 50 may connect directly with a school system 40 without passing through the LEA system 30. Such an alternative arrangement may be used where only a limited number of schools are available on the system.</p>
<p>Any number of home user sites 20 may be connected to the system 10 and any number of individual users may use each home user site 20. Furthermore, any number of school systems 40 may be connected to the system.</p>
<p>Each user may be associated with a specific school system 40 so that pupils can be connected to the internet using the restrictions of their own particular school. This may be important where schools have particular religious, ethical or other criteria for determining which internet sites are suitable for their own pupils. Additionally, each user may have access to their individual computer account held within their school system. Alternatively, each pupil or child user may be connected to any available school site on a load balancing basis.</p>
<p>Although the system 10 has been described with reference to pupils, children, adults, LEAs and schools the system may be used for other civic and commercial organisations such as libraries, businesses, internet cafés and WiFi hotspots, for example.</p>
<p>Alternatively, all users are directed through the school system 40 to the internet. In this case, it will not be necessary to assess the user type (pupil or parent).</p>

Claims

<p>CLAIMS:</p>
<p>1. A router arrangement (50) for enabling a user on a first computer system (20) to connect to the internet, wherein the router arrangement (50) is configured to: (a) receive a first wide area network (WAN) connection (240) from the first computer system (20); (b) form a second WAN connection (260) with a second computer system (40) configured to allow restricted access to the internet; and (c) route internet traffic from the first computer system (20) through the second computer system (40) over the first (240) and second (260) WAN connections so that the user has restricted access to the internet.</p>
<p>2. The router arrangement (50) of claim 1 further configured to: (d) ascertain a user parameter; (e) form a connection between the first computer system (20) and the internet, or route internet traffic from the first computer system (20) through the second computer system (40) over the first (240) and second (260) WAN connections so that the user has restricted access to the internet, depending on the ascertained user parameter.</p>
<p>3. The router arrangement of claim 1 or claim 2, wherein the first WAN connection (240) is formed using a first internet service provider (ISP) (220).</p>
<p>4. The router arrangement (50) of any previous claim, wherein the second WAN connection (260) is formed using a second ISP.</p>
<p>5. The router arrangement of claim 3, further comprising a second router (R4) configured to connect the second computer system (40) with the second ISP.</p>
<p>6. The router arrangement of any previous claim, wherein the second computer system (40) is configured to restrict access to the internet using a list of internet addresses.</p>
<p>7. The router arrangement of any previous claim, further comprising a first firewall (210) protecting the router arrangement over the first WAN connection.</p>
<p>8. The router arrangement of any previous claim, further comprising a second firewall (200) protecting the router arrangement over the second WAN connection (260).</p>
<p>9. The router arrangement of any previous claim, wherein the user is one of a pupil and parent, and the first server is located within a school.</p>
<p>10. The router arrangement of claim 7, wherein the first firewall (210) is configured to allow access to predetermined external systems.</p>
<p>11. The router arrangement of any previous claim, wherein the second computer system (40) further comprises: a first computer (90); a first router (R4); a third firewall (45) associated with the first router (R4) for protecting the second computer system (40) over the second WAN connection (260); and a second router (80) in communication with the first computer (90).</p>
<p>12. The router arrangement (50) of any previous claim, wherein the first computer system (20) is prohibited from forming any other WAN connections.</p>
<p>13. The router arrangement (50) of any previous claim, wherein the first computer system (20) is one of a home computer, a games console, a PDA, an IP enabled mobile telephone, a smartphone, a digital television and a home entertainment system.</p>
<p>14. A system (10) comprising: the router arrangement (50) of any previous claim; a first computer system (20) configured to enable a user to connect to the internet; and a second computer system (40) configured to allow restricted access to the Internet.</p>
<p>15. A method for enabling a user on a first computer system (20) to connect to the internet comprising the steps of: (a) providing a router arrangement (50); forming a wide area network (WAN) connection between the first computer system (20) and the router arrangement (50); (b) providing a second computer system (40) configured to allow restricted access to the Internet; and (c) forming a WAN connection between the router arrangement and a second computer system (40), wherein the router arrangement (50) is configured to route internet traffic from the first computer system (20) over the first and second WAN connections so that the user has restricted access to the internet.</p>
<p>16. The method of claim 15 further comprising the steps of: (d) ascertaining a user parameter; and (e) forming a connection between the first computer system (20) and the internet, or routing internet traffic from the first computer system (20) over the first and second WAN connections so that the user has restricted access to the internet, depending on the ascertained user parameter.</p>
<p>17. The method according to claim 15 or claim 16, wherein the first WAN connection is formed using a first internet service provider (ISP) (220).</p>
<p>18. The method according to claim 15, claim 16 or claim 17, wherein the second WAN connection (260) is formed using a second ISP.</p>
<p>19. The method according to any of claims 15 to 18, wherein the second computer system (40) is configured to restrict access to the internet using a list of internet addresses.</p>
<p>20. The method according to any of claims 15 to 19, wherein the first computer system (20) is prohibited from forming any other WAN connections.</p>
<p>21. A computer program comprising program instructions that, when executed on a computer, cause the computer to perform the method of any of claims 15 to 20.</p>
<p>22. A computer-readable medium carrying a computer program according to claim 21.</p>
<p>23. A computer programmed to perform the method of any of claims 15 to 20.</p>
<p>24. A method for connecting to the internet substantially as herein described with respect to any of the Figures.</p>
<p>25. Apparatus for connecting to the internet substantially as herein described with respect to any of the Figures.</p>
GB0523101A 2005-11-11 2005-11-11 Connecting to the internet Expired - Fee Related GB2432276B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0523101A GB2432276B (en) 2005-11-11 2005-11-11 Connecting to the internet

Publications (3)

Publication Number Publication Date
GB0523101D0 GB0523101D0 (en) 2005-12-21
GB2432276A true GB2432276A (en) 2007-05-16
GB2432276B GB2432276B (en) 2008-01-30

Family

ID=35516826

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0523101A Expired - Fee Related GB2432276B (en) 2005-11-11 2005-11-11 Connecting to the internet

Country Status (1)

Country Link
GB (1) GB2432276B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050198319A1 (en) * 2004-01-15 2005-09-08 Yahoo! Inc. Techniques for parental control of internet access including a guest mode

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008106850A1 (en) 2007-03-06 2008-09-12 Zte Corporation A method and system for controlling network access
EP2124398A1 (en) * 2007-03-06 2009-11-25 ZTE Corporation A method and system for controlling network access
EP2124398A4 (en) * 2007-03-06 2011-10-05 Zte Corp A method and system for controlling network access

Also Published As

Publication number Publication date
GB2432276B (en) 2008-01-30
GB0523101D0 (en) 2005-12-21

Similar Documents

Publication Publication Date Title
EP1782265B1 (en) System and method for secure network connectivity
US7448078B2 (en) Method, a portal system, a portal server, a personalized access policy server, a firewall and computer software products for dynamically granting and denying network resources
US20140089661A1 (en) System and method for securing network traffic
US20060164199A1 (en) Network appliance for securely quarantining a node on a network
US20080282338A1 (en) System and method for preventing the reception and transmission of malicious or objectionable content transmitted through a network
JP2010027028A (en) Control of website usage via online storage of restricted authentication credential
Liu et al. Firewall policies and VPN configurations
US20220360607A1 (en) Enterprise browser system
US20220021675A1 (en) Method of using dhcp host name to identify a unique device in absense of unique mac address in order to apply network firewall or access control rules
Akin Hardening Cisco Routers: Help for Network Administrators
GB2432276A (en) Connecting to the internet
Johansson et al. Protect your Windows network: from perimeter to data
WO2008139126A1 (en) Connecting to the internet
Cisco CDAT Expert Interface
Cisco Common Configurations
JP2003044441A (en) Network access control management system
Foley Getting Security Objectives Wrong: A Cautionary Tale of an Industrial Control System
Harrison et al. Microsoft Forefront Threat Management Gateway (TMG) Administrator's Companion
AU2012234904A1 (en) Providing network content

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20101111