WO2010033129A1 - Method, apparatus and software for a multi-phase packet filter for internet access - Google Patents

Method, apparatus and software for a multi-phase packet filter for internet access

Info

Publication number
WO2010033129A1
Authority
WO
WIPO (PCT)
Prior art keywords
filtering
request
filter system
protocol
user
Prior art date
Application number
PCT/US2008/077221
Other languages
English (en)
Inventor
Stefan Kassovic
Original Assignee
Ur2G, Inc.
Guardyen Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ur2G, Inc. and Guardyen Inc.
Priority to PCT/US2008/077221
Publication of WO2010033129A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload

Definitions

  • the present invention pertains or relates to a firewall, and in particular to a multi -phase packet filter for secure and controlled access to the Internet.
  • An alternative type of filtering relates to situations where the site is a portal for an application, such as games or chat rooms.
  • the application may utilize multiple protocols, such as TCP or UDP.
  • the filtering tends to be more complex, and may involve blocking one or more protocols in order to prevent use of the application. It may also involve blocking particular ports associated with the type of application. For example, IM games are associated with a particular port, as are chat rooms.
  • Software solutions to certain of these issues include: Net Nanny from ContentWatch, Inc., CYBERsitter from Solid Oak Software, Inc., and CyberPatrol from CyberPatrol, LLC.
  • a firewall is in general software within a router, i.e., located between a private network or machine and the internet gateway for the private device or network.
  • a request for information from the internet is routed through the firewall, and information received from the internet is first received at the firewall before being transmitted or distributed to the private device or network.
  • the communication protocols used are specific to the site or application.
  • the firewall of patent 6,925,572 has two simple phases: the first phase is verification that the protocol is allowed and that the length of the request does not exceed the allowed maximum for the command.
  • In phase 2, which is a specialized phase particular to the protocol of the request, the request is filtered to verify one or more of: the source, the destination, and the content of the request.
  • The firewall of patent no. 6,925,572 is specifically designed to protect private or local networks from malicious attacks from the Internet, and is particularly useful in a commercial or business environment. It is not installed on individual computers since it is on the router, but is difficult to configure and not user-friendly.
  • TGPF Time Gate Packet Filter
  • Fig. 1 illustrates a functional diagram of a standard configuration of a computer network including the TGPF of the present invention.
  • Fig. 2 illustrates a functional diagram of alternate current and projected configurations of a computer network including the TGPF of the present invention.
  • Fig. 3 is a flow diagram of the multi phase filtering of the present invention.
  • Fig. 4 is a flow diagram of the time phase filtering.
  • Fig. 5 illustrates an exemplary configuration of the TGPF as it controls access to different types of data flow.
  • Fig. 6a illustrates an exemplary configuration of the TGPF for family usage.
  • Fig. 6b illustrates exemplary settings corresponding to the family gate configuration.
  • Fig. 7 is a flow chart showing the usage and modification of the menu.
  • Fig. 8a shows a front view of the hardware components of the inventive box.
  • Fig. 8b shows the programming screen interface of the inventive box.
  • The inventive system relates to a firewall with multi-phase filtering. Typically a firewall is located between a user computer or an internal network such as a Local Area Network (LAN) and an external network such as the Internet that can pose risks to the internal network.
  • the firewall of the present invention is generally used to provide controlled and secure access to the Internet. It may also be used to segment networks into secured and unsecured portions, or to apply different levels of security or policy to different parts of the network.
  • the inventive filter/firewall system is a stand-alone unit which does not impact the operation of the PC which may be connected on the LAN. It does not require technical expertise to install or operate or configure: the user performs a simple configuration on the box itself.
  • a second advantage of the inventive system is a time filtering configuration, which will be described hereinafter.
  • The inventive system can be used for a specific computer or for the complete LAN of a house or other small environment, i.e., for several computers. Configuring the system is accomplished according to the following process:
  • the user selects or provides a set of specific sites to be subject to blocking, such as YouTube or MySpace or FaceBook.
  • the user further selects a set of categories subject to blocking, such as computer games, chat rooms, etc.
  • the user further enters a time schedule which determines which sites or categories will be blocked from which computers during which time periods. This may include daily or weekly periods, e.g., children may be permitted different periods for internet access during the weekend than during the weekdays.
  • the user subscribes to a service which maintains and updates a list of sites and protocols/ports subject to blocking, according to pre-defined categories.
  • the user can add or subtract specific sites whenever necessary, and user-defined categories may be implemented.
  • Fig. 1 illustrates a functional diagram of a standard configuration of a computer network 100, wherein a plurality of users, i.e. computers, 105 may be accessing web site 110 on Internet 115.
  • the local network encompassing users 105 utilizes router 120, and the Internet connection is accomplished via modem or DSL connection 125.
  • The filter of the present invention, hereinafter referred to as a Time Gate Packet Filter (TGPF), 130, may be connected between router 120 and modem/DSL 125.
  • Several possible alternate configurations are shown in Fig. 2, for example, positioning a plurality of TGPFs between the router and the users, or adding the router with or without WiFi capability to the TGPF, or having the TGPF function as a router.
  • Accessing a Web Site 110 can be accomplished directly through a communication means such as a direct connection, an intranet, a local Internet Service Provider (ISP), or through an on-line service provider such as CompuServe, Prodigy, AOL, etc., or using wireless devices using services such as AT&T or Verizon or DSL.
  • Each user will generally have a display device such as a monitor and an input device such as a keyboard.
  • This display and input device could be a PDA such as a Blackberry.
  • the users 105 contact Web site 110 using an informational processing system (Client) capable of running an HTML-compliant Web browser such as Internet Explorer, Netscape Navigator, Lynx, etc.
  • A typical system that is used is a personal computer with an operating system such as Windows 95, 98, or ME, NT, 2000, Macintosh, or Linux, running a Web browser.
  • the exact hardware configuration of computer used by the Users 105, the operating system or the Web browser configuration is not central to this invention. Any HTML-compatible Web browser is within the scope of this invention and its claims.
  • User 105 can also access the Internet through voice and e-mail, as well as by any other standard or new form of communication.
  • The system will enable different modes of input devices for interaction such as keyboard, touch-screen, fax, audio, cell phones, PDA, etc., and will output information on appropriate displays such as video terminals, e-mail, fax, audio, cell phones, etc.
  • Output can include a screen, a graphical user interface, hardcopy, facsimile, e-mail, messaging or other communication with any humanly or machine discernable data and/or artifacts.
  • the data processing system for the current invention includes a computer processor for processing data, storage for storing data on a storage medium, and communication means for transferring data in a secure environment.
  • the system can be set up to be run on a computing device. Any general purpose computer with an appropriate amount of storage space is suitable for this purpose.
  • the computing device can be connected to other computer devices through a communication interface such as the Internet, a Wide Area Network (WAN), telephone network, or a private Value Added Network (VAN).
  • the storage and databases for the system may be implemented by a single database structure at an appropriate site, or by a distributed database structure that is distributed across an intra or an Internet network.
  • TGPF is a standalone box that does not require a computer to configure, is self-contained, and has an embedded Open-Source Operating System.
  • a driver is created to interface the LCD display on the stand-alone box with the system board of the box to allow configuration of the TGPF box. It is not necessary to use a computer, through the web browser or the serial port, to set it up. Furthermore, no software needs to be installed on the user's computer, which allows a user without technical expertise to set up and configure the inventive system.
  • Fig. 3 is a flow diagram of the five phase filtering of a preferred embodiment of the present invention.
  • Phase 0 (step 300) is an optional filtering phase which determines, based on the user configuration, whether the source computer IP address or MAC address is allowed to use the inside interface. If this condition is not met the request is dropped. For example, using this filter, parents' computers may be allowed to use the Internet, while the children's computers are not allowed, or are allowed with limitations.
  • Phase 1 applies to an outgoing request from a source on the LAN (the "inside" interface, i.e., a PC on the LAN) for access to a specific protocol/port, based on apparatus connectivity and system considerations: if the specific protocol/port is not specifically listed as allowed, it is blocked and the request is dropped.
  • Phase 2 allows specific sites to be blocked by the user, such as MySpace or YouTube, as was mentioned earlier. There may be "blacklisted" IP addresses/URLs which are not allowed.
  • the filter phase comprises: if the site is denied by the blacklist then drop, else allow request. In other words, if the site is not blacklisted the request is allowed. This can apply to both incoming and outgoing requests.
  • Phase 3 determines, based on the user configuration, whether the protocol being requested is allowed on a particular port, either independently, or according to its group/category. In other words, does the protocol/port being requested correspond to a group prohibited by the filter as configured by the user, or a specific prohibited protocol? If this condition exists the request is dropped except for specially designated cases, as described below.
  • This filtering phase allows certain classes of sites or applications which may use certain protocols or protocol groups to be blocked, such as chat rooms.
  • the blocking mechanism completely blocks port/protocol combinations within categories according to the user configuration, and allows only certain particularly specified combinations within those categories. For example, if protocol/port combinations corresponding to games are blocked, the user can select certain specific games or specific game categories to be allowed, such as the educational game category in general, or MathBlaster in specific. This filter applies to both incoming and outgoing requests.
  • Phase 4 determines, based on the 24 hour clock and a weekly schedule, as set up by the user, whether the time and day of the request permits access of the requested protocol/port or site. If this condition is not met the request is dropped.
  • the functioning of the time phase filtering involves uploading the rules for a time period each time the time period changes.
  • An exemplary software program implementing this operates according to the flow chart of Fig. 4:
  • a request is received.
  • In step 405 the weekday status of the system is determined. If yes (i.e., it is a weekday), go to step 410. If no (i.e., it is a weekend), go to step 415.
  • In step 410 it is determined whether the time of day of the system falls within the period of the current weekday rules as configured by the user. If yes, loop back to the beginning; the time can be checked at user-determined intervals. If no, go to step 420, where a new period weekday rules file is loaded.
  • In step 415 it is determined whether the time of day of the system falls within the period of the current weekend rules as configured by the user. If yes, loop back to the beginning. If no, go to step 425, where a new period weekend rules file is loaded.
  • After both step 420 and step 425, go to step 430: 1) drop all existing filter rules; 2) apply the new rules from the appropriate new period rules file. This includes dropping all traffic from the hosts and networks contained in the blacklist, and accepting the protocol/ports as defined in the new period rules file.
  • Phase 5 (step 320): If all of the conditions of phases 1-4 are met, the connection request is allowed and packets are passed without modification.
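As an added illustration (not code from the patent or its applicants), the following Python model walks a request through phases 0 to 4 of Fig. 3 and the weekday/weekend period selection of Fig. 4; the MAC addresses, hosts, port-to-category mapping and schedule are constructed sample values.

```python
"""Toy model of the five-phase Time Gate Packet Filter decision (Fig. 3 and Fig. 4).
MAC addresses, hosts, port-to-category mappings and schedules are constructed samples."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Request:
    src_mac: str      # source on the inside (LAN) interface
    direction: str    # "out" (LAN -> Internet) or "in"
    proto: str        # "tcp" or "udp"
    port: int
    dest: str         # destination host name or IP address
    when: datetime    # system clock at the time of the request

@dataclass
class Config:
    allowed_sources: frozenset      # phase 0: MACs allowed to use the inside interface
    allowed_ports: frozenset        # phase 1: (proto, port) pairs explicitly allowed
    blacklist: frozenset            # phase 2: sites dropped for all ports
    category_of: dict               # phase 3: (proto, port) -> category name
    blocked_categories: frozenset   # phase 3: categories blocked as a whole
    category_exceptions: frozenset  # phase 3: (proto, port) allowed despite its category
    weekday_periods: tuple          # phase 4: (start_hour, end_hour, allowed (proto, port))
    weekend_periods: tuple

def active_period_rules(cfg, when):
    """Fig. 4 steps 405-425: select the rules file for the current weekday/weekend period."""
    periods = cfg.weekday_periods if when.weekday() < 5 else cfg.weekend_periods
    for start, end, allowed in periods:
        if start <= when.hour < end:
            return allowed
    return frozenset()  # no configured period covers this hour: nothing is allowed

def filter_request(req, cfg):
    """Return (verdict, phase): the phase that dropped the request, or 5 if allowed."""
    key = (req.proto, req.port)
    if req.direction == "out" and req.src_mac not in cfg.allowed_sources:
        return ("drop", 0)   # phase 0: source not allowed to use the inside interface
    if key not in cfg.allowed_ports:
        return ("drop", 1)   # phase 1: protocol/port not explicitly listed as allowed
    if req.dest in cfg.blacklist:
        return ("drop", 2)   # phase 2: blacklisted site
    category = cfg.category_of.get(key)
    if category in cfg.blocked_categories and key not in cfg.category_exceptions:
        return ("drop", 3)   # phase 3: blocked category with no specific exception
    if key not in active_period_rules(cfg, req.when):
        return ("drop", 4)   # phase 4: not permitted in the current day/time period
    return ("allow", 5)      # phase 5: all conditions met, packets pass unmodified

# Constructed "family gate" configuration in the spirit of Fig. 6a/6b.
WEB = frozenset({("tcp", 80), ("tcp", 443), ("udp", 53)})
CHAT = ("tcp", 6667)       # constructed chat-room port
GAME = ("udp", 27015)      # constructed game port
EDU_GAME = ("udp", 27016)  # constructed educational-game port allowed as an exception
EVERYTHING = WEB | {CHAT, GAME, EDU_GAME}
FAMILY_GATE = Config(
    allowed_sources=frozenset({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}),
    allowed_ports=EVERYTHING,
    blacklist=frozenset({"www.myspace.com", "www.youtube.com"}),
    category_of={CHAT: "chat", GAME: "games", EDU_GAME: "games"},
    blocked_categories=frozenset({"games"}),
    category_exceptions=frozenset({EDU_GAME}),
    weekday_periods=((8, 16, WEB), (16, 21, EVERYTHING)),  # school hours: web only
    weekend_periods=((9, 22, EVERYTHING),),
)
# Constructed sample clock values (2008-09-22 is a Monday, 2008-09-27 a Saturday).
SCHOOL_HOURS = datetime(2008, 9, 22, 10, 0)
EVENING = datetime(2008, 9, 22, 18, 0)
SATURDAY = datetime(2008, 9, 27, 10, 0)
```

The phase number returned with each verdict is what a log line from such a box would need to carry so that a parent can tell a blacklisted site from a schedule block.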
  • Fig. 5 illustrates an exemplary configuration of the TGPF as it controls access to different types of data flow.
  • TGPF 500 is positioned between user computer 505 and internet 510.
  • Outgoing data 515, on ports authorized for protocols such as UDP and TCP, passes through TGPF 500, but outgoing ports 520, not authorized for UDP and TCP, are dropped.
  • the games category of protocols/ports is blocked.
  • HTTP whitelist symbol 522 indicates that HTTP is allowed for all ports.
  • Outgoing Web sites or IP addresses 525, in this case www.myspace.com, are dropped for all ports, i.e., blacklisted. This may apply to all computers in the network, or could be configured for each computer.
  • Incoming data 530, on ports authorized for UDP and TCP, passes through TGPF 500, but incoming port 535, not authorized for UDP and TCP, is dropped.
  • Blacklist symbol 540 indicates that FTP is blocked for all ports.
  • Fig. 6a illustrates an exemplary configuration for family usage.
  • Other potential types of configurations include business gate configuration and school gate configuration. All of the configurations limit access based on time period, type of service (protocol/port combination), URLs, and may include the particular computer.
  • the hours corresponding to the different time periods are synchronized to a clock, generally the internal system clock, and set by the user or automatically. The user does not need to know the details of the blocking mechanisms, the user simply configures the box according to the categories or specific sites to be blocked.
  • Fig. 6b illustrates exemplary settings corresponding to the family gate configuration of Fig. 6a.
  • Fig. 7 is a flow chart showing the menu flow.
  • Figs. 8a and 8b show the hardware components of the inventive box.
  • Fig. 8a shows rectangular control box 800 with display screen 805 (a preferred embodiment of the invention utilizes a touch screen) wherein the menu may appear as shown in Fig. 8b.
  • Other types of inputs for programming the box may be used.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a Time Gate Packet Filter (TGPF) for controlling data flow and Internet access in a small environment. The TGPF is stand-alone, simple to use, requires no computing expertise and requires no software installation. The TGPF uses multi-phase filtering to control network access on the basis of: types of sites, specific sites, types of services that may be accessed, source and destination, time of day and day of the week.
PCT/US2008/077221 2008-09-22 2008-09-22 Method, apparatus and software for a multi-phase packet filter for internet access WO2010033129A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2008/077221 WO2010033129A1 (fr) 2008-09-22 2008-09-22 Method, apparatus and software for a multi-phase packet filter for internet access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2008/077221 WO2010033129A1 (fr) 2008-09-22 2008-09-22 Method, apparatus and software for a multi-phase packet filter for internet access

Publications (1)

Publication Number Publication Date
WO2010033129A1 true WO2010033129A1 (fr) 2010-03-25

Family

ID=42039771

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2008/077221 WO2010033129A1 (fr) 2008-09-22 2008-09-22 Method, apparatus and software for a multi-phase packet filter for internet access

Country Status (1)

Country Link
WO (1) WO2010033129A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020026507A1 (en) * 2000-08-30 2002-02-28 Sears Brent C. Browser proxy client application service provider (ASP) interface
US20050060435A1 (en) * 2003-09-17 2005-03-17 Sony Corporation Middleware filter agent between server and PDA
US6925572B1 (en) * 2000-02-28 2005-08-02 Microsoft Corporation Firewall with two-phase filtering

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2962572A1 (fr) * 2010-07-12 2012-01-13 Softathome Method for extended parental control of a home network, and gateway implementing such a method.
US20140075497A1 (en) * 2012-09-13 2014-03-13 Cisco Technology, Inc. Early Policy Evaluation of Multiphase Attributes in High-Performance Firewalls
US9100366B2 (en) * 2012-09-13 2015-08-04 Cisco Technology, Inc. Early policy evaluation of multiphase attributes in high-performance firewalls
US9306955B2 (en) 2012-09-13 2016-04-05 Cisco Technology, Inc. Early policy evaluation of multiphase attributes in high-performance firewalls

Similar Documents

Publication Publication Date Title
US20080276311A1 (en) Method, Apparatus, and software for a multi-phase packet filter for internet access
US10652745B2 (en) System and method for filtering access points presented to a user and locking onto an access point
AU2014203463B2 (en) Method and system for managing a host-based firewall
EP1949644B1 (fr) Remote access to resources
EP1859354B1 (fr) Identity protection system in a network environment
US20160269445A1 (en) Cloud-based network security and access control
US7308703B2 (en) Protection of data accessible by a mobile device
EP1767031B1 (fr) System and method for automatic configuration of a mobile device
CN1781099A (zh) Automatic configuration of client terminals in public hotspots
CN101969413A (zh) A home gateway
EP3286658A1 (fr) Internet security and management device
US20040243707A1 (en) Computer firewall system and method
TW200837603A (en) Virtual firewall
US20200162326A1 (en) Methods and systems for dhcp policy management
WO2010033129A1 (fr) Method, apparatus and software for a multi-phase packet filter for internet access
US9912697B2 (en) Virtual private network based parental control service
US20150074775A1 (en) System and Method To Enhance Personal Server Security Using Personal Server Owner's Location Data
WO2015025373A1 (fr) OA apparatus suitable for providing a management security service, and method for providing a security service using said OA apparatus
Cisco Operating the System
Cisco Setting Up the Cisco Secure ACS HTML Interface
EP2078382B1 (fr) Administration portal
Herzog et al. Security issues in e-home network and software infrastructures
Ahir DIPLOMA THESIS ASSIGNMENT
Rudolf et al. SECURE WAN COMMUNICATION FOR TELEWORKERS. A CASE STUDY.
Hammel Running remote applications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08823172; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08823172; Country of ref document: EP; Kind code of ref document: A1)