Patent Grant
7409482
This invention relates to a computer and a method of controlling network access to or from the computer.
Most computers, such as desktop computers and mobile devices, need to periodically access a network, such as a wide area network (WAN), e.g., the Internet, a local area network (LAN) or other network. Typically, these computers are constantly connected to the network while they are being used. This is particularly true for desktop systems that are hardwired to the network. Mobile devices need to be in the proximity of a wireless access point in order to gain network access. Such wireless access points are becoming increasingly pervasive due to so-called wireless “hot spots” that are springing up in many places, e.g., airports, train stations, cafés, office buildings, homes, etc. Other devices that may connect to wireless access points include sensors, actuators and vending machines.
Computers that are almost constantly network connected have two drawbacks. First, energy is wasted in the network interface card (NIC) whenever the user is not using it. This is a particular concern in mobile devices, such as cellphones and PDAs, and wirelessly connected devices in general, such as sensors. In these devices, the wireless NIC accounts for a significant fraction of the total power budget and therefore may significantly reduce the battery life. Second, a computer that is connected to a network can potentially be attacked from another computer connected to the network. The most likely attack is from network worms, which spread rapidly from one computer to another computer and which are persistent in their attempt to spread. Typically, these worms send short packets (about 1 kBytes) to random network addresses. If a destination computer is connected to the network and its network address matches the address of the worm packet, then the destination computer is likely to become infected if it allows the worm packet to access its network port. The longer a user computer is on the network, the more susceptible it is to such attacks. Also, users often leave their office and home computers running and permanently network connected while they are at home and at work, respectively. Examples of recent network worms include Welchia, Blaster, Slammer and CodeRedll. The Welchia or Blaster worms get into a computer's system, through an RPC call to port 135, where it exploits a bug in a distributed component object model (DCOM). Slammer uses unreliable delivery protocol (UDP) and exploits a weakness in the simple query language (SQL) server. CodeRedll takes advantage of a buffer overflow bug in an Indexing Server.
To get an idea of how much time a client computer station is effectively using the network interface card (NIC) during an 8 hour work day, assume a user accesses 200 webpages and that a typical webpage contains about 250 kBytes (“k” designating 1000, not 1024) of information. Assume further the user replicates 50 email messages, each having a 500 kBytes attachment. The amount of transmitted data is typically much smaller and will be ignored here. Finally, assume the computer is equipped with a wireless NIC, such as a NIC conforming to the 802.11b IEEE standard, which has a maximum effective throughput of about 500 kBytes/s under low contention conditions. Typical download speeds, however, from the Internet and from email servers are commonly much slower, for example, about 50 kBytes/s. Thus, the total time the NIC is engaged with receiving and waiting for data may be calculated as (200[pages]×250[kBytes/page]+50[emails]×500[kBytes/email])/50[kBytes/s]=1,500 seconds or about 5% of an 8 hour work day. A wireless NIC conforming to 802.11g may have a throughput that is 5 times faster than 802.11b NIC. Correspondingly even less than 5% time is spent accessing the network. It may, therefore, be concluded that the amount of time a computer actually spends effectively using the network is quite small compared to the total time the computer is in use. When this is coupled with the observation that network accesses are highly bursty in nature, it is clear that there exist long periods of time during which a computer's NIC can be turned off, thus offering both protection from network attacks and reduced energy consumption.
Thus, there is a need for throttling a computer's access to the network 1) to reduce the window of opportunity for being attacked by another network connected computer, 2) to reduce the rate with which a virus spreads across networks, and 3) to increase the battery life in mobile devices. A present day solution to this problem is that the user manually disables the network interface when it is not needed. This solution, however, suffers from requiring the user's involvement, and is cumbersome.
The present invention shrinks the window of opportunity for a network attack and reduces power consumption by automatically disabling the network interface when it is not needed. Our invention also automatically enables the network interface when the user/system needs access to the network. More specifically, a Network Interface Card (NIC) is automatically disabled when it is deemed no longer needed, such as after a time period of no network activity. In turn, when the user, or the system, needs access to the network, the NIC is automatically re-enabled. In this fashion, the NIC is power managed in much the same way that the display and the hard-drive are managed. Furthermore, the user or IT organization can select a policy that will determine which applications, or processes, are permitted to enable/disable the NIC, what their associated timeout values are, and under what conditions these applications, or processes, may or may not access the network. Networking can be completely shut off if no networking applications are open. The NIC can be either a wired or a wireless interface. There can also be more than one NIC and there can be a mix of wired and wireless NICs.
In a method embodiment of the present invention, access between a computer and a network is controlled. Network requests associated with at least one task running on the computer are detected. In response to a detected network request, the task is enabled to access the network if network access for the task is currently disabled. In response to a lack of recent activity associated with the task on the network, at least one device on the network is prevented from accessing at least one port which is currently open on the computer.
In another embodiment of the method of the present invention, the step of preventing prevents access to all ports of the computer.
In another embodiment of the method of the present invention, the step of preventing access to all ports comprises at least one step selected from the group consisting of: closing all ports on the computer, making a network address of the computer invisible from the network, stopping a DHCP service running on the computer, and disabling at least one NIC associated with the computer.
In another embodiment of the method of the present invention, the step of enabling the task to access the network comprises at least one step selected from the group consisting of: enabling a port on the computer, making a network address of the computer invisible from the network, starting a DHCP service, and enabling a NIC associated with the computer.
In another embodiment of the method of the present invention, a further step determines if the task may access the network and if yes performing the enabling step.
In another embodiment of the method of the present invention, a further step determines if a timeout period has elapsed during which the network has been free of activity associated with the task, and if the timeout period has elapsed, performing the step of preventing.
In another embodiment of the method of the present invention, the network requests are inbound or outbound from the other devices or the task, respectively.
In another embodiment of the method of the present invention, the task is one of a plurality of tasks that run on the computer. A further step filters the requests based on a connectivity policy that allows only requests from selected ones of the tasks to be an input to the enabling step.
In another embodiment of the method of the present invention, the selected tasks are established by one of the group consisting of: a user; automatically; and a combination thereof.
In another embodiment of the method of the present invention, the preventing step is also performed in response to none of the selected tasks currently running on the computer.
In another embodiment of the method of the present invention, further steps comprise enabling access to the network for brief instants without regard to the network requests and querying at least one server connected to the network to determine if attempts have been made to access the computer.
In another embodiment of the method of the present invention, the enabling access to the network for brief instants and querying steps are initiated periodically and/or in response to a request from one of the tasks.
In another embodiment of the method of the present invention, the enabling and preventing steps throttle access of the computer to the network so as to shrink windows of opportunity for the computer to be attacked by other devices connected to the network.
In another embodiment of the method of the present invention, the access between the computer and the network is throttled during a session of the computer with a network server in a DMZ zone so that such access is enabled for a service offered by the network server during the session and is disabled by the preventing step.
In a computer embodiment of the present invention, the computer is operable to control access between the computer and a network. The computer comprises a processor, at least one task that run on the computer and an application that runs on the computer. The application causes the processor to perform the operations of:
In another computer embodiment of the present invention, the operation of preventing prevents access to all ports of the computer.
In another computer embodiment of the present invention, the operation of preventing access to all ports comprises at least one operation selected from the group consisting of: closing all ports on the computer, making a network address of the computer invisible from the network, stopping a DHCP service running on the computer, and disabling at least one NIC associated with the computer.
In another computer embodiment of the present invention, the operation of enabling the task to access the network comprises at least one operation selected from the group consisting of: enabling a port on the computer, making a network address of the computer invisible from the network, starting a DHCP service, and enabling a NIC associated with the computer.
In another computer embodiment of the present invention, the application further causes the processor to perform the operation of determining if the task may access the network and if yes performing the enabling operation.
In another computer embodiment of the present invention, the application further causes the processor to perform the operation of determining if a timeout period has elapsed during which the network has been free of activity associated with the task, and if the timeout period has elapsed, performing the operation of preventing.
In another computer embodiment of the present invention, the network requests are inbound or outbound from the other devices or the task, respectively.
In another computer embodiment of the present invention, the task is one of a plurality of tasks that run on the computer, and wherein the application further causes the processor to perform the operation of filtering the requests based on a connectivity policy that allows only outbound requests from selected ones of the tasks to be an input to the enabling operation.
In another computer embodiment of the present invention, the selected tasks are established by one of the group consisting of: a user; automatically; and a combination thereof.
In another computer embodiment of the present invention, the preventing operation is also performed in response to none of the selected tasks currently running on the computer.
In another computer embodiment of the present invention, the application further causes the processor to perform the operations of enabling access to the network for brief instants without regard to the network requests and querying at least one server connected to the network to determine if attempts have been made to access the computer.
In another computer embodiment of the present invention, the enabling access to the network for brief instants and querying operations are initiated periodically and/or in response to a request from one of the tasks.
In another computer embodiment of the present invention, the enabling and preventing operations throttle access of the computer to the network so as to shrink windows of opportunity for the computer to be attacked by other devices connected to the network.
In another computer embodiment of the present invention, the access between the computer and the network is throttled during a session of the computer with a network server in a DMZ zone so that such access is enabled for a service offered by the network server during the session and is disabled by the preventing step.
In a memory media of the present invention, the memory media controls a computer to control access between the computer and a network. The computer comprises a processor. The memory media stores a program that comprises instructions that control the computer to perform the operations of:
In another memory media embodiment of the present invention, the operation of preventing prevents access to all ports of the computer.
In another memory media embodiment of the present invention, the operation of preventing access to all ports comprises at least one operation selected from the group consisting of: closing all ports on the computer, making a network address of the computer invisible from the network, stopping a DHCP service running on the computer, and disabling at least one NIC associated with the computer.
In another memory media embodiment of the present invention, the operation of enabling the task to access the network comprises at least one operation selected from the group consisting of: enabling a port on the computer, making a network address of the computer invisible from the network, starting a DHCP service, and enabling a NIC associated with the computer.
In another memory media embodiment of the present invention, the application further causes the processor to perform the operation of determining if the task may access the network and if yes performing the enabling operation.
In another memory media embodiment of the present invention, the application further causes the processor to perform the operation of determining if a timeout period has elapsed during which the network has been free of activity associated with the task. If the timeout period has elapsed, the operation of preventing is performed.
In another memory media embodiment of the present invention, the network requests are inbound or outbound from the other devices or the task, respectively.
In another memory media embodiment of the present invention, the task is one of a plurality of tasks that run on the computer, and wherein the application further causes the processor to perform the operation of filtering the requests based on a connectivity policy that allows only requests from selected ones of the tasks to be an input to the enabling operation.
In another memory media embodiment of the present invention, the selected tasks are established by one of the group consisting of: a user; automatically; and a combination thereof.
In another memory media embodiment of the present invention, the preventing operation is also performed in response to none of the selected tasks currently running on the computer.
In another memory media embodiment of the present invention, the application further causes the processor to perform the operations of enabling access to the network for brief instants without regard to the network requests and querying at least one server connected to the network to determine if attempts have been made to access the computer.
In another memory media embodiment of the present invention, the enabling access to the network for brief instants and querying operations are initiated periodically and/or in response to a request from one of the tasks.
In another memory media embodiment of the present invention, the enabling and preventing operations throttle access of the computer to the network so as to shrink windows of opportunity for the computer to be attacked by other devices connected to the network.
In another memory media embodiment of the present invention, the access between the computer and the network is throttled during a session of the computer with a network server in a DMZ zone so that such access is enabled for a service offered by the network server during the session and is disabled by the preventing step.
Other and further objects, advantages and features of the present invention will be understood by reference to the following specification in conjunction with the accompanying drawings, in which like reference characters denote like elements of structure and:
Referring to
Network 108 may be any one, or multiples, of a wired or a wireless communication network, or it could be a combination of wired and wireless networks. Typically, the computers and servers in
Computers 102 and 104 may be any suitable computer such as a large computer or a small computer, such as a personal computer, a notebook computer, a desktop computer, any work station, a mobile device (e.g., a personal digital assistant, a cell phone, a pager and the like), any device with computing capability (e.g., a sensor, an actuator, a vending machine, a control system and the like) or any combination thereof. The term “computer”, as used herein, means any of the foregoing. Computers 102 and 104 may have wired or wireless links to network 108.
Computer 102 is a preferred embodiment of the present invention that contains software for on-demand network access control. Computer 102 includes a processor 110, a network interface card (NIC) 112 and a memory 114 that are interconnected via a bus 116. Memory 114 includes data 118 and software 120. NIC 112 is connected to network 108.
Referring to
ODNAC module 204 includes a connectivity policy 226 that determines which applications are allowed to affect the state of NIC 112 and what their corresponding timeout periods are (control specifications). ODNAC module 204 controls NIC 112 based on connectivity policy 226 to enable and disable the access computer 102 to network 108 to minimize the window-of-opportunity for a network attack and to optimize power savings. Connectivity policy 226 can be set by a user, software 120 or an information technology (IT) organization that will lock the user's preference based on IT policy. ODNAC module 204 uses connectivity policy 226 to control the throttling of NIC 112. This control is sometimes referred to herein as “on-demand network access control” (ODNAC).
In this description, a number of software terms that are used herein are defined as follows:
Still referring to
Periodically, e.g., every second, ODNAC manager 222 queries NCM module 212 for the status of wireless NIC 112, wireless NIC driver 214 and of the network mode. Every time the status of either wireless interface driver 214 or the network mode changes, ODNAC application 222 makes a note of this and informs ODNAC filter driver 220. In this way, ODNAC filter driver 220 is notified if wireless interface driver 214 is on so that ODNAC filter driver 220 can instantly forward requests to TCP/UDP driver 224 so as to eliminate any unnecessary delays of network traffic. In a more optimal solution, NCM module 212 would be configured to asynchronously alert ODNAC application 222 or ODNAC filter driver 220 of status changes in wireless interface driver 214 and in the network mode.
In operating system 202 there are many processes that are able to initiate network requests. In the preferred embodiment, a primary concern is enabling the application-related processes to control the state of wireless interface driver 214. Therefore, as part of configuring ODNAC module 204, the user indicates the name of those processes that are allowed to control the state of wireless interface driver 214. The indicated process (or application) names are stored in connectivity policy 226. The user designated processes contained in connectivity policy 226 are considered valid processes. When ODNAC module 204 is first launched, it interacts with operating system 202 to resolve the list of process names with their associated process identification (PID) numbers.
Referring to
At step 305, it is determined which PID the request is associated with as this information is readily available from operating system 202. Next in step 307, the network port the request is using is logged and mapped with the PID in a PID vs port mapping table (not shown). This information will be used when handling inbound requests in
There may be tasks that a user does not want to be able to affect the state of NIC 112. One very important example of this is a virus. Typically, when a virus executes, the OS 202 assigns a PID to the virus process. But since the name of the virus, in most cases, will not be listed in the connectivity policy 226, the virus will not be able to affect the state of the NIC 112. Thus, a virus can not prevent NIC 112 from getting disconnected. Also, the virus cannot cause a disconnected NIC 112 to be turned on.
Another example is a DHCP (dynamic host control protocol) client service, which is responsible for obtaining and maintaining the IP network address. The DHCP service may renew the IP address at small intervals, say every five minutes. In principle, this action may prevent NIC 112 from ever getting disconnected. This protocol may attempt to access network 108 even after NIC 112 has been disconnected, which would cause NIC 112 to become re-enabled soon after it is disconnected.
Yet another example of a task that should not affect the state of NIC 112 is with respect to applications that are either scheduled to look for updates on network 108 or that automatically look for updates whenever they are launched. This is becoming quite commonplace for applications, e.g., media players, photo applications, software installers, and for operating system 202. The problem is that, say a media player, is launched to play an mpeg movie. Typically, the user is unaware that this application may also automatically perform a network query for updates and offers. Thus, typically, a user would not want such an application to affect the state of NIC 112 since the user only indirectly caused network 108 to be accessed. However, it is important that these applications be given some opportunity to occasionally access network 108. ODNAC module 204 operates to trap a notification that occurs when network timers associated with these applications expire or when the applications are launched. Then when NIC 112 is enabled for other legitimate reasons, callback functions associated with the expired timers are called. Note that the notion of a callback function is well known to anyone skilled in the art of systems programming. If an application is shut down before NIC 112 is enabled, the associated action to call that application's callback function can also be cancelled.
Since a computer becomes disconnected from the network when NIC 112 is disabled, a client computer and any network entities (e.g., a server) with which a computer application has a session must have the capability to handle the lack of connectivity so that the client computer and server are able to seamlessly reconnect when the client computer reconnects to network 108. ODNAC module 204 assumes that client computers and servers have this capability. If a computer application does not have this capability, or if the computer application for other reasons can not operate in a disconnected mode, the computer application can inform ODNAC module 204 to not disconnect the network interface while the application is running.
When NIC 112 is disconnected, other network components can not respond to or connect to the disconnected computer. To enable other network components to communicate with the computer, a daemon process, or task, 230 (
ODNAC module 204 can also throttle services running on servers in a demilitarized zone (DMZ). Typically, a DMZ is a small network of servers inserted as a neutral zone in between a company's private network and the outside public network. It prevents outside users from getting access to computers, such as servers with confidential data, on the private network. Say a client computer station is running an application that requires a service running on a network server located in a DMZ. The security of the computer would then be compromised if the application were allowed to stay connected to the DMZ server because the DMZ server has increased exposure to network attacks and the DMZ server may be able to launch applications on the client computer. Thus, if the DMZ service is allowed to run while the client computer is disconnected from the network, the DMZ server can prepare an attack on the client computer and simply wait until the client computer reconnects to network 108. In this scenario, ODNAC module 204 throttles the session between the client computer and the DMZ server so that the service is disconnected at the same time, or actually just before, the client computer disconnects from the network. Similarly, the DMZ service is re-enabled right after the client computer reconnects to the network.
Although NIC 112 has been shown as a wireless NIC, it will be apparent to those skilled in the art that a wired NIC, such as an Ethernet interface can also be used. Additionally, multiple NICs, which may be either wired or wireless or both, can be used.
It is possible to disconnect the computer from the network in other ways than described above. For example, it may be possible to control the network configuration by erasing the network settings (e.g., the Internet address) and by disabling the DHCP service. To reconnect the computer to the network, the DHCP service is reenabled. The advantage of this is that the wireless interface doesn't have to shut off upon disconnect and it doesn't need to be restarted and synchronize with the access point upon reconnecting to the network, and thus enables for a much faster network reconnect time. This solution does not save power in the NIC.
A similar solution to the previous involves virtualizing the network configuration so that from an external network perspective the computer is invisible and does not respond the external network requests. But internally, the true network configuration is enabled whenever the user needs to access the network, at which point the computer does become visible to the external network. In this fashion, the latency involved in obtaining a new address through DHCP is eliminated.
Yet another way of protecting against network attacks, without actually disconnecting the computer from the network or hiding the network configuration from the external network, is to filter incoming network requests after the IP layer. ICMP packets (used to ping a computer) can then be detected and thrown out so that a network attacker won't know if the computer exists (based on simply ping'ing it.) Secondly, the IP filter could examine the connection state (i.e., port number and IP addresses) of the packet to determine if a local application is currently using the particular connection state. If it is, then the packet is forwarded to the TCP layer. If it is not, then the packet is thrown out. If the packet is indiscriminately forwarded to the TCP layer, it is likely that the TCP layer will respond with an acknowledgement packet to the sender, in which case the sender would know that the computer exists on the network even for an invalid connection state.
The present invention having been thus described with particular reference to the preferred forms thereof, it will be obvious that various changes and modifications may be made therein without departing from the spirit and scope of the present invention as defined in the appended claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5560024 | Harper et al. | Sep 1996 | A |
| 5815732 | Cooper et al. | Sep 1998 | A |
| 5887140 | Itsumi et al. | Mar 1999 | A |
| 5970228 | Nezu | Oct 1999 | A |
| 6230156 | Hussey | May 2001 | B1 |
| 6606163 | Suzuki et al. | Aug 2003 | B1 |
| 6678065 | Hikawa | Jan 2004 | B1 |
| 6735707 | Kapil | May 2004 | B1 |
| 6985886 | Broadbent et al. | Jan 2006 | B1 |
| 6996778 | Rajarajan et al. | Feb 2006 | B2 |
| 20030023774 | Gladstone et al. | Jan 2003 | A1 |
| 20030140251 | Marin et al. | Jul 2003 | A1 |
| 20040042049 | Hulan et al. | Mar 2004 | A1 |
| 20050229018 | De Oliveira Kastrup Pereira et al. | Oct 2005 | A1 |
| Number | Date | Country |
|---|---|---|
| WO 02103498 | Dec 2002 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20060090023 A1 | Apr 2006 | US |
