Networked computers are significant targets of opportunity for recreational and malicious hackers, viruses, worms, scripted attacks, and the like. Attacks and attackers go by different names and vary in sophistication, but in almost all cases a successful attack gains access to a computer through its network interface. This is particularly true when the network interface is coupled to the Internet. Computers supporting the Internet Protocol (IP), and other IP network nodes, are identified by their IP address, and each address supports tens of thousands of logical ports (65,535 each for TCP and UDP). To help manage the security of the network interface, a firewall may be employed to process data arriving for individual ports. Some ports, such as port 80, commonly used for the HTTP protocol, may be assigned or opened to allow traffic to pass through to a corresponding service, for example one running on a web server that handles HTTP traffic. The firewall may close all other ports to prevent outside traffic from reaching devices on the internal network.
Internet Protocol Security (IPsec) allows the remote user or machine to be authenticated and is an additional mechanism for securing Internet traffic. A firewall may be programmed to require IPsec on incoming connections. However, maintaining accurate connection information in a firewall can become tedious and error-prone. Detailed configuration knowledge may be required, and the highest levels of protection may require frequent changes to the settings. For example, broad application-level exceptions may be authorized because it is too difficult or time-consuming to program a narrower, more appropriate exception. Furthermore, because such elaborate settings are difficult to configure, firewall configuration is generally static: exceptions are configured once and left unaltered thereafter. This decreases the security of the machine, because the firewall configuration no longer represents the precise security requirements of the machine at a given moment but instead represents the least restrictive superset of the needed configuration at all times.
Instead of manually entering an allowed IP address or a list of remote users to set a firewall exception, an invitation mechanism may be programmed to extract data about a connection invitation sent to an outside party and to program the firewall exception accordingly. The exception may be specific to the particular connection invitation and, optionally, of limited duration. The invitation mechanism may be associated with an application, for example an instant messaging program or a game. Alternatively, the invitation mechanism may be part of an operating system, callable by an application or trapped by the OS itself. The firewall may receive an application handle and an identifier for the outside party, such as cryptographic material. The cryptographic material may be a public key. The identifier for the outside party may be a handle, or pointer, to the public key or an equivalent, such as a certificate. The exception may be timed according to the type of application or invitation. For example, an exception for an e-mail-based invitation may be available for a period of hours, whereas an IP-based invitation for a game may be available for a minute or less. By making the cryptographic material (e.g. the public key) available for an IPsec connection, the firewall can process the connection without interrupting the application, user, or OS.
Although the following text sets forth a detailed description of numerous different embodiments, it should be understood that the legal scope of the description is defined by the words of the claims set forth at the end of this disclosure. The detailed description is to be construed as exemplary only and does not describe every possible embodiment since describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims.
It should also be understood that, unless a term is expressly defined in this patent using the sentence “As used herein, the term ‘______’ is hereby defined to mean . . . ” or a similar sentence, there is no intent to limit the meaning of that term, either expressly or by implication, beyond its plain or ordinary meaning, and such term should not be interpreted to be limited in scope based on any statement made in any section of this patent (other than the language of the claims). To the extent that any term recited in the claims at the end of this patent is referred to in this patent in a manner consistent with a single meaning, that is done for sake of clarity only so as to not confuse the reader, and it is not intended that such claim term be limited, by implication or otherwise, to that single meaning. Finally, unless a claim element is defined by reciting the word “means” and a function without the recital of any structure, it is not intended that the scope of any claim element be interpreted based on the application of 35 U.S.C. §112, sixth paragraph.
Much of the inventive functionality and many of the inventive principles are best implemented with or in software programs or instructions and integrated circuits (ICs) such as application specific ICs. It is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs and ICs with minimal experimentation. Therefore, in the interest of brevity and minimization of any risk of obscuring the principles and concepts in accordance to the present invention, further discussion of such software and ICs, if any, will be limited to the essentials with respect to the principles and concepts of the preferred embodiments.
The computer 110 typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed by computer 110 and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computer 110. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help to transfer information between elements within computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120. By way of example, and not limitation,
The computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only,
The drives and their associated computer storage media discussed above and illustrated in
The computer 110 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 180. The remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 110, although only a memory storage device 181 has been illustrated in
When used in a LAN networking environment, the computer 110 is connected to the LAN 171 through a network interface or adapter 170. When used in a WAN networking environment, the computer 110 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet. The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160, or other appropriate mechanism. In a networked environment, program modules depicted relative to the computer 110, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation,
In
The firewall 300 may support bidirectional data traffic with an external endpoint 303 on the external network 302 via a network interface 310. The network interface 310 may support a series of logical ports as used by the standard Internet Protocol (IP). Some logical ports have standard uses assigned by IANA; for example, port 80 (312) is often used for Hypertext Transfer Protocol (HTTP) data, while port 443 (314) is commonly used for HTTP Secure (HTTPS) data. Other logical ports may be used for unregistered protocols, such as instant messaging (IM) or games. Logical port 200 (316) is an exemplary logical port.
A traffic manager 318 may couple the internal port 308 and the network interface 310. The traffic manager 318 may be primarily operable to manage traffic from the network 302 inbound to one or more of the internal endpoints 304, 306. A goal of the traffic manager 318 and the traffic management process is to protect internal endpoints, such as internal endpoints 304 and 306, from malicious attacks or other detrimental access through the application of filtering rules. For example, the traffic manager may pass traffic on open logical ports, such as logical port 80 (312), and may block traffic on closed logical ports, such as logical port 200 (316).
A port may be opened on an exception basis; for example, the traffic manager 318 may be instructed to pass data traffic directed to a particular endpoint, such as endpoint 304, which may represent, in one embodiment, a game or IM client. The exception may be authorized only for that application, and only for a length of time. Application exceptions may be manually programmed via a management interface to the firewall. However, such programming typically requires detailed knowledge of the firewall 300 and of the characteristics of the endpoint in question. After use, the exception may need to be manually removed at the end of the exception period, as most current firewalls have no intrinsic support for temporary exceptions. The end result may be that exceptions that would benefit a user are not programmed for lack of knowledge or time. Alternatively, and perhaps more dangerously, exceptions may be opened for more logical ports than necessary, those ports may be opened to more remote endpoints than needed, or the exceptions may be applied for an indefinite period of time, creating a hazard from malicious traffic.
Many peer-to-peer network applications are capable of sending invitations to outside entities, for example another game player. The invitation may carry specific information about the endpoint extending the invitation and will also carry certain information about the outside entity. Such information may include an endpoint address, port information and, in some cases, public key information that may have been received out-of-band, for example via e-mail or IM or from a central trusted server. In some embodiments, a handle, or pointer, to the public key infrastructure data may be passed instead of the actual key or certificate. Furthermore, such a handle may be indirect, as when a handle to a contact-information data structure is passed and that structure in turn holds a handle to the actual cryptographic data. Whether direct or indirect, an authenticable identifier of the endpoint may be required for establishing an authenticated and secure connection. The authenticable identifier may be a peer name registered in the group, a verifiable pathname, an endpoint authenticated by a trusted third party such as a server or server process, or another entity for which trust has been established, for example by exchanging data out-of-band.
An invitation manager 320 may reside inside the firewall 300. In other embodiments, described below, the invitation manager function may be separate from the firewall 300. The invitation manager 320 may support forming, sending, and tracking invitations to peer-to-peer network participants. The invitation manager may serve as a subsystem and present an application program interface (API) allowing internal endpoints, such as internal endpoints 304 and 306, to pass data about an external peer-to-peer network participant and the type of connection desired. The invitation manager 320 may then formulate the request and forward the necessary invitation. For example, when an IPsec connection is required by the internal endpoint, a public key or a nonce may be forwarded to the external peer-to-peer network participant for use in connecting back to the firewall. When no IPsec connection is required, such extra data need not be sent. The invitation manager may also gather information from the invitation and modify the settings in the traffic manager 318 to correspond to the invitation details. This information may be gathered both from the contents of the invitation and from information about the invitation's intended destination, such as the public key data for the destination.
Data in an invitation to an external endpoint, such as external endpoint 303 offered by an internal endpoint, for example, internal endpoint 304, may be extracted, evaluated, and used to signal the traffic manager 318 to open an exception corresponding to the invitation. For example, an exception on a specific port can be opened for a two minute window for incoming traffic from the specified external endpoint 303 destined for the internal endpoint 304. In addition, when the invitation has the required cryptographic material, such as a public key or a handle pointing to a public key infrastructure (PKI) certificate containing the public key, the exception can be further limited to require an IPsec connection from the specific remote entity before allowing traffic on the designated logical port.
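The enforcement side of the mechanism described above, as an added example that is not code from the patent or from any firewall product: a small traffic manager that derives a time-limited, endpoint-specific exception from an invitation and checks inbound packets against it. The invitation format (a dict with `app`, `remote_addr`, `local_port` and optional `peer_key`), the per-application window lengths, and the use of a SHA-256 fingerprint of the key material as the IPsec peer identity are all assumptions of the example, not details given in the text.

```python
"""Added example (not the patent's code): a minimal traffic manager that
derives a time-limited, endpoint-specific exception from a connection
invitation and evaluates inbound packets against it.

Assumptions: an invitation is a dict with 'app', 'remote_addr', 'local_port'
and optional 'peer_key' (bytes standing in for the public key or certificate
carried in the invitation); the identity the IPsec peer presents to the
firewall is modelled as the SHA-256 fingerprint of that key material."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Exception lifetimes by application type: the section suggests about a
# minute for a game and hours for e-mail.  The exact numbers are assumptions.
WINDOW_SECONDS = {"game": 60, "im": 120, "email": 4 * 3600}


def key_fingerprint(key_material: bytes) -> str:
    """Identity the firewall requires the IPsec peer to present (assumed to
    be the SHA-256 fingerprint of the public key from the invitation)."""
    return hashlib.sha256(key_material).hexdigest()


@dataclass
class FirewallException:
    remote_addr: str            # only this external endpoint may use the port
    local_port: int
    not_before: float
    not_after: float            # window end; the exception is dropped afterwards
    require_ipsec: bool = False
    peer_fingerprint: Optional[str] = None


@dataclass
class Packet:
    src_addr: str
    dst_port: int
    time: float
    ipsec_peer: Optional[str] = None   # peer identity on the IPsec SA, if any


class TrafficManager:
    """Port filter with statically open ports plus timed exceptions."""

    def __init__(self, open_ports=(80, 443)):
        self.open_ports = set(open_ports)
        self.exceptions: List[FirewallException] = []

    def add_exception(self, exc: FirewallException) -> None:
        self.exceptions.append(exc)

    def expire(self, now: float) -> None:
        """Remove exceptions whose window has closed: the intrinsic support
        for temporary exceptions the text says most firewalls lack."""
        self.exceptions = [e for e in self.exceptions if e.not_after >= now]

    def allows(self, pkt: Packet) -> bool:
        if pkt.dst_port in self.open_ports:
            return True
        for e in self.exceptions:
            if (e.remote_addr, e.local_port) != (pkt.src_addr, pkt.dst_port):
                continue
            if not (e.not_before <= pkt.time <= e.not_after):
                continue
            if e.require_ipsec and pkt.ipsec_peer != e.peer_fingerprint:
                continue   # right host and port, but not the authenticated peer
            return True
        return False


def exception_from_invitation(invitation: dict, sent_at: float) -> FirewallException:
    """Extract endpoint, port and key material from the invitation and build
    the corresponding exception (the invitation manager's job)."""
    key = invitation.get("peer_key")
    return FirewallException(
        remote_addr=invitation["remote_addr"],
        local_port=invitation["local_port"],
        not_before=sent_at,
        not_after=sent_at + WINDOW_SECONDS.get(invitation["app"], 60),
        require_ipsec=key is not None,
        peer_fingerprint=key_fingerprint(key) if key is not None else None,
    )


def demo() -> dict:
    # Constructed sample data; the key bytes are a placeholder, not a real key.
    peer_key = b"constructed-public-key-of-203.0.113.7"
    invitation = {"app": "game", "remote_addr": "203.0.113.7",
                  "local_port": 200, "peer_key": peer_key}
    tm = TrafficManager()
    tm.add_exception(exception_from_invitation(invitation, sent_at=1000.0))
    fp = key_fingerprint(peer_key)
    results = {
        "invited_peer_with_ipsec": tm.allows(Packet("203.0.113.7", 200, 1010.0, fp)),
        "invited_peer_no_ipsec": tm.allows(Packet("203.0.113.7", 200, 1010.0)),
        "other_host_same_port": tm.allows(Packet("198.51.100.9", 200, 1010.0, fp)),
        "after_window": tm.allows(Packet("203.0.113.7", 200, 1061.0, fp)),
        "static_http": tm.allows(Packet("198.51.100.9", 80, 1010.0)),
    }
    tm.expire(now=1061.0)
    results["exceptions_left"] = len(tm.exceptions)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is that the exception is keyed on four things at once: the invited address, the single port, the time window, and (when the invitation carried key material) the authenticated IPsec peer. Traffic that matches only three of them is still dropped, which is what distinguishes an invitation-derived exception from the broad, static application exception the text warns about.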
The PeerCollabInviteEndpoint function, shown below, shows an exemplary invitation to join a peer-to-peer group. Invitations may be represented as Unicode strings. Additional information and details about peer-to-peer network group formation and management are freely available on the Internet and are well known to those practicing in the art.
The PeerCollabInviteEndpoint function sends an invitation to a specified peer endpoint to join the sender's Peer Collaboration activity. This call is synchronous and, if successful, obtains a response from the peer endpoint.
Parameters
pcEndpoint
This parameter must not be set to NULL.
pcInvitationRequest
ppResponse
The PEER_ENDPOINT structure contains the address and friendly name of a peer endpoint.
Members:
address: PEER_ADDRESS structure that contains the IPv6 network address of the endpoint.
pwzEndpointName: Zero-terminated Unicode string that contains the specific displayable name of the endpoint.
Remarks
A peer “endpoint” describes a contact's presence location—the unique network address configuration that describes the currently available instance of the contact within the peer collaboration network. A single contact can be available at multiple endpoints within the peer collaboration network.
A peer watching a contact can query any of the endpoints associated with that contact for specific peer presence, application, or object updates.
The PEER_INVITATION_REQUEST structure contains a request to initiate or join a peer collaboration activity.
Members
applicationId
applicationData
pwzMessage
The PEER_INVITATION_RESPONSE structure contains a response to an invitation to join a peer collaboration activity.
Members
action: PEER_INVITATION_RESPONSE_TYPE enumeration value that specifies the action the peer takes in response to the invitation.
pwzMessage: Set to NULL. This member is written exclusively by the Peer Collaboration Infrastructure.
hrExtendedInfo: Reserved.
In one embodiment, at block 506, information extracted from the invitation may be compared to a list of known endpoint machines, users, groups of users or applications, henceforth referred to as entities or network endpoints. The list may be an allow list, that is, a list of entities that are to be allowed to connect. Other criteria may also apply, such as a limited-duration exception window, a requirement that the remote entity be authenticated, or a requirement that the connection be encrypted. In another exemplary embodiment, the list may be a disallow list, signifying entities for which connections are never allowed. In some cases, both lists may exist and be checked before determining the setting for the firewall 300; in such cases the disallow list would likely take precedence, and the allow list may include special conditions for allowing connections to the designated network endpoints. The lists may be maintained at the invitation manager 320 or 424, but may also be maintained in the listener 422 or even in the traffic manager 318 or 418. The lists may be maintained by a network administrator or, in less formal cases, by a parent wishing to exercise control over the instant messaging or gaming activities of a child. In most cases, the allow and disallow lists are modifiable only by the administrator of the system, be that the network administrator or the parent.
When the information has been extracted from the invitation, and any comparisons to the allow or disallow lists have been made, a setting for the firewall may be determined at block 508. To establish the setting, a determination at block 510 may be made based on the information generated at block 508. When the determination is to deny access, the ‘deny’ branch from block 510 may be followed to block 512, where a setting is made in the traffic manager 318 or 418 to deny access from the identified external endpoint, identified by an IP address, a peer name, or cryptographic credentials. When the determination is to allow access without requiring an authenticated and secure connection, the ‘no cryptographic matter’ branch from block 510 may be followed to block 514, and the traffic manager 318 or 418 may be set to open a general application exception allowing traffic from external endpoints.
An example of an authenticated and secure connection is an IPsec connection. Authentication is the process of establishing the identity of the other party, often through the use of public key infrastructure credentials. Securing the connection includes deriving session keys used by both parties to encrypt and integrity-protect traffic, helping to ensure that messages arrive untampered and cannot be read by external parties monitoring the message traffic.
Additionally, based on the application itself, a valid period of time may be set during which the external endpoint may attempt to connect. As mentioned above, a game or IM connection invitation may be valid for a fairly short period, for example one minute. An e-mail-based invitation may be valid for a longer period, such as several hours.
When it is determined that enough information is present to support an IPsec connection, or if a general setting or an allow list entry requires an IPsec connection, the ‘Require IPsec’ branch from block 510 may be followed to block 516. At block 516, an exception may be programmed for a specific external endpoint, and the cryptographic matter required to establish the IPsec connection, for example a public key or a handle to one, may be forwarded to the traffic manager 318 or 418.
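The decision flow of blocks 506 through 516 (list comparison, then the deny, general-exception, or require-IPsec branches) written out as one function, as an added example that is not the patent's code. The invitation and list formats, the rule that an entity absent from an existing allow list is denied, and the per-application window lengths are assumptions of the example; the text itself leaves them open.

```python
"""Added example (not the patent's code): the decision flow of blocks 506
to 516 as a single function.

Assumptions: an invitation is a dict with 'remote' (address or peer name),
'port', 'app' and optional 'peer_key'; the allow list maps a remote to a
dict of conditions ('require_ipsec', 'window'); the disallow list is a set;
when an allow list exists, remotes absent from it are denied."""
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = {"game": 60, "im": 120, "email": 4 * 3600}   # assumed lifetimes


@dataclass(frozen=True)
class Setting:
    action: str                       # 'deny', 'allow' or 'require_ipsec'
    app: str
    remote: Optional[str] = None      # external endpoint the rule is keyed to
    port: Optional[int] = None
    expires_in: Optional[int] = None  # seconds the exception stays open
    peer_key: Optional[bytes] = None  # material forwarded to the traffic manager


class Policy:
    def __init__(self, allow=None, disallow=(), require_ipsec_by_default=False):
        self.allow = dict(allow) if allow is not None else None
        self.disallow = set(disallow)
        self.require_ipsec_by_default = require_ipsec_by_default

    def decide(self, inv: dict) -> Setting:
        remote, app, port = inv["remote"], inv["app"], inv["port"]
        key = inv.get("peer_key")
        # Block 506: the disallow list is checked first and wins outright.
        if remote in self.disallow:
            return Setting("deny", app, remote)
        conditions = {}
        if self.allow is not None:
            if remote not in self.allow:
                return Setting("deny", app, remote)
            conditions = self.allow[remote]
        window = conditions.get("window", WINDOW_SECONDS.get(app, 60))
        # Block 510: IPsec is required when the invitation carries key material,
        # when the general setting demands it, or when the allow entry does.
        needs_ipsec = (key is not None or self.require_ipsec_by_default
                       or conditions.get("require_ipsec", False))
        if needs_ipsec:
            if key is None:
                # Required but nothing to authenticate the peer with: do not open.
                return Setting("deny", app, remote)
            # Block 516: endpoint-specific exception plus the key material.
            return Setting("require_ipsec", app, remote, port, window, key)
        # Block 514: general application exception, not tied to one endpoint.
        return Setting("allow", app, None, port, window)


def demo() -> dict:
    # Constructed lists and invitations; the key bytes are a placeholder.
    policy = Policy(allow={"alice-peer": {}, "bob-peer": {"require_ipsec": True}},
                    disallow={"mallory-peer"})
    key = b"constructed-public-key"
    cases = {
        "banned":         {"remote": "mallory-peer", "port": 200, "app": "game", "peer_key": key},
        "unlisted":       {"remote": "eve-peer", "port": 200, "app": "game"},
        "plain_game":     {"remote": "alice-peer", "port": 200, "app": "game"},
        "email_with_key": {"remote": "alice-peer", "port": 200, "app": "email", "peer_key": key},
        "bob_no_key":     {"remote": "bob-peer", "port": 200, "app": "im"},
        "bob_with_key":   {"remote": "bob-peer", "port": 200, "app": "im", "peer_key": key},
    }
    return {name: policy.decide(inv) for name, inv in cases.items()}


if __name__ == "__main__":
    for name, setting in demo().items():
        print(f"{name}: {setting}")
```

The `bob_no_key` case is the one worth checking in any real implementation: when a list entry or the general setting demands IPsec but the invitation carries no key material, the safe outcome is to open nothing rather than fall back to the general application exception of block 514.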
As peer-to-peer networking becomes more pervasive the need to control such connections will become more critical for both successful peer-to-peer connections and the security of endpoints participating on those connections. As such, the ability to monitor and appropriately react to invitations sent to external endpoints will have a significant and positive impact on the spread of peer-to-peer networking from a novelty for file sharing to a tool supporting all aspects of personal, enterprise, and academic computing.
Although the foregoing text sets forth a detailed description of numerous different embodiments of the invention, it should be understood that the scope of the invention is defined by the words of the claims set forth at the end of this patent. The detailed description is to be construed as exemplary only and does not describe every possible embodiment of the invention because describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims defining the invention.
Thus, many modifications and variations may be made in the techniques and structures described and illustrated herein without departing from the spirit and scope of the present invention. Accordingly, it should be understood that the methods and apparatus described herein are illustrative only and are not limiting upon the scope of the invention.
Number | Date | Country
---|---|---
20070250922 A1 | Oct 2007 | US