Method and system for controlling network access

Description

TECHNICAL FIELD OF THE INVENTION

Embodiments of the present invention relate generally to network access control and network protocol control.

BACKGROUND

The communication of data over networks has become an important, if not essential, way for many organizations and individuals to communicate. The Internet is a global network connecting millions of computers in which any computer connected to the Internet can potentially receive data from and send data to any other computer connected to the Internet. The Internet provides a variety of methods with which to communicate data, one of the most ubiquitous of which is the World Wide Web. Other methods for communicating data over the Internet include e-mail, usenet newsgroups, telnet, FTP, audio streams, and video streams.

Users typically access the Internet either through a computer connected to an Internet Service Provider (“ISP”) or computer connected to a local area network (“LAN”) provided by an organization, which is in turn, connected to the ISP. The network service provider provides a point of presence to interface with the Internet backbone. Routers and switches in the backbone direct data traffic between the various ISPs.

As the number of networked devices has increased so, too, has the amount and nature of network traffic. One unfortunate side effect is the evolution of destructive or unauthorized access to the data or operations of networked devices. While the option of simply removing all network access from an abusive or abnormal client remains, business etiquette often predicates the need to constrain a client's access, rather than to remove it. Additionally, when a client device is inadvertently tainted or “infected” by a software virus or worm, the user of the client device may be unaware that the device is abnormally affecting the network. As a result, various methods to detect and limit abnormal or abusive use of network resources or connected devices have resulted in a need to establish a controlled environment in a network in order that abusive or abnormal clients can be constrained.

SUMMARY OF THE INVENTION

Embodiments of the current invention present methods for confining a network client's network access to a specific region of the network.

Embodiments of the present invention allow a service provider to use the network access gateway to constrain a network client's level of network access in a way that can inform the user of the problem and still allow the user access to a limited set of network destinations that may be helpful in resolving the problem (e.g. apply anti-virus software vendors, operating system or security patches, etc.).

Embodiments of the present invention can also be used for other purposes relevant to a network access gateway such as allowing free access to chosen network content, but requiring additional payment or authorization for unrestricted access. An example of this is a public wireless network at a venue that wishes to provide free information about the venue via its own website or affiliated websites, yet requires payment for clients desiring general access to the Internet from the venue.

Embodiments of the present invention may make use of network firewall rule technology, configured to recognize clients by identity or membership in a group. Once classified, traffic from a client can then be subjected to a particular list of access rules, or “walled garden”, by which network access is allowed.

A network access gateway can support any number of these walled gardens and can dynamically move clients in and out of these walled gardens based on any status information it maintains, discovers, or is notified about from an external source.

Embodiments of the present invention may offer the technical advantages of a way to reduce the negative effects of virus and worm infections at remote venues, thus helping to preserve the service levels expected by users and to maintain control of a network. Users can also be notified of computer infections and offered a means to seek resolution without requiring direct support from the service provider. Additionally the present invention may offer a dynamic means of selectively allowing clients limited access to content based on identity or membership in a group.

BRIEF DESCRIPTION OF THE FIGURES

A more complete understanding of the present invention and the advantages thereof may be acquired by referring to the following description, taken in conjunction with the accompanying drawings in which like reference numbers indicate like features and wherein:

FIG. 1 is a diagrammatic representation of an example network in which embodiments of the present invention are employed.

FIG. 2 is an example listing of gateway configuration details that specify per-client behavior, according to one embodiment of the present invention.

DETAILED DESCRIPTION

The following applications are hereby fully incorporated by reference herein in their entirety: U.S. application Ser. No. 10/683,317, filed Oct. 10, 2003, entitled “SYSTEM AND METHOD FOR PROVIDING ACCESS CONTROL,” by Richard MacKinnon, Kelly Looney, and Eric White; U.S. Provisional Application No. 60/551,698, filed Mar. 10, 2004, entitled “SYSTEM AND METHOD FOR BEHAVIOR-BASED FIREWALL MODELING,” by Patrick Turley which converted into U.S. application Ser. No. 11/076,719, filed Mar. 10, 2005, entitled “SYSTEM AND METHOD FOR BEHAVIOR-BASED FIREWALL MODELING,” by Richard MacKinnon, Kelly Looney, and Eric White; U.S. Provisional Application No. 60/551,754, filed Mar. 10, 2004, entitled “SYSTEM AND METHOD FOR COMPREHENSIVE CODE GENERATION FOR SYSTEM MANAGEMENT,” by Keith Johnston which converted into U.S. application Ser. No. 11/078,223, filed Mar. 10, 2005, entitled “SYSTEM AND METHOD FOR COMPREHENSIVE CODE GENERATION FOR SYSTEM MANAGEMENT,” by Keith Johnston; U.S. Provisional Application No. 60/551,703, filed Mar. 10, 2004, entitled “SYSTEM AND METHOD FOR PROVIDING A CENTRALIZED DESCRIPTION/CONFIGURATION OF CLIENT DEVICES ON A NETWORK ACCESS GATEWAY,” by Patrick Turley and Keith Johnston; U.S. Provisional Application No. 60/551,702, filed Mar. 10, 2004, entitled “SYSTEM AND METHOD FOR ACCESS SCOPE CONTROL (“WALLED GARDENS”) FOR CLIENTS OF A NETWORK ACCESS GATEWAY,” by Patrick Turley, Keith Johnston, and Steven D. Tonnesen; U.S. Provisional Application No. 60/551,699, filed Mar. 10, 2004, entitled “SYSTEM AND METHOD FOR DYNAMIC BANDWIDTH CONTROL,” by Patrick Turley, et al.; U.S. Provisional Application No. 60/551,697, filed Mar. 10, 2004, entitled “SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY,” by Steven D. Tonnesen which converted into U.S. application Ser. No. 11/076,652, filed Mar. 10, 2005, entitled “SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY,” by Steven D. Tonnesen; U.S. Provisional Application No. 60/551,705, filed Mar. 10, 2004, entitled “SYSTEM AND METHOD FOR DOUBLE-CAPTURE/DOUBLE-REDIRECT TO A DIFFERENT LOCATION,” by Keith Johnston, et al. which converted into U.S. application Ser. No. 11/076,646, filed Mar. 10, 2005, entitled “SYSTEM AND METHOD FOR DOUBLE-CAPTURE/DOUBLE-REDIRECT TO A DIFFERENT LOCATION,” by Keith Johnston, et al.; U.S. Provisional Application No. 60/551,704, filed Mar. 10, 2004, entitled “SYSTEM AND METHOD FOR NETWORK MANAGEMENT XML ARCHITECTURAL ABSTRACTION,” by Keith Johnston and Mario Garcia which converted into U.S. application Ser. No. 11/076,672, filed Mar. 10, 2005, entitled “SYSTEM AND METHOD FOR NETWORK MANAGEMENT XML ARCHITECTURAL ABSTRACTION,” by Keith Johnston and Mario Garcia; and U.S. Provisional Application No. 60/551,703, filed Mar. 10, 2005, entitled “SYSTEM AND METHOD FOR PROVIDING A CENTRALIZED DESCRIPTION/ CONFIGURATION OF CLIENT DEVICES ON A NETWORK ACCESS GATEWORK,” by Patrick Turley, et al.

Attention is now directed to systems and methods for creating a rules based access system suitable for implementation in a network access gateway. Theses systems and methods may make use of an existing operating system network packet or firewalling subsystem and combines a traffic identification strategy with the application of destination-based access rules to create a controlled environment or “walled garden” capability for a network access gateway. Controlled environments, which limit the network segments or routes available, as well as the network protocol traffic permitted, are known as “walled gardens”, where a network client may be constrained in terms of the types of network protocols (and applications) that they are permitted network access, as well as the destinations or services to which network applications may connect.

These systems and methods may also allow any client known to a system to be arbitrarily classified or grouped based on facts known to the system such as assigned client subnet, organizational boundaries, or security standing based on traffic patterns or content. External assignment may also possible.

Embodiments of the current invention disclose methods and systems for confining a network client's network access to a specific logical region of the network. Embodiments of the present invention may make use of traffic discrimination techniques and network protocol filtering to recognize clients by identity or membership in a group. Once classified, traffic from a client can then be subjected to a particular list of access rules that specify a “walled garden” which define where network access is allowed. Network access confinement can be through limiting network protocol use, limiting network destination address resolution or limiting domain name resolution, leading to network address resolution. In certain embodiments, a controlling entity such as an automated security monitor may utilize the invention to limit a user's present level of network access in a way that can inform a user of certain conditions and still allow a user access to a set of network destinations that may be helpful (for example in resolving the condition that led to reduced access).

Other embodiments of the present invention can also be used for other purposes relevant to a network access gateway such as allowing free access to chosen network content, but requiring additional payment or authorization for unrestricted access. An example of this is a public wireless network at a venue that wishes to provide free information about the venue via its own website or affiliated websites, yet requires payment for clients desiring general access to the Internet from the venue.

FIG. 1 is a diagrammatic representation of a sample network topology illustrating an environment employing an embodiment of the present invention. It should be noted that FIG. 1 is provided by way of example only. In other embodiments of the present invention, the networks attached to the gateway 11 can be any networks known in the art including, but not limited to, LANs, WANs, the Internet, global communications networks, wireless networks and/or any other communications network known in the art.

Clients 1, 2, 3, 4 on LAN network 10 are connected to Internet 13 via gateway 11. All network traffic from clients 1, 2, 3, 4 bound for Internet 13 is handled by gateway 11. Client computers 1, 2, 3, 4 can comprise any computing device known in the art (e.g., desktop, laptop, PDA, mobile phone or any other device capable of network communication) and can be connected to gateway 11 in any manner known in the art (e.g., by LAN, wireless network, direct connection or other manner known in the art).

Gateway 11 may be operable to support any number of walled gardens 20, 30, 40 and any number of client classifications. Gateway 11 can assign clients 1, 2, 3, 4 to walled gardens 20, 30, 40 automatically based on facts known or learned at gateway 11, or the assignment can be done in response to external configuration or commands received at gateway 11.

At network access gateway 11, incoming network traffic is inspected for attributes that identify the traffic as associated with a particular client 1, 2, 3, 4. In one embodiment using the Linux operating system, this is done using the netfilter network packet subsystem by the application of iptables match rules that test for attributes such as IP address, MAC address, or the network interface on gateway 11 where the traffic arrived.

In one embodiment of the present invention, once incoming traffic is discriminated (and/or marked) on a per-client basis, traffic can be directed to, assigned to, or associated with, one or more sets of client-specific (or group-specific) access rules. Each access rule set serves to specify “walled garden” 20, 30, 40; definitions that consists of specifically allowed locations in an outside network. These lists can be manually constructed to contain selected websites (or other resources) that are relevant to the identified client or group. Each list's content may vary over time in response to external configuration or commands received.

Clients 1, 2, 3, 4 who are assigned to a walled garden 20, 30, 40 and whose traffic is not addressed to a location in an access list corresponding to the assigned walled garden 20, 30, 40 may have the traffic dropped, denied, or redirected by gateway 11. In one embodiment, when this errant traffic is a web browser request, gateway 11 can redirect the request thus causing display of an informational page in the requesting user's web browser. The page to which the request is redirected may be generated by gateway 11 itself, or it may instead be served from a remote location. The page can inform the user of his status in the access gateway and offer choices of action.

Turning now to FIG. 2 a representation of an example listing of gateway configuration details that specify per-client behavior is listing. Configuration 200 may be kept by gateway 11 and specify which walled garden 20, 30, 40 a client 1, 2, 3, 4 is associated with. Each client 1, 2, 3, 4 may be assigned a designated level of access. For example, the access granted to Client 2 includes only the destination addresses defined by the contents of the list indicated by “Walled Garden A” 20. The example configuration 200 may further specify what action, if any, should be taken if a client 1, 2, 3, 4 attempts to access a destination that is not specifically allowed. In the case of client 2, such a request would be redirected by gateway 11 to the address of site “Q”. In this example, site “Q” is implemented by web server 12 internal to gateway 11.

The following set of results may occur if the listed actions were taken by clients as depicted with respect to FIGS. 1 and 2. These cases illustrate the ability of this embodiment to “quarantine” certain clients 1, 2, 3, 4 to particular walled garden(s) 20, 30 , 40 while simultaneously allowing other clients 1, 2, 3, 4 unhindered access to the internet 13.

Attempting to

Client Identity
visit:
Result

Client 1
Site “J”
Allowed

Client 1
Site “K”
Allowed

Client 1
Site “M”
Allowed

Client 1
Site “P”
Allowed

Client 1
Site “S”
Allowed

Client 2
Site “J”
Redirected

Client 2
Site “K”
allowed

Client 2
Site “M”
allowed

Client 2
Site “P”
redirected

Client 2
Site “S”
redirected

Client 3
Site “J”
Redirected

Client 3
Site “K”
allowed

Client 3
Site “M”
allowed

Client 3
Site “P”
allowed

Client 3
Site “S”
redirected

Client 4
Site “J”
Dropped

Client 4
Site “K”
dropped

Client 4
Site “M”
dropped

Client 4
Site “P”
dropped

Client 4
Site “S”
allowed

Utilizing an embodiment of the present invention the following scenario may occur: Client 1 is accessing the internet 13 without restrictions from gateway 11. The client 1 computer becomes infected with a worm. The worm creates excessive network traffic. The gateway 11 notices the abusive traffic and “quarantines” client 1. In one embodiment the gateway may detect this infection based on observed, detected behavior fitting a pattern that is suitable for constraint. By assigning the client to a walled garden reserved for infected users traffic from this client to destinations outside the walled garden becomes restricted.

The quarantined client may then attempt to browse a web page on the Internet. In response to this attempt, the gateway redirects the web request to a cooperating web server such as an internal web server on the gateway. The gateway's web server renders a web page informing the client of its perceived infection and offering links to self-help documents and to the websites of anti-virus vendors and the client's OS vendor. Thus, traffic from the client to the destination in the walled garden for infected users is allowed while other traffic is denied or redirected.

To control access of a client only to sites with a particular set of rules corresponding to a “walled garden”, in some embodiments, network firewall technologies are employed to limit network protocol usage by a constrained client, while in other embodiments, network traffic filtering technologies are employed to limit network packet flow by the constrained client. In still other embodiments, network routing technologies are employed to limit network packet traversal by a constrained client.

Constraining a client may also involve analysis of a network protocol. In one embodiment, all network requests from a client in network protocols other than HTTP are denied if they emanate from a constrained client. In this embodiment, a constrained client may only access certain network regions accessible utilizing HTTP, and these network regions may contain content intended to rectify aberrant behavior by the constrained client. More specifically, these network regions may contain content or data intended to repair or enhance a network client's network access and permit renewed access to the other portions of a network by the client, perhaps through the application of security patches.

Claims

1. A method of network traffic quarantine control, comprising: at a network access gateway device between a local network and the Internet, selecting a client device in a first network segment of the network;at the network access gateway device, performing a plurality of quarantine control functions over the client device, wherein the plurality of quarantine control functions comprises:a) restricting all network traffic emanating from the client device to one or more network destination addresses that are not in or subordinate to the first network segment;b) restricting all network traffic emanating from the client device to an allowed network destination address to selected one or more network protocols; andrendering a web page to display on the client device from the network access gateway device, wherein the web page contains an offer for a user of the client device to perform an action in order to obtain unrestricted access to the Internet responsive to implementation of one of the plurality of quarantine control function of the client device.
2. The method according to claim 1, wherein the action requires the user to obtain and execute abnormal behavior scanning software from a server machine running at one of the one or more allowed network destination addresses.
3. The method according to claim 1, further comprising: evaluating network traffic emanating from the client device after the client device has been scanned and abnormal behavior has been removed, mitigated or rendered inert.
4. The method according to claim 1, further comprising: filtering the network traffic emanating from the client device to limit network packet flow by the client device.
5. The method according to claim 1, further comprising: routing the network traffic emanating from the client device to limit network packet traversal by the client device.
6. The method according to claim 1, wherein the plurality of quarantine control functions further comprises: restricting all network traffic emanating from the client device to one or more network destination addresses in one or more network segments that are not in or subordinate to the first network segment.
7. The method according to claim 1, further comprising: performing all of the plurality of quarantine control functions over the client device.
8. A computer program product comprising at least one non-transitory computer readable medium storing instructions translatable by at least one processor to perform: a plurality of quarantine control functions over a client device coupled to the network access gateway device, wherein the network access gateway device is between a local network and the Internet, wherein the client device is in a first network segment of the network, and wherein the plurality of quarantine control functions comprises:a) restricting all network traffic emanating from the client device to one or more network destination addresses that are not in or subordinate to the first network segment;b) restricting all network traffic emanating from the client device to an allowed network destination address to selected one or more network protocols; andrendering a web page to display on the client device from the network access gateway device, wherein the web page contains an offer for a user of the client device to perform an action in order to obtain unrestricted access to the Internet responsive to the implementation of one of the plurality of quarantine control function of the client device.
9. The computer program product of claim 8, wherein the action requires the user to obtain and execute abnormal behavior scanning software from a server machine running at one of the one or more allowed network destination addresses.
10. The computer program product of claim 8, wherein the instructions are further translatable by the at least one processor to perform: evaluating network traffic emanating from the client device after the client device has been scanned and abnormal behavior has been removed, mitigated or rendered inert.
11. The computer program product of claim 8, wherein the instructions are further translatable by the at least one processor to perform: filtering the network traffic emanating from the client device to limit network packet flow by the client device.
12. The computer program product of claim 8, wherein the instructions are further translatable by the at least one processor to perform: routing the network, traffic emanating from the client device to limit network packet traversal by the client device.
13. The computer program product of claim 8, wherein the plurality of quarantine control functions further comprises: restricting all network traffic emanating from the client device to one or more network destination addresses in one or more network segments that are not in or subordinate to the first network segment.
14. The computer program product of claim 8, wherein the instructions are further translatable by the at least one processor to perform: all of the plurality of quarantine control functions over the client device.
15. A network access gateway device, comprising: at least one processor; andat least one non-transitory computer readable medium storing instructions translatable by the at least one processor to perform:a plurality of quarantine control functions over a client device coupled to the network access gateway device, wherein the network access gateway device is between a local network and the Internet, wherein the client device is in a first network segment of the network, and wherein the plurality of quarantine control functions comprises:a) restricting all network traffic emanating from the client device to one or more network destination addresses that are not in or subordinate to the first network segment;b) restricting all network traffic emanating from the client device to an allowed network destination address to selected one or more network protocols; andrendering a web page to display on the client device from the network access gateway device, wherein the web page contains an offer for a user of the client device to perform an action in order to obtain unrestricted access to the Internet responsive to implementation of one of the plurality of quarantine control function of the client device.
16. The system of claim 15, wherein the action requires the user to obtain and execute abnormal behavior scanning software from a server machine running at one of the one or more allowed network destination addresses.
17. The system of claim 15, wherein the instructions are further translatable by the at least one processor to perform: evaluating network traffic emanating from the client device after the client device has been scanned and abnormal behavior has been removed, mitigated or rendered inert.
18. The system of claim 15, wherein the instructions are further translatable by the at least one processor to perform: filtering the network traffic emanating from the client device to limit network packet flow by the client device.
19. The system of claim 15, wherein the instructions are further translatable by the at least one processor to perform: routing the network traffic emanating from the client device to limit network packet traversal by the client device.
20. The system of claim 15, wherein the plurality of quarantine control functions further comprises: restricting all network traffic emanating from the client device to one or more network destination addresses in one or more network segments that are not in or subordinate to the first network segment.

RELATED APPLICATIONS

This application claims priority under 35 U.S.C. 119(e) to U.S. Provisional Patent Application No. 60/551,702, filed Mar. 10, 2004, entitled “System and Method for access Scope Control (“Walled Gardens”) for Clients of a Network Access Gateway,” to Patrick Turley, Keith Johnston, and Steven D. Tonnesen.

US Referenced Citations (264)

Number	Name	Date	Kind
5623601	Vu	Apr 1997	A
5673393	Marshall et al.	Sep 1997	A
5706427	Tabuki	Jan 1998	A
5748901	Afek et al.	May 1998	A
5835727	Wong et al.	Nov 1998	A
5878231	Baehr et al.	Mar 1999	A
5896499	McKelvey	Apr 1999	A
5901148	Bowen et al.	May 1999	A
5936542	Kleinrock et al.	Aug 1999	A
5953506	Kalra et al.	Sep 1999	A
5987134	Shin et al.	Nov 1999	A
5996013	Delp et al.	Nov 1999	A
6085241	Otis	Jul 2000	A
6088451	He et al.	Jul 2000	A
6092200	Muniyappa et al.	Jul 2000	A
6108782	Fletcher et al.	Aug 2000	A
6130892	Short et al.	Oct 2000	A
6131116	Riggins et al.	Oct 2000	A
6157953	Chang et al.	Dec 2000	A
6173331	Shimonishi	Jan 2001	B1
6176883	Holloway et al.	Jan 2001	B1
6185567	Ratnaraj et al.	Feb 2001	B1
6194992	Short et al.	Feb 2001	B1
6205552	Fudge	Mar 2001	B1
6212558	Antur et al.	Apr 2001	B1
6219706	Fan et al.	Apr 2001	B1
6226752	Gupta et al.	May 2001	B1
6233607	Taylor et al.	May 2001	B1
6243815	Antur et al.	Jun 2001	B1
6266774	Sampath et al.	Jul 2001	B1
6275693	Lin et al.	Aug 2001	B1
6295294	Odlyzko	Sep 2001	B1
6321339	French et al.	Nov 2001	B1
6324648	Grantges, Jr.	Nov 2001	B1
6336133	Morris et al.	Jan 2002	B1
6404743	Meandzija	Jun 2002	B1
6421319	Iwasaki	Jul 2002	B1
6463474	Fuh et al.	Oct 2002	B1
6473793	Dillon et al.	Oct 2002	B1
6473801	Basel	Oct 2002	B1
6477143	Ginossar	Nov 2002	B1
6502131	Vaid et al.	Dec 2002	B1
6502135	Munger et al.	Dec 2002	B1
6516417	Pegrum et al.	Feb 2003	B1
6535879	Behera	Mar 2003	B1
6539431	Sitaraman et al.	Mar 2003	B1
6631416	Bendinelli et al.	Oct 2003	B2
6636894	Short et al.	Oct 2003	B1
6643260	Kloth et al.	Nov 2003	B1
6678733	Brown et al.	Jan 2004	B1
6708212	Porras et al.	Mar 2004	B2
6732179	Brown et al.	May 2004	B1
6735691	Capps et al.	May 2004	B1
6748439	Monachello et al.	Jun 2004	B1
6757740	Parekh et al.	Jun 2004	B1
6763468	Gupta et al.	Jul 2004	B2
6785252	Zimmerman et al.	Aug 2004	B1
6789110	Short et al.	Sep 2004	B1
6789118	Rao	Sep 2004	B1
6798746	Kloth et al.	Sep 2004	B1
6804783	Wesinger et al.	Oct 2004	B1
6816903	Rakoshitz et al.	Nov 2004	B1
6823385	McKinnon et al.	Nov 2004	B2
6834341	Bahl et al.	Dec 2004	B1
6839759	Larson et al.	Jan 2005	B2
6876668	Chawla et al.	Apr 2005	B1
6907530	Wang	Jun 2005	B2
6917622	McKinnon et al.	Jul 2005	B2
6976089	Na et al.	Dec 2005	B2
6983323	Cantrell et al.	Jan 2006	B2
6996625	Kaplan et al.	Feb 2006	B2
7013331	Das	Mar 2006	B2
7085385	Frantz et al.	Aug 2006	B2
7085854	Keane et al.	Aug 2006	B2
7092727	Li et al.	Aug 2006	B1
7100195	Underwood	Aug 2006	B1
7120934	Ishikawa	Oct 2006	B2
7143283	Chen et al.	Nov 2006	B1
7143435	Droms et al.	Nov 2006	B1
7146639	Bartal et al.	Dec 2006	B2
7181017	Nagel et al.	Feb 2007	B1
7181542	Tuomenoksa et al.	Feb 2007	B2
7181766	Bendinelli et al.	Feb 2007	B2
7185073	Gai et al.	Feb 2007	B1
7185358	Schreiber et al.	Feb 2007	B1
7185368	Copeland, III	Feb 2007	B2
7188180	Larson et al.	Mar 2007	B2
7194554	Short et al.	Mar 2007	B1
7216173	Clayton et al.	May 2007	B2
7257833	Parekh et al.	Aug 2007	B1
7266754	Shah et al.	Sep 2007	B2
7272646	Cooper et al.	Sep 2007	B2
7290050	Smith et al.	Oct 2007	B1
7290288	Gregg et al.	Oct 2007	B2
7310613	Briel et al.	Dec 2007	B2
7316029	Parker et al.	Jan 2008	B1
7318097	Bernoth	Jan 2008	B2
7324551	Stammers	Jan 2008	B1
7324947	Jordan et al.	Jan 2008	B2
7325042	Soscia et al.	Jan 2008	B1
7386888	Liang et al.	Jun 2008	B2
7406530	Brown et al.	Jul 2008	B2
7418504	Larson et al.	Aug 2008	B2
7420956	Karaoguz et al.	Sep 2008	B2
7444669	Bahl et al.	Oct 2008	B1
7448075	Morand et al.	Nov 2008	B2
7454792	Cantrell et al.	Nov 2008	B2
7483993	Nachenberg et al.	Jan 2009	B2
7490151	Munger et al.	Feb 2009	B2
7587512	Ta et al.	Sep 2009	B2
7590728	Tonnesen et al.	Sep 2009	B2
7610621	Turley et al.	Oct 2009	B2
7624438	White	Nov 2009	B2
7634805	Aroya	Dec 2009	B2
7665130	Johnston et al.	Feb 2010	B2
7792963	Gould et al.	Sep 2010	B2
8032933	Turley et al.	Oct 2011	B2
8108915	White et al.	Jan 2012	B2
8117639	MacKinnon et al.	Feb 2012	B2
8224983	Ta et al.	Jul 2012	B2
20010038639	McKinnon et al.	Nov 2001	A1
20010038640	McKinnon et al.	Nov 2001	A1
20010038645	McKinnin et al.	Nov 2001	A1
20010039576	Kanada	Nov 2001	A1
20010039582	McKinnon et al.	Nov 2001	A1
20020013844	Garrett et al.	Jan 2002	A1
20020021665	Bhagavath et al.	Feb 2002	A1
20020023160	Garrett et al.	Feb 2002	A1
20020023210	Tuomenoksa et al.	Feb 2002	A1
20020026503	Bendinelli et al.	Feb 2002	A1
20020026531	Keane et al.	Feb 2002	A1
20020029260	Dobbins et al.	Mar 2002	A1
20020029276	Bendinelli et al.	Mar 2002	A1
20020035699	Crosbie	Mar 2002	A1
20020042883	Roux et al.	Apr 2002	A1
20020046264	Dillon et al.	Apr 2002	A1
20020052950	Pillai et al.	May 2002	A1
20020053031	Bendinelli et al.	May 2002	A1
20020055968	Wishoff et al.	May 2002	A1
20020056008	Keane et al.	May 2002	A1
20020059408	Pattabhiraman et al.	May 2002	A1
20020075844	Hagen	Jun 2002	A1
20020085719	Crosbie	Jul 2002	A1
20020087713	Cunningham	Jul 2002	A1
20020090089	Branigan	Jul 2002	A1
20020091859	Tuomenoksa et al.	Jul 2002	A1
20020091944	Anderson et al.	Jul 2002	A1
20020099829	Richards et al.	Jul 2002	A1
20020112183	Baird, III et al.	Aug 2002	A1
20020112186	Ford et al.	Aug 2002	A1
20020120741	Webb et al.	Aug 2002	A1
20020123335	Luna et al.	Sep 2002	A1
20020124078	Conrad	Sep 2002	A1
20020124103	Maruyama et al.	Sep 2002	A1
20020129143	McKinnon, III et al.	Sep 2002	A1
20020131404	Mehta et al.	Sep 2002	A1
20020132607	Castell et al.	Sep 2002	A1
20020133581	Schwartz et al.	Sep 2002	A1
20020133586	Shanklin et al.	Sep 2002	A1
20020133589	Gubbi et al.	Sep 2002	A1
20020136226	Christoffel et al.	Sep 2002	A1
20020138631	Friedel et al.	Sep 2002	A1
20020138762	Horne	Sep 2002	A1
20020138763	Delany et al.	Sep 2002	A1
20020143964	Guo et al.	Oct 2002	A1
20020152284	Cambray et al.	Oct 2002	A1
20020162030	Brezak et al.	Oct 2002	A1
20020164952	Singhai et al.	Nov 2002	A1
20020165949	Na et al.	Nov 2002	A1
20020165990	Singhai et al.	Nov 2002	A1
20020169867	Mann et al.	Nov 2002	A1
20020174227	Hartsell et al.	Nov 2002	A1
20020178282	Mysore et al.	Nov 2002	A1
20020199007	Clayton et al.	Dec 2002	A1
20030041104	Wingard et al.	Feb 2003	A1
20030043846	Purpura et al.	Mar 2003	A1
20030046370	Courtney	Mar 2003	A1
20030055962	Freund et al.	Mar 2003	A1
20030055994	Herrmann et al.	Mar 2003	A1
20030059038	Meyerson et al.	Mar 2003	A1
20030061506	Cooper et al.	Mar 2003	A1
20030069955	Gieseke et al.	Apr 2003	A1
20030069956	Gieseke et al.	Apr 2003	A1
20030070170	Lennon	Apr 2003	A1
20030078784	Jordan et al.	Apr 2003	A1
20030087629	Juitt et al.	May 2003	A1
20030110073	Briel et al.	Jun 2003	A1
20030115247	Simpson et al.	Jun 2003	A1
20030123442	Drucker et al.	Jul 2003	A1
20030126608	Safadi et al.	Jul 2003	A1
20030135753	Batra et al.	Jul 2003	A1
20030149751	Bellinger et al.	Aug 2003	A1
20030154399	Zuk et al.	Aug 2003	A1
20030159072	Bellinger et al.	Aug 2003	A1
20030163603	Fry et al.	Aug 2003	A1
20030172167	Judge et al.	Sep 2003	A1
20030172291	Judge et al.	Sep 2003	A1
20030177477	Fuchs	Sep 2003	A1
20030182420	Jones et al.	Sep 2003	A1
20030191966	Gleichauf	Oct 2003	A1
20030212800	Jones et al.	Nov 2003	A1
20030212900	Liu et al.	Nov 2003	A1
20030217126	Polcha et al.	Nov 2003	A1
20040015719	Lee et al.	Jan 2004	A1
20040047356	Bauer	Mar 2004	A1
20040049586	Ocepek et al.	Mar 2004	A1
20040064351	Mikurak	Apr 2004	A1
20040064560	Zhang et al.	Apr 2004	A1
20040064836	Ludvig et al.	Apr 2004	A1
20040073941	Ludvig et al.	Apr 2004	A1
20040083295	Amara et al.	Apr 2004	A1
20040085906	Ohtani et al.	May 2004	A1
20040093513	Cantrell et al.	May 2004	A1
20040103426	Ludvig et al.	May 2004	A1
20040107290	Kaplan et al.	Jun 2004	A1
20040122956	Myers et al.	Jun 2004	A1
20040172557	Nakae et al.	Sep 2004	A1
20040177276	MacKinnon et al.	Sep 2004	A1
20040179822	Tsumagari et al.	Sep 2004	A1
20040181816	Kim et al.	Sep 2004	A1
20040199635	Ta et al.	Oct 2004	A1
20040210633	Brown et al.	Oct 2004	A1
20040215957	Moineau et al.	Oct 2004	A1
20040268149	Aaron	Dec 2004	A1
20040268234	Sampathkumar et al.	Dec 2004	A1
20050021686	Jai et al.	Jan 2005	A1
20050021975	Liu	Jan 2005	A1
20050044350	White et al.	Feb 2005	A1
20050044422	Cantrell et al.	Feb 2005	A1
20050050338	Liang et al.	Mar 2005	A1
20050066200	Bahl et al.	Mar 2005	A1
20050091303	Suzuki	Apr 2005	A1
20050138358	Bahl et al.	Jun 2005	A1
20050138416	Qian et al.	Jun 2005	A1
20050149721	Lu et al.	Jul 2005	A1
20050193103	Drabik	Sep 2005	A1
20050195854	Agmon et al.	Sep 2005	A1
20050204022	Johnston et al.	Sep 2005	A1
20050204031	Johnston et al.	Sep 2005	A1
20050204168	Johnston et al.	Sep 2005	A1
20050204169	Tonnesen	Sep 2005	A1
20050204402	Turley et al.	Sep 2005	A1
20060036723	Yip et al.	Feb 2006	A1
20060117384	Larson et al.	Jun 2006	A1
20060168229	Shim et al.	Jul 2006	A1
20060168454	Venkatachary et al.	Jul 2006	A1
20060173992	Weber et al.	Aug 2006	A1
20060184618	Kurup et al.	Aug 2006	A1
20070073718	Ramer et al.	Mar 2007	A1
20070186113	Cuberson et al.	Aug 2007	A1
20070208936	Ramos Robles	Sep 2007	A1
20070268878	Clements	Nov 2007	A1
20080066096	Wollmershauser et al.	Mar 2008	A1
20080098464	Mizrah	Apr 2008	A1
20080120661	Ludvig et al.	May 2008	A1
20080147840	Roelens et al.	Jun 2008	A1
20080276305	Chan et al.	Nov 2008	A1
20090279567	Ta et al.	Nov 2009	A1
20100064356	Johnston et al.	Mar 2010	A1
20100192213	Ta et al.	Jul 2010	A1
20110219444	Turley et al.	Sep 2011	A1
20110258687	White et al.	Oct 2011	A1
20120096517	White et al.	Apr 2012	A1
20120117615	MacKinnon et al.	May 2012	A1

Foreign Referenced Citations (11)

Number	Date	Country
0587522	Jan 2000	EP
WO 0177787	Oct 2001	WO
WO 0209458	Jan 2002	WO
WO 0223825	Mar 2002	WO
WO 0241587	May 2002	WO
WO 02077820	Oct 2002	WO
WO 03021890	Mar 2003	WO
WO 03098461	May 2003	WO
WO 2004034229	Apr 2004	WO
WO 2004036371	Apr 2004	WO
WO 2005020035	Mar 2005	WO

Non-Patent Literature Citations (139)

Entry
U.S. Patent Office Official Action issued Jan. 25, 2008 in U.S. Appl. No. 11/076,652, Steven D. Tonnesen, Jan. 25, 2008.
U.S. Patent Office Action issued Apr. 17, 2008, in U.S. Appl. No. 10/687,002, Tuan Ta, 13 pages.
U.S. Appl. No. 08/816,174, Short et al.
U.S. Appl. No. 09/458,569, Short et al.
U.S. Appl. No. 09/458,602, Pagan et al.
U.S. Appl. No. 09/541,877, Short et al.
U.S. Appl. No. 09/821,565, Ishikawa.
U.S. Appl. No. 09/881,147, Cooper et al.
U.S. Appl. No. 10/000,396, Copeland.
U.S. Appl. No. 10/072,683, Zuk et al.
U.S. Appl. No. 10/195,326, Lee et al.
U.S. Appl. No. 10/236,402, Bauer.
U.S. Appl. No. 10/291,095, Cantrell et al.
U.S. Appl. No. 10/469,206, Ohtani et al.
U.S. Appl. No. 10/641,494, Valluri.
U.S. Appl. No. 10/643,864, Nakae et al.
U.S. Appl. No. 10/709,423, Lu et al.
U.S. Appl. No. 10/930,392, Cantrell et al.
U.S. Appl. No. 10/930,922, Cantrell et al.
U.S. Appl. No. 10/953,326, Suzuki.
U.S. Patent Office Action issued Jun. 9, 2008, in U.S. Appl. No. 10/683,317, Richard MacKinnon, 15 pages.
Fan et al, “Distributed Real Time Intrusion Detection System for 3G”, 2004, pp. 1566-1570.
Yu et al., “Fuzzy Logic Based Adaptive Congestion Control Scheme for High-Speed Network”, Aug. 2004, pp. 389-393.
Hamano et al., A Redirections-Based Defense Mechanism Against Flood-Type Attacks in Large Scale ISP Networks, 2004, pp. 543-547.
Sarolahti, “Congestion Control on Spurious TCP Retransmssion Timeouts,” 2003, pp. 682-686.
Estevez-Tapiador et al., “Measuring Normality in HTTP Traffic for Anomaly-Based Intrusion Detection”, Jun. 6, 2004, pp. 175-193.
Xing et al., “A Survery of Computer Vulnerability Assessment”, Jan. 2004, pp. 1-11.
Wen et al. “Development of a Snort-Based Security Network Management and Real-Time Intrusion Detection System”, Feb. 2004, pp. 40-43.
Thottethodi et al., “Exploiting Global Knowledge to Achieve Self-Tuned Congestion Control for K-ary n-cube Networks”, Mar. 2004, pp. 257-272.
Trabelsi et al., “Malicious Sniffing Systems Detection Platform”, 2004, pp. 201-207.
Guangzhi et al., “A Framework for Network Vulnerability Analysis”, 2002, pp. 289-294.
Albuquerque et al., “Network Border Patrol: Preventing Congestion Collapse and Promoting Fairness in the Internet”, Feb. 2004, pp. 173-186.
Wirbel, Loring, “Security Stampede Could Flatten IPSec”, Jan. 2004, p. 12.
MacLeod, Calum, “Freeing the Shackles with Secure Remote Working”, 2003, pp. 66-67.
Fisher, D., “SSL Simplifies VPN Security”, Nov. 10, 2003, p. 40.
Conry-Murray, A., “SSL VPNs: Remote Access for the Masses”, Oct. 2003, pp. 26-32.
“Permeo Supports Microsoft Network Access Protection for Simplified Secure Remote Access; Permeo's Base5 Support for Microsoft Tech. Provides Zero Touch” Policy Enforcement.
No author, Permeo Drives Out Operational Costs, Simplifies Secure Remote Access, Mar. 28, 2005, pp. NA.
No author, Netilla Lauches SSL VPN for Citrix. (Industry Briefs) (Virtual Private Networks) (Brief Article), Sep. 20, 2004, p. 43.
Netilla Lauches Secure Gateway Appliance Family of Application-Specific SSL VPN Products; Initial SGA-C Model Provides Secure Remote Access to Citrix MetaFrame Presentation.
No author, “Secure Remote Access (Network Security) (VPN Gateway 4400 Series) (Brief Article)”, Mar. 1, 2004, p. 50.
Fortinet and Aventail Deliver Joint Solution for Clientless Remote Access with High-Performance Antivirus Protection; Integrated SSL VPN and Antivirus Offering Provides.
Hamblen, Matt, “Cisco Targets SSL VPN Vendors, Adds Support for Clientless Security Protoccol: Installed Base of VPN Devices May Give it an Edge, Despite Late Entry (News)”.
International Search Report and Written Opinion for related International Application No. PCT/US04/29249, Dec. 15, 2005.
Stone, David, “Securing Wireless LANs with VPN,” May 2006, pp. NA.
Hamzeh, et al., “Point-to-Point Tunneling Protocol—PPTP RFC 2637” Network Working Group, Jul. 1999, pp. 1-54.
Pfleeger, Charles P., Security in Computing, PTR Prentice-Hall, Inc., 1989, Ch. 10.
International Search Report for PCT/US03/32912, Apr. 8, 2004.
Lingblom, “Granite Develops SMB Strategy,” CRN, San Jose, CA, Jun. 23, 2003.
“Boingo Wireless Service Installed at LaGuardia Airport” Copyright 2003 M2Communications Ltd., found at www.findarticles.com, Dec. 8, 2003, 1 page.
West Point Unwired: the Military Academy at West Point Continues to Lead the Way in High-Tech Curriculum with Wireless Classroom Networking Copyright 2003 M2Communications.
Molta, “Wireless Hotspots Heat Up,” Mobile & Wireless Technology feature, pp. 1-8, Copyright 2003 M2Communications Ltd., found at www.networkcomputing.com, printed Dec. 8, 2003.
Jackson, “Wireless at West Point: Officers of the Future Use IT in Class Now, in the Field Later (Technology Report)” Apr. 21, 2003, pp. 1-3, www.gcn.com.
Lingblom, “Bluesocket's New Gateway Based on Open Standards—WGX-4000 Switch Wireless Gateway” CRN, Burlington, MA at www.crn.channelsupersearch.com, Apr. 21, 2003.
Dornan, “Wireless LANs: Freedom vs. Security?” Network Magazine, Jul. 2005, pp. 36-39.
O'Shea, “PCTEL looks past patent suite toward fusion of Wi-Fi, PC” Telephony.online, Jun. 2, 2003, pp. 1-2, found at www.telephonyonline.com.
O'Shea, “Boingo to Launch Initiative Aimed at Carrier Market” Telephony.online, Mar. 10, 2003, 1 page, found at www.telephonyonline.com.
International Search Report from PCT/US03/32268 dated Oct. 29, 2004.
U.S. Patent Office Official Action issued Jul. 13, 2007 in U.S. Appl. No. 10/922,041, Eric White.
U.S. Patent Office Official Action issued Oct. 9, 2007 in U.S. Appl. No. 10/683,317, Richard MacKinnon.
U.S. Patent Office Official Action issued Oct. 18, 2007 in U.S. Appl. No. 10/687,002, Tuan Ta.
U.S. Patent Office Official Action issued Oct. 31, 2007 in U.S. Appl. No. 11/078,223, Keith Johnston.
Office Action issued in U.S. Appl. No. 11/076,652 dated Dec. 11, 2008, Tonnesen, 8 pages.
Office Action issued in U.S. Appl. No. 10/687,002 dated Jan. 7, 2009, Ta, 4 pages.
U.S. Patent Office Action issued Jul. 22, 2008, in U.S. Appl. No. 11/076,652, Steven D. Tonnesen, 8 pages.
U.S. Patent Office Action issued Jul. 9, 2008, in U.S. Appl. No. 11/076,672, Keith Johnston, 12 pages.
Office Action issued in U.S. Appl. No. 11/076,719, dated Sep. 4, 2008, Turley, 7 pages.
U.S. Patent and Trademark Office, Office Action issued in U.S. Appl. No. 10/922,041, mailed May 8, 2009, White, 13 Pages.
U.S. Patent and Trademark Office, Office Action issued in U.S. Appl. No. 11/076,672, mailed Jul. 21, 2009, White, 11 Pages.
Office Action issued in U.S. Appl. No. 10/922,041, mailed Dec. 6, 2005, White, 10 pages.
Office Action issued in U.S. Appl. No. 10/922,041, mailed Mar. 30, 2006, White, 18 pages.
Office Action issued in U.S. Appl. No. 10/922,041, mailed Aug. 11, 2006, White, 19 pages.
Office Action issued in U.S. Appl. No. 10/922,041, mailed Jan. 30, 2007, White, 20 pages.
Office Action issued in U.S. Appl. No. 10/683,317, mailed Apr. 5, 2007, MacKinnon, 6 pages.
Office Action issued in U.S. Appl. No. 10/687,002, mailed May 2, 2007, Ta, 10 pages.
Crandell et al., “A Secure and Transparent Firewall Web Proxy,” Oct. 2003, USENIX, Retrieved from the internet on Jul. 15, 2009: <URL: http://www.usenix.org/event/lisa03/tech/full—papers/crandell/crandell.pdf>.
Sommerlad, “Reverse Proxy Patterns,” 2003 Retrieved from the Internet on Jul. 15, 2009: <URL: http://www.modsecurity.org/archive/ReverseProxy-book-1.pdf>.
Office Action issued in U.S. Appl. No. 10/683,317, mailed Aug. 18, 2009, 17 pages.
Rashti et al, “A Multi-Dimensional Packet Classifier for NP-Based Firewalls,” Jan. 2004, retrieved from the Internet on Aug. 12, 2009: <URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1266123&isnumber=28312>.
Office Action issued in U.S. Appl. No. 11/076,672, mailed Jan. 7, 2010, 9 pgs.
Office Action for U.S. Appl. No. 12/506,140, mailed Aug. 4, 2011, 18 pgs.
Notice of Allowance for U.S. Appl. No. 12/579,566, mailed Aug. 26, 2011, 9 pgs.
Alshamsi, Abdelnasir, et al., “A Technical Comparison of IPSec and SSL,” Tokyo University of Technology, Jul. 8, 2004, 10 pages.
Fisher, Dennis, “NetScreen to Acquire Neoteris,” IT Security & Network Security News, Oct. 6, 2003, 1 page.
DeMaria, Mike, “Faster Than a Speeding VPN—Super Remote Access With Neoteris IVE,” Network Computing, Sep. 9, 2002, printed Nov. 9, 2011 from http://www.networkcomputing.com/data-protection/2296249, 3 pages.
Snyder, Joel, “SSL VPN Gateways,” Networkworld, Jan. 12, 2004, printed Nov. 9, 2011 from http://www.networkworld.com/reviews/2004/0112revmain.html, 10 pages.
“NetExtender for SSL-VPN,” SonicWALL SSL-VPN NetExtender, Apr. 27, 2006, 30 pages.
“IPSec vs. SSL VPN: Transition Criteria and Methodology,” 2007 Sonicwall, 13 pages.
Fisher, Dennis, “Symantec Acquires SSL VPN Vendor,” IT Security & Network Security News, Oct. 20, 2003, printed Nov. 9, 2011 from http://www.eweek.com/index2.php?option=content& task=v . . . 1 page.
Notice of Allowance issued in U.S. Appl. No. 12/617,211, mailed Nov. 10, 2011, 8 pages.
Notice of Allowance issued in U.S. Appl. No. 10/683,317, mailed Nov. 28, 2011, 11 pages.
Office Action for U.S. Appl. No. 12/753,390, mailed Dec. 8, 2011, 19 pgs.
Notice of Allowance for U.S. Appl. No. 12/617,211, mailed Dec. 12, 2011, 8 pgs.
Notice of Allowance for U.S. Appl. No. 12/753,390, mailed Mar. 16, 2012, 5 pgs.
“Cisco Common Classification Policy Language,” Cisco Router and Security Device Manager 2.4 User's Guide, Ch. 34, 2007, 32 pgs., Cisco Systems, Inc., San Jose, CA.
Office Action for U.S. Appl. No. 12/506,140, mailed Feb. 18, 2011, 13 pgs.
Notice of Allowance for U.S. Appl. No. 12/579,566, mailed Mar. 23, 2011, 12 pgs.
Notice of Allowance for U.S. Appl. No. 12/579,566, mailed May 13, 2011, 8 pgs.
Office Action for U.S. Appl. No. 10/683,317, mailed Jun. 8, 2011, 15 pgs.
Office Action for U.S. Appl. No. 12/617,211, mailed Jul. 19, 2011, 18 pgs.
Office Action for U.S. Appl. No. 12/619,560, mailed May 9, 2012, 7 pgs.
Bauer, Mick, Designing and Using DMZ Networks to Protect Internet Servers, Linux Journal, Mar. 1, 2001, 6 pgs. at http://linuxjournal.com/article/4415, printed Mar. 22, 2012.
Office Action for U.S. Appl. No. 13/092,488, mailed Jun. 11, 2012, 7 pgs.
Office Action for U.S. Appl. No. 13/173,764, mailed Jul. 17, 2012, 15 pgs.
Discussion of Conceptual Difference Between Cisco IOS Classic and Zone-Based Firewalls, Oct. 2007, 4 pgs., Cisco Systems, Inc., San Jose, CA.
Cisco IOS Firewall Zone-Based Policy Firewall, Release 12.4(6)T, Technical Discussion, Feb. 2006, 77 pgs., Cisco Systems, Inc., San Jose, CA.
Zone-Based Policy Firewall Design and Application Guide, Document ID: 98628, Sep. 13, 2007, 49 pgs., Cisco Systems, Inc., San Jose, CA.
“FreeBSD Handbook, Chapter 30 Firewalls,” 2003, found at www.freebsd.org/doc/handbook/firewalls-ipfw.html, printed Dec. 27, 2010, 13 pgs.
Watters, Paul, “Solaris 8 Administrator's Guide. Chapter 4, Network Configuration,” O'Reilly & Associates, Inc., Jan. 2002, 17 pgs.
Spitzner, Lance, “Configuring network interface cards; getting your interfaces to talk,” Mar. 23, 2004, 4 pgs.
Gite, Vivek, “Redhat/CentOS/Fedora Linux Open Port,” Sep. 13, 2007, found at www.cyberciti.biz/faq/howto-rhel-linux-open-port-using-iptables/ printed Jan. 3, 2011, 7 pgs.
Office Action for U.S. Appl. No. 10/683,317, dated Jan. 3, 2011, 12 pgs.
SP Maj, W Makairanondh, D Veal, “An Evaluation of Firewall Configuration Methods,” IJSCSNS International Journal of Computer Science and Network Security, vol. 10, No. 8, Aug. 2010, 7 pgs.
Using VPN with Zone-Based Policy Firewall, May 2009, Cisco Systems, Inc., San Jose, CA, 10 pgs.
Cisco IOS Firewall Classic and Zone-Based Virtual Firewall Application Configuration Example, Document ID: 100595, Feb. 12, 2008, 20 pgs., Cisco Systems, Inc., San Jose, CA.
Class-Based Policy Provisioning: Introducing Class-Based Policy Language (CPL), Aug. 2008, 36 pgs., Cisco Systems, Inc., San Jose, CA.
Cisco IOS Zone Based Firewall Example, at http://www.linickx.com/archives/2945/cisco-ios-zon . . . , printed Dec. 7, 2010, 6 pgs., LINICKX.com.
Zone-Based Policy Firewall, Published Feb. 22, 2006, Updated Jun. 19, 2006, 46 pgs., Cisco Systems, Inc., San Jose, CA.
Applying Zone-based Firewall Policies in Cisco Security Manager, Published Mar. 2009, Revised Sep. 2009, 64 pgs., Cisco Systems, Inc., San Jose, CA.
Office Action for U.S. Appl. No. 10/683,317, mailed Jul. 23, 2010, 9 pgs.
Office Action for U.S. Appl. No. 12/506,140, mailed Sep. 1, 2010, 11 pgs.
Office Action for U.S. Appl. No. 12/579,566, mailed Oct. 6, 2010, 7 pgs.
Office Action for U.S. Appl. No. 12/617,211, dated Feb. 3, 2011, 14 pgs.
“Managing Firewall Services,” User Guide for Cisco Security Manager 3.3.1, Oct. 2009, Ch. 11, 90 pgs., Cisco Systems, Inc., San Jose, CA.
“Cisco Common Classification Policy Language,” Cisco Router and Security Device Manager 2.4 User's Guide, Ch. 34, 32 pgs., Cisco Systems, Inc., San Jose, CA.
Guide to User Documentation for Cisco Security Manager 4.0, Jun. 18, 2010, 6 pgs., Cisco Systems, Inc., San Jose, CA.
Cisco Configuration Professional: Zone-Based Firewall Blocking Peer to Peer Traffic Configuration Example, Document ID: 112237, Updated Dec. 3, 2010, 25 pgs., Cisco Systems, Inc., San Jose, CA.
Tuning Cisco IOS Classic and Zone-Based Policy Firewall Denial-of-Service Protection, 2006, 10 pgs., Cisco Systems, Inc., San Jose, CA.
Holuska, Marty, Using Cisco IOS Firewalls to Implement a Network Security Policy, Fort Hays State University/INT 490, printed Dec. 6, 2010, 5 pgs., at http://quasarint.com/Capstone/zb—policy.php.
Cisco Feature Navigator, Cisco Systems, Inc., San Jose, CA, at http://tools.cisco.com/ITDIT/CFN/Dispatch, printed on Dec. 2, 2010, 4 pgs.
SBC Technology Resources, Inc., XNMP-XML Network Management Protocol and Interface, Jul. 19, 2002, pp. 1-9, http://www.ietf.org/proceedings/02jul/slides.
Shim, Choon B., XNMP for IP Telephony Management, Enterprise Networks & Servers, Jun. 2006, pp. 1-7, http://www.enterprisenetworksandservers.com.
Oh et al., Interaction Translation Methods for XML/SNMP Gateway, Jul. 11, 2003, retrieved from . . . http://web-archive.org/web/20030711162412/http://dpnm.postech.ac.kr/papers/DSOM/02/xml-snmp-gateway/xml-snmp-gateway.pdf, pp. 1-5.
Office Action issued in U.S. Appl. No. 11/076,672 dated Feb. 3, 2009, Johnston, 10 pages.
Office Action issued in U.S. Appl. No. 10/683,317 dated Feb. 11, 2009, MacKinnon, 17 pages.
International Preliminary Report on Patentability in PCT/US03/032268 dated Apr. 10, 2005, 3 pages.
International Preliminary Report on Patentability in PCT/US03/032912 dated Apr. 16, 2005, 3 pages.
International Preliminary Report on Patentability and Written Opinion of the International Searching Authority in PCT/US04/029249 dated Feb. 21, 2006, 6 pages.
Office Action issued in U.S. Appl. No. 11/076,719 dated Mar. 17, 2009, 8 pages.

Related Publications (1)

	Number	Date	Country
	20050204050 A1	Sep 2005	US

Provisional Applications (1)

	Number	Date	Country
	60551702	Mar 2004	US

Method and system for controlling network access

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

US Classifications

Field of Search

US

International Classifications

Term Extension

Abstract