Patent Grant
7945945
The present embodiment relates to comprehensive and continuous control of usage of network services. More particularly, the present embodiment relates to static and dynamic policy allocation for network service provisioning based on address block techniques. Specifically the use of the IEEE 802 Organization Unique Identifiers (OUI), Individual Address Block (IAB) assignments of the MAC addresses provided by the IEEE 802 organization or the local address administration as an input into the decision process in policy, authorization, network admission and network service attribute assignment.
Computing systems are useful tools for the exchange of information among individuals. The information may include, but is not limited to, data, voice, graphics, and video. The exchange is established through interconnections linking the computing systems together in a way that permits the transfer of electronic signals that represent the information. The interconnections may be either cable or wireless. Cable connections include, for example, metal and optical fiber elements. Wireless connections include, for example infrared, acoustic, and radio wave transmissions.
Interconnected computing systems having some sort of commonality are represented as a network. For example, individuals associated with a college campus may each have a computing device. In addition, there may be shared printers and remotely located application servers distributed throughout the campus. There is commonality among the individuals in that they all are associated with the college in some way. The same can be said for individuals and their computing arrangements in other environments including, for example, healthcare facilities, manufacturing sites and Internet access users. A network permits communication or signal exchange among the various computing systems of the common group in some selectable way. The interconnection of those computing systems, as well as the devices that regulate and facilitate the exchange among the systems, represent a network. Further, networks may be interconnected together to establish internetworks. For purposes of the description of the present embodiment, the devices and functions that establish the interconnection represent the network infrastructure. The users, computing devices and the like that use that network infrastructure to communicate are referred to herein as attached functions and will be further defined. The combination of the attached functions and the network infrastructure will be referred to as a network system.
The process by which the various computing systems of a network or internetwork communicate is generally regulated by agreed-upon signal exchange standards and protocols embodied in network interface cards or circuitry and software, firmware and microcoded algorithms. Such standards and protocols were borne out of the need and desire to provide interoperability among the array of computing systems available from a plurality of suppliers. Two organizations that have been responsible for signal exchange standardization are the Institute of Electrical and Electronic Engineers (IEEE) and the Internet Engineering Task Force (IETF). In particular, the IEEE standards for internetwork operability have been established, or are in the process of being established, under the purview of the IEEE 802 committee on Local Area Networks (LANs) and Metropolitan Area Networks (MANs). The IEEE 802 also provide a service in the assignment of OUI and IAB values to define unique address space which may be assigned to individual organizations.
The identified organizations generally focus on the mechanics of network and internetwork operation, less so on rules and restrictions on access to, and the provisioning of services associated with, the network. Presently, access to applications, files, databases, programs, and other capabilities associated with the entirety of a discrete network is restricted primarily based on the identity of the user and/or the network attached function. For the purpose of the description of the present embodiment, a “user” is a human being who interfaces via a computing device with the services associated with a network. For further purposes of clarity, a “network attached function” or an “attached function” may be a user connected to the network through a computing device and a network interface device, an attached device connected to the network, a function using the services of or providing services to the network, or an application associated with an attached device. Upon authentication of the offered attached function identity, that attached function may access network services at the level permitted for that identification. For purposes of the present description, “network services” include, but are not limited to, access, Quality of Service (QoS), bandwidth, priority, computer programs, applications, databases, files, and network and server control systems that attached functions may use or manipulate for the purpose of conducting the business of the enterprise employing the network as an enterprise asset. The basis upon which the network administrator grants particular permissions to particular attached functions in combination with the permissions is an established network usage policy. For example, one policy may be that any user (one type of attached function) with an employee identification number is granted access to the enterprise's electronic mail system at a specified bandwidth and QoS level.
Presently, the network administrator establishes policies. The policies are defined in and regulated through a policy server controlled by the administrator. The established policies are transmitted to the network interface devices of the network infrastructure at the connection point or port. As part of the authentication process, a particular set of policies are established by the administrator for that attached function. That is, the port at which that attached function is attached to the network infrastructure is configured to effect those policies. For example, QoS, bandwidth, and priority levels may be set at certain values for one identified attached function and at different levels for another attached function. Once that set of policies has been established for that attached function, there is typically no coordinated mechanism to revise the set of policies during network connection based on a change of circumstances.
Unfortunately, events and activities do occur that may be harmful to the network system. For purposes of this description, harm to the network system includes, for example, access denial, intentionally tying up network computing resources, intentionally forcing bandwidth availability reduction, and restricting, denying or modifying network-related information. There are currently two generally available forms of network protection designed to minimize such types of network harm. Firewalls are designed to prevent the passage of packets to the network based on certain limited specific conditions associated with the packets. Firewalls do not enable assigned policy modifications. Intrusion Detection Systems (IDS) are designed to observe packets, the state of packets, and patterns of usage of packets entering or within the network infrastructure for harmful behavior. However, the available IDS only report the existence of potentially harmful anomalies and do not enable responsive policy modification. Any adjustment to the state of permitted attached function network usage typically occurs manually after evaluation of the detected anomalies. There is presently little comprehensive capability available for continuous network system monitoring and network-forced adjustment or change of assigned network usage permissions based upon the detection of one or more conditions that would trigger such a change.
In certain limited instances, network usage (meaning first entry to the network system for the purpose of accessing the network services and the subsequent use of such services) may be restricted for reasons other than user authentication. For example, an attached function seeking usage of a discrete network system through dial-up or virtual private networking may be isolated from certain network services simply because private network entry is made through a public portal, i.e., the internet. It is also understood that in certain academic settings offering wireless connectivity, network usage may be limited upon detection of attached function attempts to seek unauthorized access to specified restricted network services. Further, the use of dynamic policy assignment has been defined and extended in co-pending U.S. patent application Ser. No. 10/629,331 entitled “System and Method for Dynamic Network Policy Management” of John Roese et al. and assigned to a common assignee. Even this work, however, leaves cases of insufficient information available to make proper Acceptable Use Policy (AUP) assignments or other dynamic policy decisions. Thus the network system is unable to provide proper services and unable to limit the traffic to and from an attached device sufficiently to: (a) protect the network from an unknown device; and (b) protect the device from attack by the network or from devices/attackers through the network infrastructure. This failure or inability to protect devices such as process or manufacturing control devices from attack by or through the network interface is the exact reason so few systems may be networked beyond the locked doors and well controlled physical access. Despite the benefit of data collection, software updates, and closed loop operation capabilities, the fear and reality of the device vulnerabilities limit the network extent and scale granted to these devices. Often these and other devices lack the security or software and features to interact in a secure network environment. Authentication capabilities may be non-existent; no human user may ever be associated with the device or device may have no interface for authentication, such as WiFi phones.
According to one implementation, a method includes acquiring address block information for an attached function that initiates network access on a distributed computing network. Additional policy information in acquired concerning the attached function. One or more access policies are set based, at least in part, on the address block information and the additional policy information.
One or more of the following features may also be included. The address block information may be obtained from an OUI field of a MAC address. Acquiring additional policy information may include obtaining stored policy information, or querying the attached function for policy information. The additional policy information may include one or more of: attached function location information; attached function configuration information; attached function operating system information; attached function security features information; user location information; and network entry port information. Network operations of the distributed computing network may be monitored to detect when the attached function initiates network access. The attached function may be authenticated in response to the attached function initiating network access.
According to another implementation, a computer program product residing on a computer readable medium has a plurality of instructions stored on it. When the instructions are executed by a processor, the instructions cause the processor to acquire address block information for an attached function that initiates network access on a distributed computing network. Additional policy information in acquired concerning the attached function. One or more access policies are set based, at least in part, on the address block information and the additional policy information.
One or more of the following features may also be included. The address block information may be obtained from an OUI field of a MAC address. Acquiring additional policy information may include obtaining stored policy information, or querying the attached function for policy information. The additional policy information may include one or more of: attached function location information; attached function configuration information; attached function operating system information; attached function security features information; user location information; and network entry port information. Network operations of the distributed computing network may be monitored to detect when the attached function initiates network access. The attached function may be authenticated in response to the attached function initiating network access.
According to another implementation, a system is configured for acquiring address block information for an attached function that initiates network access on a distributed computing network. Additional policy information in acquired concerning the attached function. One or more access policies are set based, at least in part, on the address block information and the additional policy information.
One or more of the following features may also be included. The address block information may be obtained from an OUI field of a MAC address. Acquiring additional policy information may include obtaining stored policy information, or querying the attached function for policy information. The additional policy information may include one or more of: attached function location information; attached function configuration information; attached function operating system information; attached function security features information; user location information; and network entry port information. Network operations of the distributed computing network may be monitored to detect when the attached function initiates network access. The attached function may be authenticated in response to the attached function initiating network access.
The details of one or more implementations is set forth in the accompanying drawings and the description below. Other features and advantages will become apparent from the description, the drawings, and the claims.
In a general aspect, the embodiment adds another element to a dynamic policying system. The use of the OUI field within the MAC address of the IEEE 802 assigned Ethernet address provides another useful data point for dynamic policy and AUP assignment. The OUI is often referred to as the company code and is assigned to a company by the IEEE 802 for use in providing a unique address block to the company for use in their products. IEEE 802 network devices, with the exception of the traditional PC and Laptops, are often becoming specialized commodity items with many dedicated devices emerging. Often the dedicated devices are receiving dedicated OUI identifiers based on the company of origin. Cell phones are a new class of mobile device with this property, for which rapid setup, high QOS and guest service will be required on the enterprise data infrastructure. Additionally, the IEEE address assignment authority has a further refinement of the addressing structure called an Individual Assignment Block (IAB) This block is only 4096 addresses and allows even the smallest business or organization to have unique address groups for their LAN products. In addition to these well defined address blocks, another mechanism exists to provide further meaning and information to an IEEE 802 addressing structure. Local address administration is another technique, whereby the administrators' addresses may be assigned. In a structured approach, these locally administered addresses are generally assigned in groups, blocks, or some organized or hierarchical manner. Local address assignment allows for even stronger association between address and functional capability, network AUP and service requirements, including being the sole definitive, determining factor. These assignments types and techniques of adding grouping and classification to the addressing structure shall be defined herein to be Address Blocks. It should be recognized that the block size may be as large as the addressing capability, or as small as a single address. Additionally, other structure may be added or impressed by assignment or interpretation to the addressing, such as groups within groups or hierarchical mapping. Address blocks may provide at least a strong hint or even a definitive requirement to the network use, capabilities, limitations and needs of the devices using these addresses. Dynamic policy systems may further refine the AUP, ingress and egress policy assignment based on additional data and event information. However, the address block information provides an extremely strong starting point in that process. This address block based starting point for the static or dynamic policy based system may vastly decrease the effort and time to place the device in the “best” policy assigned states. Here, “best” is defined as the most restrictive policies in terms of packets egressing to the device (protect the device from harm by the network) and full coverage of all required ingress capabilities including all features, bandwidth and forwarding QOS metrics, while further limiting its ingress as completely as possible to ONLY the required ingress capabilities (tightly controlled AUP assignment).
The address block can simple be considered another finer grained event in the trigger based system of dynamic policy. A trigger is any detected or observed event, activity, occurrence, information or characteristic identified in a network system by the network administrator as being of interest for the purpose of making a modification to an assigned set of policies. The types of triggers that define usage restrictions may be of any type of interest to the network administrator, including those associated with user authentication as traditionally understood. Examples of relevant triggers will be provided herein. The system configuration can vary and can include any type of data network, including LANs, MANs, Wide Area Networks (WANs), Personal Area Networks (PANs), Virtual Private Networks (VPNs), and Home Networks. The system may be used in any of a variety of ways to improve network usage, configuration accuracy, allocation of network resources, control, and security.
The present embodiment is a system and related method for provisioning policies to attached functions in a dynamic manner using address block information as an input. Referring to
One or more of the devices of the infrastructure 101 include a dynamic policy function module 108 (e.g., modules 108a, 108b, 108c, 108d). The dynamic policy function module 108 includes the sub-functions of monitoring the network for triggers, including address block information, decision making of whether to modify an assigned set of policies and, if so, in what way, and enforcement of the assigned set of policies. The dynamic policy function module 108 of any particular device of infrastructure 101 may include any one or more of the three identified sub-functions. It is contemplated that the policy server 103 under control of the network administrator will have primary responsibility for decision making of assigning and modifying sets of policies. However, it is also contemplated that some decision making may be established in the module 108 of a network device. That is, for example, module 108c of central switching device 106 may include the decision making sub-function and modules 108a and 108b of network entry devices 104a and 104b (respectively) may have monitoring and enforcement sub-functions for the attached functions to which they are connected. In addition, there may be network devices that have no dynamic policy function module 108. Instead, such “dumb” devices may simply provide packet exchange functionality only and leave monitoring, decision making and enforcement to other devices of the infrastructure 101. The dynamic policy sub-functions may include algorithms and processes necessary to identify information about attached functions, monitor network activity, enforce sets of policies, and make decisions regarding assigned policies. Module 108 can be implemented in hardware and/or software. For example, particular software, firmware, or microcode functions executing on the network infrastructure devices can provide the monitoring functions to be described herein, policy enforcement as presently available in network infrastructure devices, and policy decision making. Alternatively, or in addition, hardware modules, such as programmable arrays, can be used in the devices to provide some or all of those capabilities.
In the illustrated network system 100, an attached function such as a service 104a attaches to infrastructure 101 via cable 109 through connection point 102b (e.g., a jack in a wall). Similarly, network infrastructure entry devices 105a-b and central switching device 106 connect to each other using cables 110 and 111 to connection points 102g-h. In a portion of the network employing cables, a connection point (e.g., 102a-j) is the terminus of the cable where a device physically attaches.
Access by an attached function to the network services associated with network system 100 includes a setting of static and/or dynamic policies, referred to generally as a set of policies, for the attached function. Sets of policies are established by the network administrator. Information regarding an attached function seeking or having access to network services and the sets of policies may be stored centrally or in a distributed manner, including being stored locally. In an example of a centralized approach, the policying system of the present embodiment stores attached function and policy set information for all of the connection points of the network system 100 in a server such as policy server 103. In an example of a distributed approach, described in more detail in the alternatives section below, the policying system stores attached function and policy set information for all attached functions, or a portion of the attached functions, in one or more of the local network devices 105a-b and 106 of the network infrastructure 101.
The system of the present embodiment is able to enforce established and generated policies, on an initial and continual basis, based on usage permission rules established by a network administrator and these may contain address block information. It can restrict usage of the network system and its services based on the attached function's characteristics, the particular connection point through which network infrastructure connection is established, and network system events related or unrelated to the attached function. All policy sets may be directed to all network entry devices. Alternatively, the policy sets may be apportioned among the network entry devices and attached functions forced to particular connection points based on established sets of policies. It is contemplated that multiple policies will be applied to the connection points, some with overlapping purpose. Also, some policies configured at the network entry devices may be applicable to some attached functions but not to others.
As illustrated in
Entry to the network system 100, and the infrastructure 101 primarily, may also be initially regulated using authentication systems such as Network Operating Systems (NOSs), Remote Authentication Dial-In User Service (RADIUS), described in IETF Request For Comment (RFC) 2138, IEEE 802.1X standard and/or address block information and other techniques.
In addition to acquiring the attached function information necessary to authenticate access to the network services, the policying system is configured to obtain stored information or query the attached function (step 203) for such further additional information identified by the network administrator as being of importance in assessing relevant policies. Such further additional information includes, but is not limited to: attached function location, attached function configuration, attached function operating system, attached function security features, user location, and network entry port information. Based upon information obtained using address block information (step 202) and the additional attached function information (if any) (step 203), the system 100 makes a preliminary determination of the attached function's permission to access network services (step 204). If the information acquired is authenticated or otherwise accepted, the attached function enters the network. The process 200 further includes a check on whether additional challenges have been established upon preliminary permitted entry to the network infrastructure 101, or if additional external challenges have been established. Process 200 continues with the normal dynamic policy process of obtaining network, user, device, application information (step 205) and applying dynamic policy rules applicable to such events (step 206), as disclosed in U.S. patent application Ser. No. 11/066,622, filed 25 Feb. 2005, and entitled “DYNAMIC NETWORK DETECTION SYSTEM AND METHOD”.
The policying system of the present embodiment is configured to maintain and update the information associated with the attached functions and the network infrastructure 101 of the network system 100 in a centralized database, including the saved policies history. Alternatively, the saved policies history may be stored in a distributed manner, including, for example, being stored or cached on a local network access device. The information included in the database can vary. For example, a table containing the information may form part of or be accessible by the database. Such a table may associate each attached function with one or more access devices, one or more access connection points, applications requested, priority requested, as well as other information of the type represented in
Use of the above techniques enables the system of the present embodiment to restrict access to the network system 100 and network services including, but not limited to data, applications, specific network infrastructure devices, data and network service, QoS levels, network tools, and the like, based on the attached function and the connection point through which the attached function seeks network usage, and based on monitored triggers. Further to the techniques above, system 100 can employ the specified information to effect a modification of the usage requirements. For example, when an attached function is permitted network services usage via a connection point deemed not to be inherently secure (e.g., an edge switch port associated with an external internet connection), the policying system can prompt the attached function to initiate an improved connection, such as a VPN, or can notify the attached function that supplemental restrictions apply while in the insecure area. More generally, this can be seen as an expansion of policy-based usage in that the usage rules for an individual attached function may be adapted at any time for any reason. Policies may be changed upon access request, during a session, or even during an exchange flow.
As noted, the present system and related method employ a centralized policy server 103 that includes network usage policy enforcement and decision making capabilities. It may also include the policy information database. Also as indicated, that functionality may be distributed throughout the infrastructure 101. As described below, for a distributed system example, devices both inside and outside network infrastructure 101 can optionally maintain policy information that affects their operation. Relatedly, the policy information may be stored in the centralized policy server 103, distributed, or stored or cached locally for rapid access and access permissions established by the designated policies.
The following is a list of a few possible devices (but not limited to only those devices) that can contain the policy server and/or any one or more of the dynamic policy sub-functions: network switches, data switches, routers, firewalls, gateways, computing devices such as network file servers or dedicated usage servers, management stations, network connected voice over IP/voice over data systems such as hybrid PBXs and VoIP call managers, network layer address configuration/system configuration servers such as enhanced DHCP servers, enhanced Bootstrap Protocol (bootp) servers, IPv6 address auto-discovery enabled routers, and network based authentication servers providing services such as radius, extensible authentication protocol/IEEE 802.1X or others.
Additionally, the processes, steps thereof and various examples and variations of these processes and steps, individually or in combination, may be implemented as a computer program product tangibly as computer-readable signals on a computer-readable medium, for example, a non-volatile recording medium, an integrated circuit memory element, or a combination thereof. Such computer program product may include computer-readable signals tangibly embodied on the computer-readable medium, where such signals define instructions, for example, as part of one or more programs that, as a result of being executed by a computer, instruct the computer to perform one or more processes or acts described herein, and/or various examples, variations and combinations thereof. Such instructions may be written in any of a plurality of programming languages, for example, Java, Visual Basic, C, or C++, Fortran, Pascal, Eiffel, Basic, COBOL, and the like, or any of a variety of combinations thereof. The computer-readable medium on which such instructions are stored may reside on one or more of the components of system 100 described above and may be distributed across one or more such components.
The following examples may help illustrate the embodiment:
To automatically detect all Avaya IP phones in a network, one could use this feature to look for any attached device with the Avaya OUI of “00-04-OD” and associate those devices to a restrictive role suitable for IP phones. Continuing dynamic policy management may then further modify the port policies.
To detect all HP printers using JetDirect cards, the HP OUI could be used as a trigger. Possible policy assignments would be to allow LPR or other printing protocols at 5 MB/S, allow administrative protocols only from the network operations center IP addresses and finally prohibit all other protocols. The result is that the printer is manageable, useable and protected dynamically from all other attacks.
To detect the attachment of an IP enabled Allen Bradley numerically controlled milling machine or other industrial systems, the presence of OUI “00-00-BC” would be enough to trigger a policy set appropriate for that type of system. Egress policies to that machine may be extremely tight allowing no packet for which older equipment may have known security vulnerabilities.
Attachment of WiFi enabled IP phones need proper detection to give them access to real time service over an enterprise guest network. This is needed as these devices are not able to authenticate via traditional techniques, as a PC could, and therefore should be less trusted, but they require higher priority services for RTP and SIP than a user in the default guest role. OUI detection could allow for a slight over-ride of default policies without requiring complex authentication methods.
Specific assignment of local addresses to devices with known security vulnerabilities would allow their use on a network system which could otherwise exploit those vulnerabilities. The network devices could cache policy and AUP assignments and enable them independent of any other authentication techniques or methods to insure both ingress and egress policies are in place immediately upon network connection. This would make it impossible to exploit known device vulnerabilities, even for the hacker who knows the device is present on the network.
A number of examples to help illustrate the embodiment have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the embodiment. Accordingly, other embodiments are within the scope of this embodiment.
This application claims the priority of U.S. Provisional Application Ser. No. 60/599,626, entitled “System and Method for Address Block Enhanced Dynamic Network Policy Management”, and filed 6 Aug. 2004; which is herein incorporated by reference. This application is a continuation-in-part of U.S. patent application Ser. No. 11/066,622, filed 25 Feb. 2005, and entitled “DYNAMIC NETWORK DETECTION SYSTEM AND METHOD”; which is herein incorporated by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4627052 | Hoare et al. | Dec 1986 | A |
| 4734907 | Turner | Mar 1988 | A |
| 4823338 | Chan et al. | Apr 1989 | A |
| 4939726 | Flammer et al. | Jul 1990 | A |
| 5076688 | Bowen et al. | Dec 1991 | A |
| 5090025 | Marshall et al. | Feb 1992 | A |
| 5095480 | Fenner | Mar 1992 | A |
| 5132926 | MacEachem et al. | Jul 1992 | A |
| 5136580 | Videlock et al. | Aug 1992 | A |
| 5173933 | Garner et al. | Dec 1992 | A |
| 5243652 | Teare et al. | Sep 1993 | A |
| 5289460 | Drake, Jr. et al. | Feb 1994 | A |
| 5331637 | Francis et al. | Jul 1994 | A |
| 5355371 | Auerbach et al. | Oct 1994 | A |
| 5355375 | Christensen | Oct 1994 | A |
| 5361256 | Doeringer et al. | Nov 1994 | A |
| 5367667 | Wahlquist | Nov 1994 | A |
| 5394402 | Ross | Feb 1995 | A |
| 5396493 | Sugiyama | Mar 1995 | A |
| 5400326 | Smith | Mar 1995 | A |
| 5428615 | Backes et al. | Jun 1995 | A |
| 5434855 | Perlman et al. | Jul 1995 | A |
| 5442633 | Perkins et al. | Aug 1995 | A |
| 5444702 | Burnett et al. | Aug 1995 | A |
| 5448565 | Chang et al. | Sep 1995 | A |
| 5475781 | Chang et al. | Dec 1995 | A |
| 5481540 | Huang | Jan 1996 | A |
| 5485455 | Dobbins et al. | Jan 1996 | A |
| 5491694 | Oliver et al. | Feb 1996 | A |
| 5500860 | Perlman et al. | Mar 1996 | A |
| 5506838 | Flanagan | Apr 1996 | A |
| 5511168 | Perlman et al. | Apr 1996 | A |
| 5517494 | Green | May 1996 | A |
| 5517620 | Hashimoto et al. | May 1996 | A |
| 5519760 | Borkowski et al. | May 1996 | A |
| 5521910 | Matthews | May 1996 | A |
| 5530703 | Liu et al. | Jun 1996 | A |
| 5550816 | Hardwick et al. | Aug 1996 | A |
| 5553083 | Miller | Sep 1996 | A |
| 5583861 | Holden | Dec 1996 | A |
| 5606602 | Coyle et al. | Feb 1997 | A |
| 5608726 | Virgile | Mar 1997 | A |
| 5613069 | Walker | Mar 1997 | A |
| 5621793 | Bednarek et al. | Apr 1997 | A |
| 5634011 | Auerbach et al. | May 1997 | A |
| 5640452 | Murphy | Jun 1997 | A |
| 5659617 | Fischer | Aug 1997 | A |
| 5675582 | Hummel et al. | Oct 1997 | A |
| 5684800 | Dobbins et al. | Nov 1997 | A |
| 5727057 | Emery et al. | Mar 1998 | A |
| 5734865 | Yu | Mar 1998 | A |
| 5740171 | Mazzola et al. | Apr 1998 | A |
| 5742604 | Edsall et al. | Apr 1998 | A |
| 5745685 | Kirchner et al. | Apr 1998 | A |
| 5752003 | Hart | May 1998 | A |
| 5754657 | Schipper et al. | May 1998 | A |
| 5757916 | MacDoran et al. | May 1998 | A |
| 5781726 | Pereira | Jul 1998 | A |
| 5781737 | Schmidt | Jul 1998 | A |
| 5790074 | Rangedahl et al. | Aug 1998 | A |
| 5812819 | Rodwin | Sep 1998 | A |
| 5825772 | Dobbins et al. | Oct 1998 | A |
| 5862338 | Walker et al. | Jan 1999 | A |
| 5874964 | Gille | Feb 1999 | A |
| 5881236 | Dickey | Mar 1999 | A |
| 5892451 | May et al. | Apr 1999 | A |
| 5892910 | Safadi | Apr 1999 | A |
| 5892912 | Suzuki et al. | Apr 1999 | A |
| 5898686 | Virgile | Apr 1999 | A |
| 5905779 | Steinmetz | May 1999 | A |
| 5920699 | Bare | Jul 1999 | A |
| 5922073 | Shimada | Jul 1999 | A |
| 5963556 | Varghese et al. | Oct 1999 | A |
| 5983364 | Bortcosh | Nov 1999 | A |
| 5999126 | Ito | Dec 1999 | A |
| 6005864 | Krause | Dec 1999 | A |
| 6006259 | Adelman et al. | Dec 1999 | A |
| 6012088 | Li et al. | Jan 2000 | A |
| 6018771 | Hayden | Jan 2000 | A |
| 6035105 | McCloghrie et al. | Mar 2000 | A |
| 6041166 | Hart et al. | Mar 2000 | A |
| 6044400 | Golan et al. | Mar 2000 | A |
| 6061797 | Jade et al. | May 2000 | A |
| 6070079 | Kuwahara | May 2000 | A |
| 6076114 | Wesley | Jun 2000 | A |
| 6078957 | Adelman et al. | Jun 2000 | A |
| 6085243 | Fletcher et al. | Jul 2000 | A |
| 6094434 | Kotzur et al. | Jul 2000 | A |
| 6105027 | Schneider et al. | Aug 2000 | A |
| 6105064 | Davis et al. | Aug 2000 | A |
| 6108365 | Rubin et al. | Aug 2000 | A |
| 6115754 | Landgren | Sep 2000 | A |
| 6122664 | Boukobza et al. | Sep 2000 | A |
| 6130890 | Leinwand et al. | Oct 2000 | A |
| 6131120 | Reid | Oct 2000 | A |
| 6151324 | Belser et al. | Nov 2000 | A |
| 6151631 | Ansell et al. | Nov 2000 | A |
| 6157647 | Husak | Dec 2000 | A |
| 6167275 | Oros et al. | Dec 2000 | A |
| 6167513 | Inoue et al. | Dec 2000 | A |
| 6192045 | Williams | Feb 2001 | B1 |
| 6192403 | Jong et al. | Feb 2001 | B1 |
| 6201789 | Witkowski et al. | Mar 2001 | B1 |
| 6205126 | Moon | Mar 2001 | B1 |
| 6212391 | Saleh et al. | Apr 2001 | B1 |
| 6216159 | Chintakrindi et al. | Apr 2001 | B1 |
| 6222840 | Walker et al. | Apr 2001 | B1 |
| 6230018 | Watters et al. | May 2001 | B1 |
| 6233242 | Mayer et al. | May 2001 | B1 |
| 6236365 | LeBlanc et al. | May 2001 | B1 |
| 6256338 | Jalloul et al. | Jul 2001 | B1 |
| 6259404 | Parl et al. | Jul 2001 | B1 |
| 6273622 | Ben-David | Aug 2001 | B1 |
| 6286044 | Aoyama et al. | Sep 2001 | B1 |
| 6304218 | Sugiura et al. | Oct 2001 | B1 |
| 6308273 | Goertzel et al. | Oct 2001 | B1 |
| 6317500 | Murphy | Nov 2001 | B1 |
| 6327474 | Ruutu et al. | Dec 2001 | B1 |
| 6327535 | Evans et al. | Dec 2001 | B1 |
| 6343317 | Glorikian | Jan 2002 | B1 |
| 6363422 | Hunter et al. | Mar 2002 | B1 |
| 6370629 | Hastings et al. | Apr 2002 | B1 |
| 6388618 | Stilp et al. | May 2002 | B1 |
| 6421009 | Suprunov | Jul 2002 | B2 |
| 6442394 | Valentine et al. | Aug 2002 | B1 |
| 6442616 | Inoue et al. | Aug 2002 | B1 |
| 6453237 | Fuchs et al. | Sep 2002 | B1 |
| 6456853 | Arnold | Sep 2002 | B1 |
| 6460084 | Van Horne et al. | Oct 2002 | B1 |
| 6466786 | Wallenius | Oct 2002 | B1 |
| 6480495 | Mauger et al. | Nov 2002 | B1 |
| 6523064 | Akatsu et al. | Feb 2003 | B1 |
| 6539229 | Ali | Mar 2003 | B1 |
| 6542813 | Kovacs | Apr 2003 | B1 |
| 6556831 | Buppelmann | Apr 2003 | B1 |
| 6577636 | Sang et al. | Jun 2003 | B1 |
| 6580914 | Smith | Jun 2003 | B1 |
| 6583713 | Bates | Jun 2003 | B1 |
| 6640184 | Rabe | Oct 2003 | B1 |
| 6640248 | Jorgensen | Oct 2003 | B1 |
| 6665715 | Houri | Dec 2003 | B1 |
| 6701864 | Watson et al. | Mar 2004 | B2 |
| 6716101 | Meadows et al. | Apr 2004 | B1 |
| 6741863 | Chiang et al. | May 2004 | B1 |
| 6757545 | Nowak et al. | Jun 2004 | B2 |
| 6757740 | Parekh et al. | Jun 2004 | B1 |
| 6771639 | Holden | Aug 2004 | B1 |
| 6778818 | O'Neil | Aug 2004 | B1 |
| 6795688 | Plasson et al. | Sep 2004 | B1 |
| 6799049 | Zellner et al. | Sep 2004 | B1 |
| 6807427 | Sakamoto et al. | Oct 2004 | B1 |
| 6813501 | Kinnunen et al. | Nov 2004 | B2 |
| 6826385 | Kujala | Nov 2004 | B2 |
| 6826617 | Ansell et al. | Nov 2004 | B1 |
| 6834195 | Brandenberg et al. | Dec 2004 | B2 |
| 6859791 | Spagna et al. | Feb 2005 | B1 |
| 6889051 | Ogino et al. | May 2005 | B2 |
| 6889053 | Chang et al. | May 2005 | B1 |
| 6920329 | Kennedy et al. | Jul 2005 | B2 |
| 6934548 | Gould et al. | Aug 2005 | B1 |
| 6937988 | Hemkumar et al. | Aug 2005 | B1 |
| 6938096 | Greschler et al. | Aug 2005 | B1 |
| 6983313 | Korkea-Aho | Jan 2006 | B1 |
| 6985731 | Johnson et al. | Jan 2006 | B1 |
| 7010583 | Aizono et al. | Mar 2006 | B1 |
| 7089264 | Guido et al. | Aug 2006 | B1 |
| 7120449 | Muhonen et al. | Oct 2006 | B1 |
| 7136915 | Rieger, III | Nov 2006 | B2 |
| 7139829 | O'Toole et al. | Nov 2006 | B2 |
| 7197556 | Short et al. | Mar 2007 | B1 |
| 20010022558 | Karr, Jr. et al. | Sep 2001 | A1 |
| 20010039623 | Ishikawa | Nov 2001 | A1 |
| 20020010866 | McCullough et al. | Jan 2002 | A1 |
| 20020016831 | Peled et al. | Feb 2002 | A1 |
| 20020023010 | Rittmaster et al. | Feb 2002 | A1 |
| 20020034953 | Tricarico | Mar 2002 | A1 |
| 20020046073 | Indseth et al. | Apr 2002 | A1 |
| 20020051540 | Glick et al. | May 2002 | A1 |
| 20020052180 | Ravishankar et al. | May 2002 | A1 |
| 20020062379 | Widegren et al. | May 2002 | A1 |
| 20020063656 | Gutowski | May 2002 | A1 |
| 20020107029 | Caughran et al. | Aug 2002 | A1 |
| 20020122055 | Parupudi et al. | Sep 2002 | A1 |
| 20020138632 | Bade et al. | Sep 2002 | A1 |
| 20020164996 | Dorenbosch | Nov 2002 | A1 |
| 20020188842 | Willeby | Dec 2002 | A1 |
| 20030035544 | Herle et al. | Feb 2003 | A1 |
| 20030041167 | French et al. | Feb 2003 | A1 |
| 20030065571 | Dutta | Apr 2003 | A1 |
| 20030095509 | Ramanan et al. | May 2003 | A1 |
| 20030107590 | Levillain et al. | Jun 2003 | A1 |
| 20030185233 | Ji et al. | Oct 2003 | A1 |
| 20030208523 | Gopalan et al. | Nov 2003 | A1 |
| 20040064334 | Nye | Apr 2004 | A1 |
| 20050199792 | Argast et al. | Sep 2005 | A1 |
| Number | Date | Country |
|---|---|---|
| 1154624 | Nov 2001 | EP |
| 9428683 | Dec 1994 | WO |
| 9705749 | Feb 1997 | WO |
| 9741654 | Nov 1997 | WO |
| 9819482 | May 1998 | WO |
| 0022862 | Apr 2000 | WO |
| 0044149 | Jul 2000 | WO |
| 0067450 | Nov 2000 | WO |
| 0069198 | Nov 2000 | WO |
| 0108425 | Feb 2001 | WO |
| 0122656 | Mar 2001 | WO |
| 0169956 | Sep 2001 | WO |
| 0176093 | Oct 2001 | WO |
| 0182259 | Nov 2001 | WO |
| 0194967 | Dec 2001 | WO |
| 0195505 | Dec 2001 | WO |
| 0209456 | Jan 2002 | WO |
| 0212914 | Feb 2002 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20060036730 A1 | Feb 2006 | US |
| Number | Date | Country | |
|---|---|---|---|
| 60599626 | Aug 2004 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 11066622 | Feb 2005 | US |
| Child | 11199552 | US |
