|Publication number||US20060075467 A1|
|Application number||US 11/167,747|
|Publication date||Apr 6, 2006|
|Filing date||Jun 27, 2005|
|Priority date||Jun 28, 2004|
|Also published as||EP1766926A1, EP1766927A1, EP1766928A2, EP1766931A1, US7760882, US20060023738, US20060064588, US20060072583, US20060075472, US20060075506, WO2006004784A1, WO2006004785A1, WO2006004786A1, WO2006004928A2, WO2006004928A3, WO2006004930A1, WO2006012058A1, WO2006012346A1|
|Inventors||Frank Sanda, Naohisa Fukuda, Edward Laves, Robert Johnston, Justin Tidwell, Raymond Gurgone, David Robins, Laura Worthington, Karlton Zeitz|
|Original Assignee||Sanda Frank S, Naohisa Fukuda, Laves Edward W, Johnston Robert L, Tidwell Justin O, Gurgone Raymond T, Robins David S, Worthington Laura J, Zeitz Karlton M|
This application claims priority to Application Ser. No. 60/583,765, filed on Jun. 28, 2004, titled “Controlling Use of a Mobile Work Station Based on Network Environment,” Application Ser. No. 60/598,364, filed on Aug. 3, 2004, titled “Systems and Methods for Enhancing and Optimizing a User's Experience on an Electronic Device,” Application Ser. No. 60/652,121, filed on Feb. 11, 2005, titled “Remote Access Services,” and Application Ser. No. 60/653,411, filed on Feb. 16, 2005, titled “Creating an Environment for Secure Mobile Access Anywhere,” the entirety of all of which are incorporated herein by reference.
The present invention relates generally to computer networking and, more particularly to systems and methods for enhanced network access.
As the workforce becomes more mobile, enterprises often must provide a means for their users to connect to the enterprise network remotely. Enterprises and their users have much greater flexibility in selecting methods of connecting to the enterprise network as well as other resources, such as the Internet. With this added flexibility comes a concomitant increase in complexity and risk. Thus, although remote access may be necessary, enterprises may resist providing their users with remote access.
Each remote method for connecting to an enterprise network opens a potential security hole that might be exploited. For instance, listeners on a network, such as rogue access points, may be able to determine a user's username/password combination for accessing the network.
Also, each connection type may be purchased from a different network provider. The enterprise must reconcile charges from each of the providers for each of the users accessing the network remotely.
Further, every conventional connection product connecting to the enterprise network provides a unique interface. And although each interface may be relatively straightforward, complexity arises from the enterprise and its users having to deal with multiple interfaces for each of the various network connections the user wishes to make.
Embodiments of the present invention provide systems and methods for enhanced network access. One aspect of one embodiment of the present invention comprises receiving a request to connect to a network, the request associated with a user, determining a policy associated with the user, identifying at least one available network connection, determining at least one property of the at least one available network connection, evaluating the property based at least in part on the policy, and selecting the at least one available network connection based on the evaluation. In another embodiment, a computer-readable medium (such as, for example random access memory or a computer disk) comprises code for carrying out such a method.
This illustrative embodiment is mentioned not to limit or define the invention, but to provide one example to aid understanding thereof. Illustrative embodiments are discussed in the Detailed Description, and further description of the invention is provided there. Advantages offered by the various embodiments of the present invention may be further understood by examining this specification.
These and other features, aspects, and advantages of the present invention are better understood when the following Detailed Description is read with reference to the accompanying drawings, wherein:
Embodiments of the present invention provide systems and methods for enhanced network access. There are multiple embodiments of the present invention. By way of introduction and example, one illustrative embodiment of the present invention provides a method for a client device to seamlessly switch from a first network connection to a second.
As a mobile client device moves from a first location to a second location, the device is provided with an indication that the second network connection is available. The device determines a set of properties regarding the second connection, such as speed, reliability, and cost for the connection. The client device then evaluates these properties based on a set of policies, which are specified by the enterprise with which the user is associated, so that at any one time, the user is connected to the “best” network from the point of view of the enterprise. A rules engine automatically determines which of the two connections is most suitable based on the policies and the properties of the connection.
For instance, the second connection may be faster and cheaper than the first. However, the first connection is more reliable. The enterprise policies weigh speed and cost more highly than reliability. Thus, the client device automatically switches from the first connection to the second connection without any user intervention.
This introduction is given to introduce the reader to the general subject matter of the application. By no means is the invention limited to such subject matter. Illustrative embodiments are described below.
Various systems in accordance with the present invention may be constructed. Referring now to the drawings in which like numerals indicate like elements throughout the several figures,
Communication with the security server 104 occurs via a network 108. The network 108 may comprise a public or private network and may include the Internet. The network may also comprise a plurality of networks, including, for example, dedicated phone lines between the various components. In one embodiment, the client 102 communicates with the security server 104 via a virtual private network (“VPN”) established over the Internet.
The security server 104 is also in communication with an enterprise server 106 via a network. The network 108 may comprise various elements, both wired and wireless. In one embodiment, the communication between the security server 104 and enterprise server 106 occurs over a static VPN established over dedicated communication lines.
In one embodiment, a user connects a client device 102 to the network 108 using a network access user interface. The network access user interface is always on and only allows the user to connect to the network 108 via the interface. The network access user interface automatically causes the client 102 to connect to the security server 104 through the network 108. The security server 104 provides value added services to the client 102 and to one or more enterprises. Access to other services, such as the Internet, may be provided via the security server 104.
The modules shown in
The client 102 shown in
In another embodiment of the present invention, the VPN client 202 is used for four purposes: (1) managing policy files, which include information such as a gateway Internet Protocol (IP) address, secrecy and authentication level, and hash; (2) automatically connecting a VPN; (3) automatically disconnecting the VPN; and (4) monitoring the status of the VPN. Each of these four purposes may be affected by other modules, including, for example, the connection manager 210.
The client 102 also comprises a secure vault 204. The secure vault 204 protects content on the client 102. In one embodiment, the secure vault 204 is responsible for storing encrypted content on the client 102 and allowing access to the encrypted content based on a set of permissions or policies. In such an embodiment, a content creator can provide access via a viewer to secured content and allow a recipient of the content read-only access or allow the recipient to perform other tasks, such as modifying the content and forwarding it to other users. In another embodiment, the secure vault 204 allows the user to create and distribute secure content to other clients 102; for example, the content creator can decide to send a document to several users and allow two of the users full access and one of the users read-only access.
The client 102 shown in
For example, the IT manager may classify a Wireless Fidelity (“Wi-Fi”) network interface as dangerous since it has traditionally been considered fairly unsafe. The IT manager may then apply more restrictive port-blocking rules to the dangerous zone than to the safe zone, which may contain network interface devices such as those used to connect to a wired Local Area Network (“LAN”) or a Personal Handyphone System (“PHS”) cellular connection. The PHS standard is a TDD-TDMA based microcellular wireless communications technology and has been traditionally considered relatively safer than Wi-Fi connections. The PHS cellular connection may also be referred to as a wireless wide area network (“WWAN”) as opposed to a dial-up connection providing access to a wide area network (“WAN”).
In various other embodiments, the port-blocking rules of the firewall 206 may be based on time of day, client IP address, terminating IP address, terminating and originating port, protocol, and other variables. In one embodiment, the port-blocking rules are based on policy data associated with individual users logged into the client 102.
In one embodiment, the port-blocking rules of the firewall 206 include a blacklist. The blacklist allows an IT manager to prevent an application from executing on the client 102. For instance, an IT manager may blacklist a DVD player so that a user is unable to view DVD's on the client 102. The firewall 206 may provide a message to the user informing the user that an application is unavailable.
In another embodiment, the firewall 206 implements a white list. The white list is somewhat more restrictive than the blacklist described above. The white list allows only specified applications to execute. For example, an IT manager may allow only MS Word, Excel, PowerPoint, and Outlook to execute. No other applications will be permitted to execute. The firewall 206 may be a custom firewall or a third-party firewall integrated into an embodiment of the present invention.
The embodiment shown in
The client 102 also comprises a connection manager 210, which includes a rules processor. In one embodiment, the connection manager 210 assigns a priority number to every connection, e.g., one to one hundred, and selects the connection with the highest number to connect to.
The connection manager 210 may provide a connection to a variety of networks, including, for example, dial-up, LAN, digital subscriber line (“DSL”), cable modem, Wi-Fi, wireless local area network (“WLAN”), PHS, and satellite.
In one embodiment, the connection manager 210 differentiates between public and private connections. A public connection is a connection provided by a service provider who has a relationship with the administrator of the security server 104, which allows the security server 104 to authenticate the connection. For instance, the security server 104 administrator may have a business arrangement with a hotspot provider. In order to connect, the client 102 connects to a local access point and the authentication of the user occurs automatically at the security server 104. In contrast, a private connection requires that all aspects of the authentication mechanism for a connection are managed in the absence of the security server 104, although the connection manager may provide certain facilities to allow for automated authentication where possible.
In one embodiment, the connection manager 210 makes connections available or unavailable to the client 102 based on policies present on the client 102. The connection manager 210 may also download changes to policy data and transmit quality of service (“QoS”) and other data to the security server 104 or the enterprise server 106.
In one embodiment, the connection manager 210 determines the type of connections that are available based on signals provided by hardware associated with the client 102. For example, when the client 102 passes near a hotspot, a Wi-Fi card in the client 102 senses the hotspot and sends a signal to the connection manager 210. For instance, the Wi-Fi card may sense a broadcast service set identifier (“SSID”). Once the signal exceeds a threshold, the connection manager 210 provides a signal to a user of the client 102 that the network is available or may automatically connect to the hotspot. Alternatively, the Wi-Fi card may poll for a non-broadcast SSID. The connection manager 210 may provide a single connection to the client 102 at one time or may provide multiple connections to the client 102.
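The rules processor described above (policy weights applied to speed, cost and reliability, a 1 to 100 priority per connection, highest priority selected) can be written out as follows. This is an added example, not code from the application; the property names, the normalisation, the signal threshold and the sample connections and policies are all assumptions chosen to match the description.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """Properties the connection manager learns about one available connection."""
    name: str
    kind: str              # e.g. "wifi", "phs", "lan"
    speed_mbps: float      # measured or advertised throughput
    cost_per_mb: float     # usage-based transport cost (0.0 for flat-rate)
    reliability: float     # fraction of past sessions that ended normally, 0..1
    signal: float = 1.0    # normalised signal strength for wireless, 0..1


@dataclass(frozen=True)
class Policy:
    """Enterprise policy: how much each property matters, and which kinds are allowed."""
    weight_speed: float
    weight_cost: float
    weight_reliability: float
    allowed_kinds: frozenset
    min_signal: float = 0.3  # assumed threshold below which an interface is not offered


def eligible(conn: Connection, policy: Policy) -> bool:
    """Policy gate: kinds the enterprise forbids (e.g. Wi-Fi in a 'dangerous' zone)
    and interfaces whose signal is below the threshold are never ranked."""
    return conn.kind in policy.allowed_kinds and conn.signal >= policy.min_signal


def priority(conn: Connection, policy: Policy, max_speed: float, max_cost: float) -> int:
    """Weighted property scores mapped onto the 1..100 priority scale."""
    speed_score = conn.speed_mbps / max_speed if max_speed > 0 else 1.0
    cost_score = 1.0 - conn.cost_per_mb / max_cost if max_cost > 0 else 1.0
    total_weight = policy.weight_speed + policy.weight_cost + policy.weight_reliability
    weighted = (policy.weight_speed * speed_score
                + policy.weight_cost * cost_score
                + policy.weight_reliability * conn.reliability) / total_weight
    return int(round(1 + 99 * weighted))


def rank_connections(connections, policy: Policy) -> dict:
    """Priority number for every eligible connection, keyed by name."""
    candidates = [c for c in connections if eligible(c, policy)]
    if not candidates:
        return {}
    max_speed = max(c.speed_mbps for c in candidates)
    max_cost = max(c.cost_per_mb for c in candidates)
    return {c.name: priority(c, policy, max_speed, max_cost) for c in candidates}


def select_connection(connections, policy: Policy):
    """Name of the highest-priority eligible connection, or None if nothing qualifies."""
    ranked = rank_connections(connections, policy)
    if not ranked:
        return None
    return max(ranked, key=ranked.get)


# Constructed sample data: a slow, metered but reliable PHS link and a fast,
# free but flaky cafe hotspot, as in the introduction's two-connection scenario.
SAMPLE_CONNECTIONS = (
    Connection("corp-phs", "phs", speed_mbps=1.0, cost_per_mb=0.10, reliability=0.99),
    Connection("cafe-wifi", "wifi", speed_mbps=10.0, cost_per_mb=0.0, reliability=0.60, signal=0.8),
)
SPEED_AND_COST_FIRST = Policy(0.4, 0.4, 0.2, frozenset({"wifi", "phs", "lan"}))
RELIABILITY_FIRST = Policy(0.1, 0.1, 0.8, frozenset({"wifi", "phs", "lan"}))
NO_WIFI = Policy(0.4, 0.4, 0.2, frozenset({"phs", "lan"}))   # Wi-Fi zone blocked outright

if __name__ == "__main__":
    for label, pol in [("speed/cost first", SPEED_AND_COST_FIRST),
                       ("reliability first", RELIABILITY_FIRST),
                       ("no wifi", NO_WIFI)]:
        print(label, rank_connections(SAMPLE_CONNECTIONS, pol),
              "->", select_connection(SAMPLE_CONNECTIONS, pol))
```

With the first policy the hotspot wins (92 vs 25); with reliability weighted highest the PHS link wins (80 vs 68); with Wi-Fi disallowed the hotspot is never ranked at all.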
The client 102 shown in
In one embodiment, the QoS collector 212 collects data regarding a connection during a session but does not send the data for a session until the next session. Thus, if a session is terminated abnormally, the QoS data will still be collected and transferred successfully. In another embodiment, the QoS collector 212 transfers data only when a particular type of connection is detected, such as a high-speed or low cost connection.
The client 102 also comprises a session statistics module 214. The session statistics module stores data representing user characteristics. For instance, the session statistics module 214 may store a list of the applications a user generally accesses, how often the user is connected, the typical CPU and memory utilization measure, keyboard sequences, and other characteristics of a user. If a particular user deviates from the expected characteristics by greater than a threshold, such as N standard deviations, and the significance of the statistic is more than a specified amount, the session statistics module 214 can identify the current user as a potential unauthorized user.
The session statistics module 214 may perform other tasks as well. For instance, in one embodiment, the session statistics module 214 pre-loads applications based on a user's general usage patterns.
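The deviation test above (more than N standard deviations from the stored characteristics, and only for statistics with enough history to be significant) as an added example; it is not the application's own code. The characteristic names, N = 3, the minimum sample count used as the significance gate, and the sample sessions are all assumptions.

```python
import math


class RunningStat:
    """Welford's online mean/variance for one stored user characteristic."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self._m2 = 0.0

    def add(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self._m2 += delta * (x - self.mean)

    def stdev(self) -> float:
        return math.sqrt(self._m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x: float) -> float:
        """Distance from the baseline mean in standard deviations."""
        sd = self.stdev()
        if sd == 0.0:
            return 0.0 if x == self.mean else math.inf
        return abs(x - self.mean) / sd


class SessionStatistics:
    def __init__(self, n_sigma: float = 3.0, min_samples: int = 20):
        self.n_sigma = n_sigma            # the "N standard deviations" threshold
        self.min_samples = min_samples    # assumed significance gate: too few samples, no verdict
        self.baseline = {}                # characteristic name -> RunningStat

    def record(self, characteristic: str, value: float) -> None:
        """Store one observation of a user characteristic from a past session."""
        self.baseline.setdefault(characteristic, RunningStat()).add(value)

    def deviations(self, current: dict) -> dict:
        """Characteristics of the current session that lie more than n_sigma from
        the user's baseline, considering only statistics with enough history."""
        flagged = {}
        for name, value in current.items():
            stat = self.baseline.get(name)
            if stat is None or stat.n < self.min_samples:
                continue
            z = stat.zscore(value)
            if z > self.n_sigma:
                flagged[name] = round(z, 2)
        return flagged

    def potential_unauthorized_user(self, current: dict) -> bool:
        return bool(self.deviations(current))


def build_sample_profile() -> SessionStatistics:
    """Constructed history for one user: 30 sessions of CPU and memory
    utilisation, but only 6 sessions of typing-rate data."""
    stats = SessionStatistics(n_sigma=3.0, min_samples=20)
    for cpu, mem in zip([18, 20, 22] * 10, [38, 40, 42] * 10):
        stats.record("cpu_percent", cpu)
        stats.record("memory_percent", mem)
    for rate in [60, 62] * 3:
        stats.record("keys_per_min", rate)
    return stats


if __name__ == "__main__":
    profile = build_sample_profile()
    print(profile.deviations({"cpu_percent": 85, "memory_percent": 41, "keys_per_min": 200}))
```

The typing-rate statistic is ignored even though it is far off, because six sessions are not enough history to be significant; the CPU figure alone is enough to flag the session.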
The client 102 shown in
For example, an IT manager may establish a VPN profile to be used by a user when connecting to a Wi-Fi network. However, the user may wish to create a secondary VPN profile to be used if the first VPN becomes unavailable. The policy reader 216 loads both local and enterprise VPN profiles, resolving any conflict between the two VPN profiles.
In one embodiment, the policy reader 216 accesses data at an enterprise, department, and user level. In such an embodiment, some of the policy rules may be stored in a lightweight directory access protocol (“LDAP”) server on the client 102, security server 104, or enterprise server 106. In another embodiment, the policy reader 216 receives only changes to policy data and does not typically download all of the policy data at once. Policies downloaded by the policy reader 216 may be provided to the rules processor of the connection manager 210.
The client 102 may also comprise a client security module 216. In one embodiment, the client security module 216 implements a client asset protection process. When the client security module 216 receives a signal indicating that the client asset protection process is to be executed, the client security module 216 may, for example, disable devices and interfaces on the client device 102 and may, in some embodiments, encrypt the hard drive of the client device 102 so that the files stored on the drive are not easily accessible.
The client 102 may also comprise a user interface 220. The user interface 220 may control the underlying operating environment or the user's view of the underlying environment. For example, in one embodiment, the user interface 220 supplants the Microsoft® Windows operating system interface from the user's perspective. In other words, the user is unable to access many of the standard Windows features. Such a user interface may be implemented to limit the applications and configuration settings a user is able to access. In some embodiments, such as a personal digital assistant (“PDA”), no user interface is provided by an embodiment of the present invention; the standard PDA user interface is utilized.
The user interface 220 provides the user with an easy-to-use mechanism for accessing network connections. In one embodiment, when the user interface 220 is visible, it provides a very easy-to-use format that displays network connection types and provides other functionality to the user. For example, during complex operations, such as connecting to a new network type, the user can simply select a single button within the user interface 220 and the client 102 will properly disconnect from the previous network, acquire the new network, perform all authentication and policy-based requirements, and then allow the user to continue using an application on the new network. This simple, easy-to-use user interface 220, the complexity of which may be hidden and completely automatic, allows a less-technical user to successfully operate the client 102. All network connection, authentication, secure sign on, VPN parameters, and other aspects of the connection are managed by the user interface 220.
The client 102 shown in
In one embodiment, when the security agent 222 activates, it stops all applications from being able to run and encrypts the data on the hard drive of the client 102. For instance, the security agent 222 may implement a white list (as described above) and then implement a secure vault for all data on the client 102. The connection manager 210 may also be configured so that no connections are possible.
In one such embodiment, since the data is merely encrypted by security agent 222, rather than erased, the data may be recovered if the client 102 is subsequently recovered. For instance, the enterprise may retain the key needed for decrypting the local drive. The client 102 is returned to the enterprise, which then decrypts the drive. In another embodiment, the data on the local drive of the client is rendered inaccessible by, for example, writing over the data multiple times.
The client 102 shown in
The RADIUS server 302 provides authentication services on the security server 104. In some embodiments of the present invention, the RADIUS server 302 proxies to a RADIUS server on the enterprise server 106. In one embodiment, the RADIUS server 302 provides mutual authentication for the client 102 using Extensible Authentication Protocol Transport Layer Security (“EAP-TLS”). Although EAP-TLS itself is strictly an 802.1x authentication protocol, designed primarily for WiFi connections, the underlying TLS authentication protocol may be deployed in both wired and wireless networks. EAP-TLS performs mutual secure sockets layer (“SSL”) authentication. This requires both the client device 102 and the RADIUS server 302 to have a certificate. In mutual authentication, each side may prove its identity to the other using its certificate and its private key.
The security server shown in
In some embodiments, the LDAP server 304 is implemented as a list of user identifiers not using the LDAP protocol. In another embodiment, data in the LDAP server 304 is propagated from data present in the enterprise server 106.
The security server 104 shown in
In some embodiments, the client 102 and enterprise server 106 establish a VPN for communication. In such an embodiment, the session manager 306 may be unable to route requests to any location other than the enterprise—the packets are encrypted and thus, cannot be separately evaluated.
In one embodiment, the session manager 306 performs automated authentication of a client device 102 or user. For example, if the session manager 306 determines that a client 102 is approaching a Wi-Fi hotspot, the session manager 306 is able to pre-populate the hotspot with the certificate that the hotspot requires to authenticate the user. In this manner, the authentication appears very fast to the user. The session manager 306 may also control the manner in which data is queued for download to the client device 102.
In one such embodiment, the session manager 306 provides two modes for data queuing. In a first mode, the session manager 306 determines that the network down time will be brief, e.g., the user is moving through a tunnel, which interferes with network access. In such a case, the session manager queues a minimal amount of data. In a second mode, the session manager 306 determines that the network down time will be of a longer duration, e.g., the user is boarding a plane from New York to Tokyo. In such a case, the session manager 306 may queue a larger amount of data. In one such embodiment, the session manager 306 determines the mode by querying the user for the downtime interval. When the user reconnects to the security server 104, the session manager 306 determines the best manner of downloading the queued data and begins the download.
In one embodiment, the session manager 306 comprises a packet shaper (not shown). The packet shaper provides various functional capabilities to the session manager 306. For example, in one embodiment, the packet shaper provides a mechanism for prioritizing packets sent between the enterprise server 106 and the client 102. In one embodiment, the packet shaper utilizes Multiprotocol Label Switching (“MPLS”). MPLS allows a specific path to be specified for a given sequence of packets. MPLS allows most packets to be forwarded at the switching (layer 2) level rather than at the (routing) layer 3 level. MPLS provides a means for providing QoS for data transmissions, particularly as networks begin to carry more varied traffic.
The session manager 306 may also provide session persistence capabilities. For instance, in one embodiment, when a user drops a connection or moves from one provider network coverage area to another, the connection manager 306 persists a virtual connection as the first connection is terminated and the second is initiated.
The session manager 306 may include a server-side rules engine. The server-side rules engine may use historical information, such as the session statistics described above, for statistical attack determination. For instance, session manager 306 may access a stored statistic regarding a client device 102 and based on monitoring of the current statistics for the client device 102 determine that an unauthorized user is using the client device 102.
The security server 104 shown in
When the real-time monitor 308 detects a problem, it may issue an alert to network support. In one embodiment, data from the real-time monitor 308 is provided to users via a portal available on the security server 308. In another embodiment, the real-time portal 308 transfers information to the enterprise server 106, from which users access the data.
The embodiment shown in
The information available via the historical monitor 310 may include, for example, historical QoS data, registration compliance data, and metrics consistency data. The historical data monitor 310 may be used to determine that certain clients are not performing optimally by comparing metrics of various clients over time. For instance, by evaluating information available via the historical data monitor 310, a support person may be able to determine that a radio tuner on a specific client device 102 is failing. If the user of one client device 102 is complaining about the availability of service, but other users are able to successfully access service, then the client device's radio may be the problem.
The historical data monitor 310 may also be used to reconcile information captured on the security server 104 regarding connections and data provided by telecommunication carriers. The data may be used to determine when certain resources need to be increased and when a certain carrier is not performing adequately.
The security server also comprises a database 312. In embodiments of the present invention, the database 312 may be any type of database, including, for example, MySQL, Oracle, or Microsoft SQL Server relational databases. Also, although the database 312 is shown as a single database in
In one embodiment of the present invention, the database 312 stores customer information regarding enterprises served by the security server 104, such as a list of valid users, a list of valid cellular cards, the relationships between the individual users and groups within the enterprise, and other customer information.
For example, in one embodiment, the database 312 stores an association between users and cellular data cards. The enterprise may allocate a single user to a specific data card. Alternatively, the enterprise may associate a group of users with a group of cellular data cards. Other types of data may also be stored in the database 312, such as billing data.
The security server 104 shown in
The security server also comprises a QoS tools engine 316. The QoS tools engine 316 displays data made available by the QoS server 314 and other processes, such as the real-time monitor 308.
In one embodiment, the QoS tools engine 316 provides an aggregation of QoS data in a spreadsheet. In another embodiment, the QoS tools engine 316 provides data using map views, pie charts, and graphs. The QoS tools engine 316 may also provide the capability for setting QoS-based alarms and may provide data to users via a portal.
In the embodiment shown in
Although the security server 104 shown in
Also, the description above suggests that data is provided to and queried from the security server 104 by the client 102, i.e., the client pulls the data. However, in some embodiments, the client 102 also comprises a listener (not shown) so that the security server 104 can push data to the client 102.
The enterprise server 106 shown in
The policies may be managed at one or more levels. For example, an IT manager may wish to create a VPN profile for the enterprise as a whole, but a different VPN profile for an engineering group since the engineering group needs access to various unique applications.
The policy server 402 may also provide a mechanism for configuring the location of various servers that the client 102 will utilize. For instance, the policy server 402 may allow an IT manager to specify the IP address of an acceleration server 404 or a vault server 406.
In one embodiment, the policy server also allows the IT manager to specify which users receive updates for various components on the client 102. The policy server 402 may also allow the IT manager to perform connection configuration. For instance, the IT manager may use the policy server to specify phone numbers for PHS connections, Wi-Fi SSID's for private connections, and other connection configuration information.
The enterprise server 106 shown in
In one embodiment, the acceleration server 404 communicates with the policy server 402. An IT manager sets acceleration rules using the policy server 402, and the acceleration server 404 uses these rules to determine what level of acceleration to use for a particular communication. In one embodiment, the IT manager sets a default level of acceleration for all communication and a specific level of acceleration for one group of users. The specific level of acceleration may be referred to as an override.
The enterprise server 106 also comprises a vault server 406. The vault server comprises two components, an automatic component and an administration component. In one embodiment, the automatic component integrates with an enterprise's mail server (not shown) and performs operations on emails to and from the mail server. For instance, the vault server 406 may quarantine an email, automatically encrypt the email before it is sent, add a legal disclaimer to an email, or perform other functions on the email.
In one embodiment, the automatic component of the vault server 406 searches an email based on words or based on the domain or specific address to which the email is addressed or from which the email originated. Using this information, the user can perform functions on the email, such as those described above.
The administration component of the vault server 406 allows a user to terminate access to secure content, either by a specific user or by all users. It also logs activity. Using one embodiment of the vault server 406, a user can indicate that a set of users whose employment has been terminated will no longer have access to any secure content. In an alternative embodiment of the vault server 406, a user can indicate that a given element of secure content, say a price list, is now out of date, and so that piece of secure content will no longer be viewable by any user. When each user accesses the secure content, the vault server 406 logs the event. So for each secure content element, the vault server 406 creates a log of all activity on the secure content.
In one embodiment, the vault server 406 also compresses data. For instance, one embodiment utilizes standard PKZIP compression to compress all content. In another embodiment, an IT manager may identify three types of images and specify a different level of compression for each type of image based on the level of resolution necessary for each type of image.
The enterprise server 108 also comprises a RADIUS server 408 and LDAP server 410, which are similar to those described above in relation to the security server 104. The RADIUS server 302 on the security server 104 may proxy to the RADIUS server 408 on the enterprise server 106. Similarly, data in the LDAP server 410 may be propagated to the LDAP server 204 on the security server 104.
The enterprise server 106 also comprises a one-time password (“OTP”) server 412. The OTP server 412 provides a mechanism for authentication. For instance, in one embodiment of the present invention, the enterprise server 106 uses the OTP server 412 to perform a mutual authentication process.
The enterprise server 106 also comprises a concentrator 414. The concentrator 414 provides remote access capability to the client 102. For instance, the concentrator 414 may serve as a means for terminating a VPN between the client 102 and enterprise server 106.
The enterprise server 104 shown in
Portal one provides a configuration interface for managing the various elements shown in
For instance, a user may use historical QoS data on portal two to determine how a particular provider is performing in terms of throughput, user connections, and other QoS metrics. Portal two may also provide real-time information, such as how many users are currently connected.
For instance, in one embodiment, an IT manager determines that twenty users have been rejected by a carrier in the last three minutes due to authentication failure and five users with the same user identifier are currently logged on to five different devices. The IT manager uses this information to detect a potential security problem. Portal two may also be used to set alerts as described above.
It should be noted that the present invention may comprise systems having a different architecture than that which is shown in
The following illustrative embodiments utilize a central policy server 402 on an enterprise server 106. The client device 102 downloads policies from the policy server 402 and the connection manager 210 utilizes the policies to make connections. In other embodiments, policy files are created and distributed to the client device 102 in other ways. For example, an email attachment or disk may be distributed to each client device 102. Each time an update is necessary, a new disk or email is distributed.
In embodiments of the present invention, policies are created and distributed to client devices 102. The client devices 102 utilize the policies for making connections.
In the embodiment shown in
The policies may be based on a number of factors, including, for example, an enterprise's need to minimize overall transport cost when billed on a usage basis, an enterprise's wish to minimize perceived security exposure based on assumed insecurity on some transports and specific connections, and an enterprise's wish to ensure the highest speed and most reliable usage experience for their users. The policies may be based on third party parameters as well. For instance, the policy may be based on the enterprise's security provider's desire to minimize its transport costs overall.
The policy administrator next selects a group to be associated with the policy 504. The administrator may manually enter group names and user identifiers. Alternatively, the administrator may select groups from a central directory, such as the LDAP 410 or a Microsoft Active Directory Server. Each policy may be associated with, for example, an enterprise, a group within the enterprise or across enterprises, or with an individual.
Once the administrator has created a policy and associated the policy with a group, the administrator saves the policy-group association 506. The policy-group association may be stored in a database (not shown) in communication with the policy server 402. Alternatively, the policy-group association may be stored in a file, for example, in an XML format in a file.
The administrator then causes the policy and policy-group association to be distributed to client devices 508. For instance, the policy and policy-group association may reside in the database, which is in communication with the policy server 402, so that when a client device attempts to download a policy, the policy-group association is used to determine which policy or policies to download. The policy and policy-group association may be distributed via a network, such as network 108, or by media, such as CD-ROM. In one embodiment, only changes to the policies are downloaded. In other embodiments, all policies are downloaded each time a download occurs.
In some embodiments, once the policies are downloaded to the client device, the user may make changes to them. For instance, the user may set up an alternative VPN profile on the client if the VPN associated with the VPN profile downloaded from the policy server 402 is temporarily unusable.
The connection manager 210 then determines what the most recently used connection was and whether the most recently used connection is available 604. For example, a user may shut down a client device 102 while the client device 102 is connected to a WiFi hotspot. When the user starts the client device 102, the client device will attempt to connect to the WiFi hotspot.
If the client device 102 is not able to connect to the most recently used connection, the client device 102 attempts to identify a new connection 606. For example, the client device 102 may have moved out of range of the WiFi hotspot to which the client was connected. The client device 102 identifies all currently-available connections. The client device 102 also identifies one or more policies associated with the user. The client device 102 then identifies properties of the network connection or connections and compares the network properties to the policy (rule). A network property may be, for example, a quality of service measure, such as security, reliability, or speed. The client device 102 may also use cost, or a combination of cost and a plurality of other properties, in making the determination. In one embodiment, the client device 102 applies a normalization algorithm to the plurality of properties to come up with a single number for each network connection. The client device 102 then compares the single numbers to determine to which network to connect.
Using either the most recently used connection or the newly-identified connection, the client device connects to the policy server (402) 608. For instance, the client device 102 may connect to the most recently used WiFi hotspot and then establish a connection with the policy server 402 and the QoS server 310 over the Internet.
Once the client device 102 has established a connection with the network, the client device uploads QoS data to the QoS server (310) 610. In one embodiment, QoS data from the previous session is uploaded at the start of the current session so that interruptions in service, such as a lost connection, can be accurately tracked.
The client device next downloads the latest policy data from the policy server (402) 612. The policy data may comprise only changes since the last connection. For example, the client device 102 may store a last download date and only download policies from the policy server 402 that have been created or changed since the last update date. The client device may download other information as well. For instance, the administrator may determine that a particular client device 102 has been stolen and set an indicator to cause the client device to encrypt data on its hard drive. When the client device 102 connects, it downloads the indicator.
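The policy-group association (steps 504 to 508 above) and the incremental download described here can be shown together with a small policy store. This is an added example, not the patent's code: the XML element and attribute names, the sample policies and the device indicator are all constructed, and "changed since" is implemented as a strict comparison on the modified timestamp.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed policy store; element and attribute names are assumptions,
# not the patent's format. Each policy is scoped to an enterprise, a group
# or an individual user, and carries the time it was created or changed.
POLICY_STORE_XML = """\
<policy_store>
  <policy id="p-enterprise-base" modified="2005-06-01T00:00:00">
    <scope enterprise="acme"/>
    <rule>prefer enterprise-approved transports</rule>
  </policy>
  <policy id="p-sales-vpn" modified="2005-06-20T12:00:00">
    <scope group="sales"/>
    <rule>require VPN profile sales-vpn on public WiFi</rule>
  </policy>
  <policy id="p-eng-lan" modified="2005-05-15T09:00:00">
    <scope group="engineering"/>
    <rule>prefer wired LAN when available</rule>
  </policy>
  <policy id="p-alice" modified="2005-06-25T08:30:00">
    <scope user="alice"/>
    <rule>allow alternative VPN profile</rule>
  </policy>
  <device id="laptop-42" encrypt_disk="true"/>
</policy_store>
"""


def _scope_matches(scope, enterprise, groups, user):
    if scope.get("enterprise") is not None:
        return scope.get("enterprise") == enterprise
    if scope.get("group") is not None:
        return scope.get("group") in groups
    if scope.get("user") is not None:
        return scope.get("user") == user
    return False


def policies_for(store_xml, enterprise, groups, user, since=None):
    """(id, modified) pairs of policies that apply to this user and changed after `since`."""
    root = ET.fromstring(store_xml)
    since_dt = datetime.fromisoformat(since) if since else None
    out = []
    for p in root.findall("policy"):
        modified = datetime.fromisoformat(p.get("modified"))
        scope = p.find("scope")
        if scope is None or not _scope_matches(scope, enterprise, groups, user):
            continue
        if since_dt is not None and modified <= since_dt:
            continue
        out.append((p.get("id"), p.get("modified")))
    return out


def device_indicators(store_xml, device_id):
    """Per-device indicators the administrator has set (e.g. encrypt the disk of a stolen device)."""
    root = ET.fromstring(store_xml)
    for d in root.findall("device"):
        if d.get("id") == device_id:
            return {k: v for k, v in d.attrib.items() if k != "id"}
    return {}


class PolicyClient:
    """Client-side cache that downloads only policies changed since its last download."""

    def __init__(self, enterprise, groups, user):
        self.enterprise, self.groups, self.user = enterprise, set(groups), user
        self.last_download = None   # ISO timestamp of the newest policy seen so far
        self.policies = {}

    def sync(self, store_xml):
        changed = policies_for(store_xml, self.enterprise, self.groups, self.user, self.last_download)
        for pid, modified in changed:
            self.policies[pid] = modified
            if self.last_download is None or modified > self.last_download:
                self.last_download = modified
        return [pid for pid, _ in changed]


if __name__ == "__main__":
    client = PolicyClient("acme", ["sales"], "alice")
    print("first sync:", client.sync(POLICY_STORE_XML))    # all three applicable policies
    print("second sync:", client.sync(POLICY_STORE_XML))   # nothing newer: []
    print("indicators:", device_indicators(POLICY_STORE_XML, "laptop-42"))
```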
The process may be transparent to the user. In one embodiment, the download process runs as a service. Each time the client device 102 starts up, the process executes. The process may also include having the client device 102 connect to a VPN automatically so that the user can access enterprise applications.
In one embodiment, the connection manager 210 identifies a new network. The connection manager then compares a first property of the currently connected (existing) network to a first property of the second new network. The properties may signify the same or similar information about the two networks, e.g., the type of network. Based on policies, the connection manager 210 determines to which network to connect.
In one embodiment, the connection manager 210 rules engine makes connection decisions based on six core pieces of data for each connection that is physically available (the correct device is installed and operating, and a signal is available):
Item (1) in this list is specified based on whether or not the connection is available to the enterprise in general and whether the enterprise has made the connection available to the user (or, more precisely in some implementations, has not barred the user from the connection). Item (2) is based on an enterprise preference indication. It could also be based on automatically applied attack detection algorithms, e.g., if relatively more attacks on a specific type of connection or specific location are detected, then relatively more attacks are assumed likely on that connection type or at that location.
Item (3) is based on connection statistics. In one such embodiment, the enterprise has the option to indicate perceived relative reliability measures. Item (4) is also based on connection statistics. Item (5) is based on the pricing plan that the enterprise has entered into with the provider. And item (6) is based on carrier pricing arrangements and usage assumptions for various connections.
One embodiment of the present invention takes each of these six items and uses a normalization algorithm to work these elements (with their relative strengths) into a “weighting” within a range. Then, the rules engine on the client device 102 simply selects the connection with the highest weighting.
In some cases, despite the rules based analysis, an enterprise may not wish for a user to use a specific connection for a given, short period of time. In one embodiment, the system allows the enterprise to specifically exclude a connection for a short time.
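The normalization and weighting described for the six items (and the single-number comparison mentioned earlier for the client's connection choice), together with a short-term exclusion, as an added example that is not the patent's own code. The weights, the reference scales used for normalization and the sample connections are assumptions; the patent gives no values.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    name: str
    physically_available: bool   # correct device installed and a signal present
    enterprise_allowed: bool     # item (1): enterprise has not barred the user from it
    security_pref: float         # item (2): enterprise security preference, 0..1
    reliability: float           # item (3): fraction of successful sessions, 0..1
    speed_kbps: float            # item (4): measured throughput
    plan_cost_per_mb: float      # item (5): enterprise's pricing plan, currency per MB
    carrier_cost_per_mb: float   # item (6): carrier pricing arrangement, currency per MB


# Assumed relative strengths and reference scales; the patent gives no values.
WEIGHTS = {"security": 0.35, "reliability": 0.25, "speed": 0.25,
           "plan_cost": 0.10, "carrier_cost": 0.05}
SPEED_REF_KBPS = 10_000.0   # throughput at or above this scores 1.0
COST_REF_PER_MB = 0.10      # cost at or above this scores 0.0


def _clamp(x):
    return max(0.0, min(1.0, x))


def normalize(conn):
    """Map items (2)..(6) into [0, 1] so that higher is always better."""
    return {
        "security": _clamp(conn.security_pref),
        "reliability": _clamp(conn.reliability),
        "speed": _clamp(conn.speed_kbps / SPEED_REF_KBPS),
        "plan_cost": 1.0 - _clamp(conn.plan_cost_per_mb / COST_REF_PER_MB),
        "carrier_cost": 1.0 - _clamp(conn.carrier_cost_per_mb / COST_REF_PER_MB),
    }


def weighting(conn, weights=WEIGHTS):
    """Single number per connection: weighted sum of the normalized items."""
    n = normalize(conn)
    return sum(weights[k] * n[k] for k in weights)


def score_connections(conns, excluded=frozenset(), weights=WEIGHTS):
    """Weighting for every candidate that is physically available, allowed (item 1) and not excluded."""
    return {c.name: weighting(c, weights)
            for c in conns
            if c.physically_available and c.enterprise_allowed and c.name not in excluded}


def select_connection(conns, excluded=frozenset(), weights=WEIGHTS):
    """The rules engine's choice: the candidate with the highest weighting, or None."""
    scores = score_connections(conns, excluded, weights)
    return max(scores, key=scores.get) if scores else None


class TemporaryExclusions:
    """Enterprise-set exclusions of a connection for a short period (times are epoch seconds)."""

    def __init__(self):
        self._until = {}

    def exclude(self, name, until):
        self._until[name] = until

    def active(self, now):
        return frozenset(n for n, until in self._until.items() if until > now)


# Constructed candidates (not from the patent).
SAMPLE_CONNECTIONS = [
    Connection("wifi-hotspot", True, True, 0.3, 0.90, 2000.0, 0.00, 0.01),
    Connection("cellular-wan", True, True, 0.8, 0.95, 100.0, 0.05, 0.10),
    Connection("office-lan", False, True, 0.9, 0.99, 100000.0, 0.0, 0.0),   # no cable plugged in
    Connection("guest-wifi", True, False, 0.1, 0.80, 5000.0, 0.0, 0.0),     # barred by the enterprise
]


if __name__ == "__main__":
    excl = TemporaryExclusions()
    print(select_connection(SAMPLE_CONNECTIONS, excl.active(now=1000)))   # cellular-wan
    excl.exclude("cellular-wan", until=1600)   # barred for the next ten minutes
    print(select_connection(SAMPLE_CONNECTIONS, excl.active(now=1000)))   # wifi-hotspot
    print(select_connection(SAMPLE_CONNECTIONS, excl.active(now=2000)))   # cellular-wan again
```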
Before disconnecting, the connection manager 210 sends a signal to the session persistence server 316 to suspend any currently active data transfer 704. By suspending data transfer, the connection manager 210 helps to eliminate the potential for losing data.
The connection manager 210 then disconnects the client device 102 from the network (108) 706. The process for disconnecting may differ between various networks. During the period when the client device 102 is disconnected, the session persistence server 316 caches data. After a period of time, which may be very brief, the connection manager 210 attempts to reconnect to a network 708. The network 108 may be the most recently used network or may be a newly identified network. The connection may be dropped for a period of time. In one embodiment, a user may specify the duration that the user expects to be disconnected when the disconnect occurs. The persistence server 316 uses this information to determine how much data to cache during the period of disconnection.
The connection manager 210 or persistence server 316 then determines whether the download that was occurring before the disconnect should continue 710. For instance, the connection manager 210 may determine that the new connection is too slow to support the data download. The connection manager 210 may also look to the policies to determine what rules apply to the connection.
If the download should continue, the connection manager 210 resumes the data transfer 712. The data transfer may then complete or may be subject to subsequent disconnects. If the new network is not suitable to support the download, or if the download is complete, the process ends 714.
For example, in one embodiment, a salesperson needs to download a large document containing a price list. The salesperson's computer is currently connected via a wide area network connection, which is relatively slow. The salesperson enters a coffee shop that the salesperson knows has a high speed WiFi connection.
When the client device 102 indicates that the WiFi connection is available, the user indicates that the client device 102 should change networks. The client device seamlessly connects to the WiFi network and, based on rules established in the policies, begins downloading the document. If the user must leave the coffee shop before the download is complete, the connection manager 210 can signal the session persistence server 316 to pause the download until the user reenters the coffee shop or connects to another high-speed network.
In one embodiment, session persistence operates on the following process: when a disconnection event occurs, the connection manager 210 buffers application data coming to the client device 102, making applications “believe” that they are still connected. At the same time, the session persistence server 316 buffers information on the server side, making the server 104 “believe” that it is still connected. Once a network connection has been reconnected, the connection manager 210 and session persistence server 316 empty the buffers that have built up on both sides.
One such embodiment implements a kernel mode driver at the NDIS layer in the Microsoft Protocol stack (roughly equivalent to layer 3 in the OSI model). This kernel mode driver is implemented as an “Intermediate Driver” on the Microsoft W2K/WXP operating systems. The driver acts as a single “virtual device” through which all network communications go. This single device routes this traffic to the appropriate physical device (directed through a virtual device associated with a third-party VPN when appropriate), depending on the current physical connection.
In order to make application layer components believe that a network is still up and running, no “disconnect” signal is transmitted to the application layer components when a network interruption occurs. In this way, application layer components treat the connection as if it is simply slow.
The primary interface component between the client 102 and server 104 in such an embodiment is an indication that a client will be disconnecting for a long period of time, but wishes to persist the session over this extended time. In this case, the client 102 provides the user a means to enter the time that the system will be un-connected (say for the duration of a domestic flight), and the client notifies the server of the expected length of the disconnection event.
On the server 104, the session persistence server 316 functions as a proxy for connections from clients to network resources, whether those resources are at the enterprise data center or are public resources. The server implementation includes a similar intermediate driver architecture to that on the client, combined with application layer components to manage caching locations and recording for billing purposes. There may be cases where enterprises wish caching to occur at the enterprise. In this case, the system allows for the cache to be on the other side of a static tunnel to the enterprise.
The foregoing description of the embodiments of the invention has been presented only for the purpose of illustration and description and is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Numerous modifications and adaptations thereof will be apparent to those skilled in the art without departing from the spirit and scope of the present invention.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US5406261 *||Jan 11, 1993||Apr 11, 1995||Glenn; James T.||Computer security apparatus and method|
|US5408261 *||Sep 1, 1993||Apr 18, 1995||Fujitsu Limited||Method and apparatus for controlling image communication between a plurality of terminals and an exchange|
|US5473692 *||Sep 7, 1994||Dec 5, 1995||Intel Corporation||Roving software license for a hardware agent|
|US5500517 *||Sep 2, 1994||Mar 19, 1996||Gemplus Card International||Apparatus and method for data transfer between stand alone integrated circuit smart card terminal and remote computer of system operator|
|US5748084 *||Nov 18, 1996||May 5, 1998||Isikoff; Jeremy M.||Device security system|
|US5835737 *||May 10, 1996||Nov 10, 1998||Apple Computer, Inc.||Method and apparatus for arbitrating access to selected computer system devices|
|US5936526 *||Jan 13, 1998||Aug 10, 1999||Micron Electronics, Inc.||Apparatus for generating an alarm in a portable computer system|
|US5953536 *||Sep 30, 1996||Sep 14, 1999||Intel Corporation||Software-implemented tool for monitoring power management in a computer system|
|US5958058 *||Jul 18, 1997||Sep 28, 1999||Micron Electronics, Inc.||User-selectable power management interface with application threshold warnings|
|US6070240 *||Aug 27, 1997||May 30, 2000||Ensure Technologies Incorporated||Computer access control|
|US6085084 *||Sep 24, 1997||Jul 4, 2000||Christmas; Christian||Automated creation of a list of disallowed network points for use in connection blocking|
|US6198920 *||Mar 16, 2000||Mar 6, 2001||Padcom, Inc.||Apparatus and method for intelligent routing of data between a remote device and a host system|
|US6272112 *||Apr 14, 1998||Aug 7, 2001||Fujitsu Limited||Repeating unit testing system and communication apparatus as well as communication method|
|US6418324 *||Sep 17, 1997||Jul 9, 2002||Padcom, Incorporated||Apparatus and method for transparent wireless communication between a remote device and host system|
|US6418533 *||Aug 29, 1997||Jul 9, 2002||Compaq Information Technologies Group, L.P.||“J” system for securing a portable computer which optionally requires an entry of an invalid power on password (POP), by forcing an entry of a valid POP|
|US6490679 *||Jan 18, 1999||Dec 3, 2002||Shym Technology, Inc.||Seamless integration of application programs with security key infrastructure|
|US6542729 *||Apr 27, 1999||Apr 1, 2003||Qualcomm Inc.||System and method for minimizing fraudulent usage of a mobile telephone|
|US6546425 *||Jun 11, 1999||Apr 8, 2003||Netmotion Wireless, Inc.||Method and apparatus for providing mobile and other intermittent connectivity in a computing environment|
|US6564047 *||Aug 28, 2000||May 13, 2003||Motorola Inc.||Advanced air time management|
|US6643701 *||Nov 17, 1999||Nov 4, 2003||Sun Microsystems, Inc.||Method and apparatus for providing secure communication with a relay in a network|
|US6657956 *||Mar 3, 1997||Dec 2, 2003||Bull Cp8||Method enabling secure access by a station to at least one server, and device using same|
|US6725379 *||Aug 11, 1999||Apr 20, 2004||Dell Products L.P.||Stolen computer detection and protection|
|US6813498 *||Oct 27, 2000||Nov 2, 2004||Lucent Technologies Inc.||Apparatus, method and system for detection and recovery of missing wireless devices in communication systems|
|US6865162 *||Dec 6, 2000||Mar 8, 2005||Cisco Technology, Inc.||Elimination of clipping associated with VAD-directed silence suppression|
|US6880079 *||Apr 25, 2002||Apr 12, 2005||Vasco Data Security, Inc.||Methods and systems for secure transmission of information using a mobile device|
|US6947755 *||Aug 15, 2001||Sep 20, 2005||Gould Lawrence A||Systems and methods for distributed processing of location information associated with emergency 911 wireless transmissions|
|US6996728 *||Apr 26, 2002||Feb 7, 2006||Hewlett-Packard Development Company, L.P.||Managing power consumption based on utilization statistics|
|US7003282 *||Jun 24, 1999||Feb 21, 2006||Nokia Corporation||System and method for authentication in a mobile communications system|
|US7051236 *||Jun 13, 2002||May 23, 2006||Dell Products L.P.||Wirelessly network-connected, battery-powered information handling system featuring prevention of data corruption after wake-up by a network event|
|US7054594 *||Jul 18, 2002||May 30, 2006||Data Transfer & Communication Limited||Data security device|
|US7089425 *||Mar 18, 2003||Aug 8, 2006||Ci4 Technologies, Inc.||Remote access authorization of local content|
|US7089553 *||Oct 12, 2000||Aug 8, 2006||International Business Machines Corporation||Method, system, computer program product, and article of manufacture for downloading a remote computer program according to a stored configuration|
|US7107349 *||Sep 30, 2002||Sep 12, 2006||Danger, Inc.||System and method for disabling and providing a notification for a data processing device|
|US7170999 *||Aug 28, 2002||Jan 30, 2007||Napster, Inc.||Method of and apparatus for encrypting and transferring files|
|US7239862 *||Sep 19, 2002||Jul 3, 2007||Cellco Partnership||Method of and system for processing prepaid wireless data communications|
|US7240366 *||May 17, 2002||Jul 3, 2007||Microsoft Corporation||End-to-end authentication of session initiation protocol messages using certificates|
|US7272230 *||Mar 5, 2002||Sep 18, 2007||Pumpkin House Incorporated||Encryption system and control method thereof|
|US7305548 *||Oct 22, 2002||Dec 4, 2007||Microsoft Corporation||Using atomic messaging to increase the security of transferring data across a network|
|US7370349 *||Sep 3, 2003||May 6, 2008||Peoplechart Corporation||Method and system for protecting information on a computer system|
|US7389123 *||Apr 28, 2004||Jun 17, 2008||Sony Ericsson Mobile Communications Ab||Mobile apparatus with remote lock and control function|
|US7392390 *||Dec 11, 2002||Jun 24, 2008||Valve Corporation||Method and system for binding kerberos-style authenticators to single clients|
|US7392391 *||Sep 12, 2002||Jun 24, 2008||International Business Machines Corporation||System and method for secure configuration of sensitive web services|
|US7409061 *||Nov 29, 2001||Aug 5, 2008||Noatak Software Llc||Method and system for secure distribution of subscription-based game software|
|US7421503 *||Jan 17, 2003||Sep 2, 2008||Cisco Technology, Inc.||Method and apparatus for providing multiple authentication types using an authentication protocol that supports a single type|
|US7437550 *||Oct 28, 2003||Oct 14, 2008||Ponoi Corp.||System for providing session-based network privacy, private, persistent storage, and discretionary access control for sharing private data|
|US20020039359 *||Dec 7, 2001||Apr 4, 2002||At&T Corporation||Hybrid fiber twisted pair local loop network service architecture|
|US20020052968 *||Dec 20, 2000||May 2, 2002||Rudy Bonefas||Messaging method and apparatus for routing messages in a client server environment over multiple wireless and wireline networks|
|US20020062445 *||Nov 16, 2001||May 23, 2002||Toru Owada||System, method and apparatus for distributing digital contents, information processing apparatus and digital content recording medium|
|US20020065781 *||Apr 27, 2001||May 30, 2002||Hillegass James C.||Licensed digital material distribution system and method|
|US20020087623 *||Dec 30, 2000||Jul 4, 2002||Eatough David A.||Method and apparatus for determining network topology and/or managing network related tasks|
|US20020099957 *||Jan 24, 2001||Jul 25, 2002||Michael Kramer||Establishing a secure connection with a private corporate network over a public network|
|US20020133584 *||Jan 17, 2001||Sep 19, 2002||Greuel James R.||Method and apparatus for customizably calculating and displaying health of a computer network|
|US20030005331 *||Aug 22, 2001||Jan 2, 2003||Cryptek Secure Communications, Llc||Multi-level security network system|
|US20030051140 *||Sep 10, 2002||Mar 13, 2003||Buddhikot Milind M.||Scheme for authentication and dynamic key exchange|
|US20030056116 *||May 16, 2002||Mar 20, 2003||Bunker Nelson Waldo||Reporter|
|US20030084350 *||Sep 12, 2002||May 1, 2003||International Business Machines Corporation||System and method for secure configuration of sensitive web services|
|US20030088517 *||Sep 24, 2001||May 8, 2003||Xyleco, Inc.||System and method for controlling access and use of private information|
|US20030204748 *||May 20, 2002||Oct 30, 2003||Tom Chiu||Auto-detection of wireless network accessibility|
|US20030217166 *||Dec 23, 2002||Nov 20, 2003||Mario Dal Canto||System and method for provisioning universal stateless digital and computing services|
|US20030221039 *||May 22, 2002||Nov 27, 2003||International Business Machines Corporation||Data caching on bridge following disconnect|
|US20030235307 *||Jun 9, 2003||Dec 25, 2003||Kazuhiro Miyamoto||Encryption and decryption program|
|US20030236827 *||Jun 24, 2002||Dec 25, 2003||Cisco Technology, Inc.||Adaptive feedback technique implemented in Mobile IP networks|
|US20040028017 *||Oct 15, 2002||Feb 12, 2004||Whitehill Eric A.||System and method for determining physical location of a node in a wireless network during an authentication check of the node|
|US20040030887 *||Aug 7, 2002||Feb 12, 2004||Harrisville-Wolff Carol L.||System and method for providing secure communications between clients and service providers|
|US20040039807 *||Mar 13, 2003||Feb 26, 2004||Angel Boveda De Miguel||Methods and arrangements in a telecommunication network|
|US20040052259 *||Jul 31, 2003||Mar 18, 2004||Agilent Technologies, Inc.||Measuring network operational parameters as experienced by network operational traffic|
|US20040064293 *||Sep 24, 2003||Apr 1, 2004||Hamilton David B.||Method and system for storing and reporting network performance metrics using histograms|
|US20040064727 *||Sep 30, 2002||Apr 1, 2004||Intel Corporation||Method and apparatus for enforcing network security policies|
|US20040082351 *||Jun 26, 2003||Apr 29, 2004||Ilkka Westman||User group creation|
|US20040087213 *||Feb 26, 2003||May 6, 2004||Chi-Lei Kao||Plug used for connection with a usb receptacle|
|US20040107360 *||Mar 13, 2003||Jun 3, 2004||Zone Labs, Inc.||System and Methodology for Policy Enforcement|
|US20040110488 *||Dec 10, 2002||Jun 10, 2004||Nokia Corporation||System and method for performing security functions of a mobile station|
|US20040121787 *||Dec 23, 2002||Jun 24, 2004||Asgard Holding, Llc||Wireless network security|
|US20040123150 *||Feb 28, 2003||Jun 24, 2004||Michael Wright||Protection of data accessible by a mobile device|
|US20040137964 *||Sep 15, 2003||Jul 15, 2004||Steven Lynch||Wireless communication device and method for responding to solicitations|
|US20040143470 *||Dec 22, 2003||Jul 22, 2004||Myrick Conrad B.||Structure and method of modeling integrated business and information technology frameworks and architecture in support of a business|
|US20040186901 *||Aug 26, 2003||Sep 23, 2004||Alain Guigui||System for managing user profile data|
|US20040193694 *||Apr 1, 2004||Sep 30, 2004||Randy Salo||Application gateway systems|
|US20040199545 *||Feb 24, 2004||Oct 7, 2004||Frederico Wagner||Networked disposal and replenishment apparatus|
|US20040218587 *||Apr 19, 2004||Nov 4, 2004||Sung-Hoon Kim||Private EV-DO system sharing public network data location register and data service method|
|US20040218605 *||Dec 1, 2003||Nov 4, 2004||Telefonaktiebolaget Lm Ericsson (Publ)||Method for access selection|
|US20040235514 *||Jul 18, 2002||Nov 25, 2004||Stephen Bloch||Data security device|
|US20040235522 *||May 21, 2003||Nov 25, 2004||Alan Lin||Card facility for freely communicating with network systems|
|US20040236547 *||Nov 18, 2003||Nov 25, 2004||Rappaport Theodore S.||System and method for automated placement or configuration of equipment for obtaining desired network performance objectives and for security, RF tags, and bandwidth provisioning|
|US20040259538 *||Oct 11, 2002||Dec 23, 2004||Victor Agbegnenou||Wireless multipurpose communication system|
|US20040268240 *||Jun 10, 2004||Dec 30, 2004||Vincent Winchel Todd||System for normalizing and archiving schemas|
|US20050020315 *||Jul 21, 2004||Jan 27, 2005||Robertson Ian M.||Security for mobile communications device|
|US20050025184 *||Aug 18, 2004||Feb 3, 2005||Dowling Eric Morgan||Virtual connection of a remote unit to a server|
|US20050050323 *||Sep 2, 2003||Mar 3, 2005||Authenture, Inc.||Communication session encryption and authentication system|
|US20050125474 *||Dec 5, 2003||Jun 9, 2005||International Business Machines Corporation||Method and structure for transform regression|
|US20050160280 *||May 12, 2004||Jul 21, 2005||Caslin Michael F.||Method and system for providing fraud detection for remote access services|
|US20050198491 *||Mar 3, 2004||Sep 8, 2005||Cisco Technology, Inc., A Corporation Of California||Network security enhancement methods and devices|
|US20050216736 *||Mar 24, 2004||Sep 29, 2005||Smith Ned M||System and method for combining user and platform authentication in negotiated channel security protocols|
|US20050273592 *||May 20, 2004||Dec 8, 2005||International Business Machines Corporation||System, method and program for protecting communication|
|US20060059265 *||Jun 17, 2003||Mar 16, 2006||Seppo Keronen||Terminal connectivity system|
|US20060149414 *||Feb 9, 2005||Jul 6, 2006||Carrier Corporation||Remote web access control of multiple home comfort systems|
|US20060294219 *||Oct 3, 2003||Dec 28, 2006||Kazuki Ogawa||Network system based on policy rule|
|US20070125620 *||Jun 3, 2004||Jun 7, 2007||Sorenson Timothy N||Methods and systems for providing products, such as digital content including games, ring tones, and/or graphics; and services, such as computer network service including internet service|
|US20070280109 *||Mar 3, 2004||Dec 6, 2007||Jussi Jaatinen||Method, a Device and a System for Transferring Data|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7440441||Jun 16, 2003||Oct 21, 2008||Redknee Inc.||Method and system for Multimedia Messaging Service (MMS) rating and billing|
|US7457865||Jan 23, 2003||Nov 25, 2008||Redknee Inc.||Method for implementing an internet protocol (IP) charging and rating middleware platform and gateway system|
|US7602748 *||Aug 12, 2005||Oct 13, 2009||Verizon Business Global Llc||Fixed-mobile communications with mid-session mode switching|
|US7644158||Nov 3, 2008||Jan 5, 2010||Redknee Inc.||Method for implementing an internet protocol (IP) charging and rating middleware platform and gateway system|
|US7873347||Jun 19, 2003||Jan 18, 2011||Redknee Inc.||Method for implementing a Wireless Local Area Network (WLAN) gateway system|
|US7979549 *||Nov 30, 2005||Jul 12, 2011||Microsoft Corporation||Network supporting centralized management of QoS policies|
|US8027249||Oct 18, 2006||Sep 27, 2011||Shared Spectrum Company||Methods for using a detector to monitor and detect channel occupancy|
|US8027334||Sep 5, 2008||Sep 27, 2011||Redknee, Inc.||Method and system for multimedia messaging service (MMS) rating and billing|
|US8055204||Aug 15, 2007||Nov 8, 2011||Shared Spectrum Company||Methods for detecting and classifying signals transmitted over a radio frequency spectrum|
|US8064840||Jun 18, 2009||Nov 22, 2011||Shared Spectrum Company||Method and system for determining spectrum availability within a network|
|US8095124 *||Oct 20, 2006||Jan 10, 2012||Verizon Patent And Licensing Inc.||Systems and methods for managing and monitoring mobile data, content, access, and usage|
|US8141129 *||May 29, 2008||Mar 20, 2012||Microsoft Corporation||Centrally accessible policy repository|
|US8155649||Aug 14, 2009||Apr 10, 2012||Shared Spectrum Company||Method and system for classifying communication signals in a dynamic spectrum access system|
|US8184653||Aug 15, 2007||May 22, 2012||Shared Spectrum Company||Systems and methods for a cognitive radio having adaptable characteristics|
|US8184678||Jul 11, 2008||May 22, 2012||Shared Spectrum Company||Method and system for transmitting signals with reduced spurious emissions|
|US8244859||Nov 23, 2009||Aug 14, 2012||Redknee, Inc.||Method for implementing an internet protocol (IP) charging and rating middleware platform and gateway system|
|US8285850 *||Jan 19, 2006||Oct 9, 2012||Symantec Operating Corporation||Configuration and dynamic detection of connection-based backup policies|
|US8296178 *||Aug 14, 2008||Oct 23, 2012||Microsoft Corporation||Services using globally distributed infrastructure for secure content management|
|US8326313||Aug 14, 2009||Dec 4, 2012||Shared Spectrum Company||Method and system for dynamic spectrum access using detection periods|
|US8331902||Dec 10, 2010||Dec 11, 2012||Redknee Inc.||Method for implementing a wireless local area network (WLAN) gateway system|
|US8396075||Aug 23, 2011||Mar 12, 2013||Redknee Inc.||Method for implementing an open charging (OC) middleware platform and gateway system|
|US8510484 *||Mar 24, 2011||Aug 13, 2013||Sony Corporation||Content transmission apparatus, content playback system, content transmission method, and program|
|US8554912 *||Mar 14, 2011||Oct 8, 2013||Sprint Communications Company L.P.||Access management for wireless communication devices failing authentication for a communication network|
|US8559301||Sep 9, 2011||Oct 15, 2013||Shared Spectrum Company||Methods for using a detector to monitor and detect channel occupancy|
|US8600964 *||Sep 28, 2007||Dec 3, 2013||Avaya Inc.||Methods and apparatus for providing customer treatment information over a network|
|US8693434||Jul 22, 2009||Apr 8, 2014||Verizon Business Global Llc||Fixed-mobile communications with mid-session mode switching|
|US8755754||Oct 24, 2012||Jun 17, 2014||Shared Spectrum Company||Methods for detecting and classifying signals transmitted over a radio frequency spectrum|
|US8767556||May 2, 2012||Jul 1, 2014||Shared Spectrum Company||Systems and methods for a cognitive radio having adaptable characteristics|
|US8775533 *||May 20, 2011||Jul 8, 2014||Microsoft Corporation||Auto connect in peer-to-peer network|
|US8775621||Jan 23, 2007||Jul 8, 2014||Redknee Inc.||Policy services|
|US8793791||Nov 1, 2011||Jul 29, 2014||Shared Spectrum Company||Methods for detecting and classifying signals transmitted over a radio frequency spectrum|
|US8806023||May 20, 2011||Aug 12, 2014||Microsoft Corporation||Auto-connect in a peer-to-peer network|
|US8818283||Aug 19, 2009||Aug 26, 2014||Shared Spectrum Company||Method and system for dynamic spectrum access using specialty detectors and improved networking|
|US8904529 *||Sep 7, 2006||Dec 2, 2014||International Business Machines Corporation||Automated deployment of protection agents to devices connected to a computer network|
|US8910255||May 27, 2008||Dec 9, 2014||Microsoft Corporation||Authentication for distributed secure content management system|
|US8910268||Aug 14, 2008||Dec 9, 2014||Microsoft Corporation||Enterprise security assessment sharing for consumers using globally distributed infrastructure|
|US8914841 *||Nov 23, 2011||Dec 16, 2014||Tufin Software Technologies Ltd.||Method and system for mapping between connectivity requests and a security rule set|
|US8935742||Aug 18, 2008||Jan 13, 2015||Microsoft Corporation||Authentication in a globally distributed infrastructure for secure content management|
|US8997170 *||Apr 10, 2007||Mar 31, 2015||Shared Spectrum Company||Method and device for policy-based control of radio|
|US9055093 *||Dec 18, 2008||Jun 9, 2015||Kevin R. Borders||Method, system and computer program product for detecting at least one of security threats and undesirable computer files|
|US9059871||Dec 27, 2007||Jun 16, 2015||Redknee Inc.||Policy-based communication system and method|
|US9088891||Aug 13, 2012||Jul 21, 2015||Wells Fargo Bank, N.A.||Wireless multi-factor authentication with captive portals|
|US20040148384 *||Jan 23, 2003||Jul 29, 2004||Karthik Ramakrishnan|
|US20040252657 *||Jun 16, 2003||Dec 16, 2004||Shailesh Lakhani||Method and system for multimedia messaging service (MMS) rating and billing|
|US20040258031 *||Jun 19, 2003||Dec 23, 2004||Zabawskyj Bohdan Konstantyn||Method for implementing a Wireless Local Area Network (WLAN) gateway system|
|US20060041515 *||Aug 13, 2004||Feb 23, 2006||Sbc Knowledge Ventures, L.P.||On-site point-of-sale billing system which manages public use of wired or wireless access network|
|US20060072542 *||Aug 12, 2005||Apr 6, 2006||Mci, Inc.||Fixed-mobile communications with mid-session mode switching|
|US20070056020 *||Sep 7, 2006||Mar 8, 2007||Internet Security Systems, Inc.||Automated deployment of protection agents to devices connected to a distributed computer network|
|US20090089289 *||Sep 28, 2007||Apr 2, 2009||Dhara Krishna K||Methods and Apparatus for Providing Customer Treatment Information Over a Network|
|US20090158430 *||Dec 18, 2008||Jun 18, 2009||Borders Kevin R||Method, system and computer program product for detecting at least one of security threats and undesirable computer files|
|US20090177514 *||Aug 14, 2008||Jul 9, 2009||Microsoft Corporation||Services using globally distributed infrastructure for secure content management|
|US20100319004 *||Jun 16, 2009||Dec 16, 2010||Microsoft Corporation||Policy Management for the Cloud|
|US20110246689 *||Oct 6, 2011||Sony Corporation||Content transmission apparatus, content playback system, content transmission method, and program|
|US20120192246 *||Nov 23, 2011||Jul 26, 2012||Tufin Software Technologies Ltd.||Method and system for mapping between connectivity requests and a security rule set|
|US20120296986 *||May 20, 2011||Nov 22, 2012||Microsoft Corporation||Auto connect in peer-to-peer network|
|USRE43066||Dec 2, 2008||Jan 3, 2012||Shared Spectrum Company||System and method for reuse of communications spectrum for fixed and mobile applications with efficient method to mitigate interference|
|USRE44237||Nov 12, 2010||May 21, 2013||Shared Spectrum Company||System and method for reuse of communications spectrum for fixed and mobile applications with efficient method to mitigate interference|
|USRE44492||Apr 19, 2011||Sep 10, 2013||Shared Spectrum Company||System and method for reuse of communications spectrum for fixed and mobile applications with efficient method to mitigate interference|
|EP2076844A2 *||Oct 12, 2007||Jul 8, 2009||Verizon Services Corp.||System and method for managing and monitoring mobile data, content, access and usage|
|WO2008025157A1 *||Aug 30, 2007||Mar 6, 2008||Redknee Inc||Method and system for applying a policy to access telecommunication services|
|WO2008051379A2 *||Oct 12, 2007||May 2, 2008||Hinal K Balia||System and method for managing and monitoring mobile data, content, access and usage|
|WO2008140471A1 *||Oct 19, 2007||Nov 20, 2008||Shared Spectrum Co||Method and device for policy-based control of radio|
|International Classification||H04W36/14, H04W12/08, H04W48/18, H04L9/00|
|Cooperative Classification||H04L2209/56, H04L2209/60, H04L9/321, H04L2209/805, H04L69/329, H04L67/30, H04W12/08, H04L67/322, H04L41/0213, H04L63/08, H04L41/5009, H04L63/0263, H04L67/14, H04L41/5016, H04L43/0817, H04L43/045, H04L63/0869, H04L67/04, H04L47/11, H04L63/1408, H04L47/22, H04L9/3273, H04L41/509, H04L67/02, H04L63/102, H04L63/162, G06F21/6227, H04L63/0823, H04L41/5067, H04L63/145, H04L63/20, H04L63/0227, H04W48/18, H04L47/24, H04L63/0272, G06F21/316, H04L41/0681, H04L63/166|
|European Classification||H04L63/14D1, H04L63/20, H04L47/24, H04L43/04A, H04L47/22, H04L29/08N3, H04L47/11, H04L9/32R2, H04L29/08N13, H04L63/14A, G06F21/62B1, G06F21/31B, H04L63/08G, H04L63/10B, H04L9/08, H04L63/02B, H04L41/50A2, H04L29/08N31Q, H04W12/08, H04L29/08N1, H04L41/02B, H04L29/08N29, H04L63/02C, H04L29/08A7, H04L41/50J2, H04L63/02B6, H04L43/08D|
|Feb 2, 2006||AS||Assignment|
Owner name: JAPAN COMMUNICATIONS, INC., JAPAN
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SANDA, FRANK SEIJI;FUKUDA, NAOHISA;LAVES, EDWARD W.;AND OTHERS;REEL/FRAME:017109/0848;SIGNING DATES FROM 20050912 TO 20060119