WO2008038277A2 - A system and a method for secure web browsing using server-based computing configuration - Google Patents


Info

Publication number: WO2008038277A2
Authority: WO (WIPO, PCT)
Prior art keywords: browser, organization, network, data communication, external data
Application number: PCT/IL2007/001181
Other languages: French (fr)
Other versions: WO2008038277A3 (en)
Inventor: David Yanovsky
Original Assignee: Jetro Platforms Ltd.
Applicant: Jetro Platforms Ltd.
Publications: WO2008038277A2, WO2008038277A3

Classifications

All codes fall under H04L, transmission of digital information, e.g. telegraphic communication (section H, electricity; class H04, electric communication technique):

    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes (under H04L63/02, network security architectures or protocols for separating internal from external traffic, e.g. firewalls)
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/535 Network services: tracking the activity of the user
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network, for accessing one among a plurality of replicated servers
    • H04L67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload
    • H04L67/1029 Server selection among replicated servers using data related to the state of servers by a load balancer

Definitions

  • The system may further include at least one dedicated local server residing on the network of the organization. The local server monitors and controls browsing activity of the users in accordance with predefined criteria. A local internal directory service may manage the predefined criteria; this directory service further manages the allocation of random identification information for the users.
  • The system may also include at least one gateway server residing in the Secure Internet Browsing Zone. The gateway server may monitor and control browsing activity of the users in accordance with predefined criteria, which may be managed by a remote internal directory service. The system may further include at least one remote application virtualization controlling server in the Secure Internet Browsing Zone for monitoring and controlling browsing activity through the Secure Internet Browsing Zone in accordance with predefined rules.
  • The system may also include a first firewall leg, located between the network of the organization and the Secure Internet Browsing Zone, and a second firewall leg, located between the Secure Internet Browsing Zone and the external data communication networks.
  • FIG. 1 is a block diagram illustrating principal components of the proposed system and method in accordance with embodiments of the present invention, and the environment in which they operate.
  • FIG. 2 is a flowchart schematically illustrating the principal steps and the flow of information in accordance with embodiments of the present invention.
  • The present invention provides highly secured, controlled access to external data communication networks, which are outside the network of the organization, such as the internet, for end users of an organization. The disclosed system makes use of application virtualization and server-based computing (SBC) architectures to provide users with a transparent browsing experience which may be centrally monitored and controlled.
  • The system enables users to browse the internet using their client computers without executing any HTML or downloading any original web content, such as files, pictures and print files, into the network of the organization or onto the client computer.
  • The proposed system provides additional security measures to the network of the organization by allocating random anonymous user identities to the users of the organization. The proposed configuration also enables highly effective load balancing services.
  • An embodiment is an example or implementation of the invention. The various appearances of “one embodiment”, “an embodiment” or “some embodiments” do not necessarily all refer to the same embodiments. Although various features of the invention may be described in the context of a single embodiment, the features may also be provided separately or in any suitable combination. The invention may also be implemented in a single embodiment.
  • Reference in the specification to “one embodiment”, “an embodiment”, “some embodiments” or “other embodiments” means that a particular feature, structure, or characteristic described in connection with the embodiments is included in at least one embodiment, but not necessarily all embodiments, of the invention. It is understood that the phraseology and terminology employed herein are not to be construed as limiting and are for descriptive purposes only.
  • The terms “bottom”, “below”, “top” and “above” as used herein do not necessarily indicate that a “bottom” component is below a “top” component, or that a component that is “below” is indeed below another component, or that a component that is “above” is indeed above another component. Directions, components or both may be flipped, rotated, moved in space, placed in a diagonal orientation or position, placed horizontally or vertically, or similarly modified. The terms “bottom”, “below”, “top” and “above” may be used herein for exemplary purposes only, to illustrate the relative positioning or placement of certain components, to indicate a first and a second component, or to do both.
  • FIG. 1 is a block diagram illustrating principal components of the proposed system and method in accordance with embodiments of the present invention, and the environment in which they operate.
  • Users in the organization connect to their client computers 110, which may be any type of computer device such as a desktop, laptop, handheld personal computer (PC), Palm, Blackberry™, Smart Phone™, workstation and the like. The client computers are connected to the network of the organization 100. Also connected to the network of the organization 100 are dedicated servers 120. Dedicated servers 120 monitor and control the internal and external browsing activity of the users based on information stored in internal directory service 125. Internal directory service 125 manages the identities and relationships that make up network environments.
  • When a user requests a location on the external data communication networks 180, the system switches to secure application virtualization browsing mode. Dedicated servers 120 in the network of the organization 100 communicate with remote servers 160 in Secure Internet Browsing Zone 140 through first firewall leg 130. Remote servers 160 acquire information from their local directory services domain 165 and communicate with Application Virtualization Services (AVS) Servers in remote AVS farm 150. The local directory services domain 165 may be any type of directory services domain, such as Active Directory of Microsoft™. AVS Servers in remote AVS farm 150 may be any type of Application Virtualization Services servers, such as Terminal Servers of Microsoft™, Presentation Server of Citrix™ and the application virtualizing technology of VMware™.
  • The servers in the Secure Internet Browsing Zone 140 establish connections with external data communication networks 180 through a second firewall leg 170. Data from external data communication networks 180 to client computers 110 flows from the external data communication networks 180 through second firewall leg 170 to the remote servers in Secure Internet Browsing Zone 140, and through the first firewall leg 130 to the client computers 110 on the network of the organization 100.
  • The distinction between the network of the organization 100 and the external data communication networks 180 may be defined by the system administrator. For example, the system administrator may define the local area network (LAN) of the organization as the network of the organization 100 and any other address as residing on an external data communication network 180. Alternatively, the system administrator may define several addresses on the internet as belonging to the network of the organization 100 and any other addresses as residing on external data communication networks 180. Such definitions may be performed according to the domain names of the websites.
  • The browser on the client computers 110 operates in local mode when browsing sites at internal links within the network of the organization 100. In local browsing mode the browsing is performed using a local browser which runs on the client computer 110. When the user follows a link to an external data communication network 180, the system automatically switches to browsing in application virtualization mode. Switching between local browsing mode and secure application virtualization mode is performed in a manner which is totally transparent to the user; users in the organization may be totally unaware that the browsing application accessible to them on the client computer is not run locally, but operates through remote AVS Servers 150. When the user returns to a link within the network of the organization 100, the system automatically switches back to local browsing mode using a browser operating locally on client computer 110.
  • Remote AVS Server 150 receives all actions performed by the users on the client computers 110 and implements the user activities on a browser residing on remote AVS Server 150. Any changes occurring in the browser on remote AVS Server 150 are transmitted to the appropriate client computer 110 using client-server communication protocols, proprietary or commercial, such as Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA) or any other protocol. The only information streaming from external data communication networks 180, through Secure Internet Browsing Zone 140, to the network of the organization 100 consists of graphic, text, video and audio information changes reflecting changes occurring in the browser window. All browser activity is performed on remote AVS 150 and the user receives only graphic, text, video and audio information of the browser window. The network of the organization 100 and its client computers are therefore protected from any malicious content from the external data communication networks 180, such as viruses, worms, Trojan horses and the like.
  • A dedicated browser plug resides on client computer 110 and an additional plug is on external AVSs 150. This plug intercepts all client computer 110 calls to the HTTP/HTTPS protocols and redirects the calls to the local browser for internal corporate sites and to the remote browser for external sites.
  • Additional features may be added in order to provide enhanced browser functionality or handling of 3rd-party content. These may include content blocking of particular formats, such as flash and video streaming, enabling or disabling add-ins like toolbars, and enabling the operation of additional protocols such as instant messaging and voice over internet protocol (VoIP) tools. In particular, the proposed system and method enable controlling the execution of flash movies.
  • FIG. 2 is a flowchart schematically illustrating the above described procedure in accordance with embodiments of the present invention. The user selects a link (step 200). The dedicated agent on the client computer of the user checks whether the link is an internal or an external one (step 205). Provided that the link is an internal one, the local browser on the client computer of the user retrieves the information in local browsing mode (step 210). If the link is found to point to an external website, the browser seamlessly switches to operating in virtual browsing mode in accordance with application virtualization methods (step 215).
  • The seamless switching between local browsing mode and virtual browsing mode is achieved using several means. Random user identification information is retrieved from a local server for the user (step 220). The random user identification information is generated anew for each communication session of each user, so that all browsing activity of the users is kept completely anonymous. The external link information and the random user identification information are sent to the server of the Secure Internet Browsing Zone, and this information is validated (step 225) by the servers of the Secure Internet Browsing Zone. Additionally, at this step the system may check that the requested external link complies with organization policies concerning web browsing.
  • A browser is activated on the servers of the Secure Internet Browsing Zone (step 230) and the requested information is retrieved from the remote website on the external data communication networks (step 235). The retrieved information is checked according to data-security definitions (step 240). Finally, graphic, text, video and audio information is sent from the browser on the server of the Secure Internet Browsing Zone to the virtual browsing window on the client computer of the user in accordance with application virtualization methods (steps 245, 250). Thus, only graphic, text, video and audio information representing the information on the browser in the Secure Internet Browsing Zone is sent to the network of the organization 100.
  • The system includes an AVS shield to protect the communication between the server and the terminals from eavesdropping, distributed denial-of-service, buffer overflow and similar attacks. The default eavesdropper accepts connections only from a dedicated secure relay module. All communication protocols, such as RDP, secure RDP (RDPS) and printing, are encapsulated by digitally signed Extensible Markup Language (XML) tags. The public and private certificates are unique for every organization site. All other unsigned or wrongly signed communication packets are dropped.
  • Client computers 110 in the network of the organization 100 only communicate with servers of the system 120 inside the network of the organization 100. Transmission control protocol (TCP) communication between the network of the organization 100 and Secure Internet Browsing Zone 140 is performed only from servers of the system 120 on the network of the organization 100 to servers 160 of Secure Internet Browsing Zone 140. There are no open communication ports to AVS Servers 150 or to directory service 165 for replication; thus client desktops do not communicate directly with AVS Servers 150. Any attempt to establish a connection with the AVS Servers 150 or to bypass the security system is automatically blocked by the system.
  • An internal user has to be a member of the directory service of the organization, such as Active Directory or any other directory service (Novell, Netscape, etc.), in order to connect to AVS Servers 150. The user identity is kept anonymous during internet browsing: the system allocates random usernames to the users of the organization to create anonymous usernames. The lists of real usernames and anonymous usernames are kept only in server 120 of the network of the organization 100. The outside world, including the Secure Internet Browsing Zone 140, only has access to the anonymous usernames. The system erases the cookies and browsing history lists of the user with every user logoff.
  • The proposed system and method also enable implementing precise monitoring of user activity on external data communication networks 180. The system may not only monitor which websites the user accesses, but also give precise indications as to how long the window presenting the website was active. Since users sometimes use multiple windows simultaneously and leave some windows open even when they are not working directly with them, it is difficult to provide accurate indications of the actual time the user spent on a particular website using prior-art systems. However, since in application virtualization architecture the status of the window is constantly monitored, the system may provide accurate information concerning the internet usage patterns of the user. Additionally, according to embodiments of the present invention the system may implement management restrictions regarding the access of the user to the internet, including time and website content limitations.
  • When a user downloads a file from the external data communication networks 180, according to some embodiments the downloaded file is sent by email to the user, so that it is scanned and filtered by the email security mechanisms of the organization. According to other embodiments, all downloaded files are first downloaded to a secure isolated zone. The files are then checked and scanned using third-party file inspection tools before allowing their transference to the network of the organization 100. All files which are sent to printers located on the network of the organization 100 from external data communication networks 180 are converted into safe files and printing commands before entering the network of the organization 100.
  • Load balancing tools are used in order to provide maximum scalability and performance when running browsers on the AVS Servers 150. Dedicated performance-related counters may be implemented, which may include monitoring browser I/O operations per second, page faults per second, private bytes, thread counts, user and kernel time and the like. Those counters enable identifying bottlenecks and releasing them. Releasing bottlenecks increases server resource utilization and allows more users to be served by the same AVS Servers 150.
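The AVS shield described above (every RDP, RDPS or printing packet wrapped in digitally signed XML, anything unsigned or wrongly signed dropped) can be modelled as a relay that signs envelopes and a shield that verifies them. This is an added example, not code from the patent or from Jetro Platforms. It assumes an HMAC-SHA256 key shared by the relay and the shield of one site as a stand-in for the per-site certificate pair the patent describes, adds a sequence number so that a replayed envelope is dropped as well, and uses constructed packet bytes.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET

MAX_ENVELOPE = 64 * 1024   # drop oversized envelopes before parsing them at all


class SecureRelay:
    """Dedicated secure relay module: wraps one protocol packet in an XML
    envelope and signs site, protocol, sequence number and payload together.
    Assumption: HMAC with a per-site key stands in for the per-site certificate."""

    def __init__(self, site_id, key):
        self.site_id = site_id
        self._key = key

    @staticmethod
    def digest(key, site, proto, seq, payload_b64):
        msg = "|".join([site, proto, str(seq), payload_b64]).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def wrap(self, proto, seq, payload):
        payload_b64 = base64.b64encode(payload).decode()
        root = ET.Element("packet", site=self.site_id, proto=proto, seq=str(seq))
        ET.SubElement(root, "payload").text = payload_b64
        ET.SubElement(root, "sig").text = self.digest(
            self._key, self.site_id, proto, seq, payload_b64)
        return ET.tostring(root)


class AVSShield:
    """Listener in front of the AVS servers. accept() returns the inner packet
    bytes for a valid envelope and None for anything that must be dropped."""

    ALLOWED_PROTOCOLS = {"RDP", "RDPS", "PRINT"}

    def __init__(self, site_id, key):
        self.site_id = site_id
        self._key = key
        self._last_seq = -1
        self.dropped = []          # drop reasons, for the monitoring side

    def _drop(self, reason):
        self.dropped.append(reason)
        return None

    def accept(self, raw):
        if len(raw) > MAX_ENVELOPE:
            return self._drop("oversized")
        try:
            root = ET.fromstring(raw)
        except ET.ParseError:
            return self._drop("unparseable")
        if root.tag != "packet":
            return self._drop("not a packet envelope")
        site, proto, seq = root.get("site"), root.get("proto"), root.get("seq")
        payload_el, sig_el = root.find("payload"), root.find("sig")
        if None in (site, proto, seq) or payload_el is None or sig_el is None:
            return self._drop("unsigned or incomplete envelope")
        payload_b64, sig = payload_el.text or "", sig_el.text or ""
        try:
            seq = int(seq)
        except ValueError:
            return self._drop("bad sequence number")
        # Verify the signature before trusting any other field of the envelope.
        expected = SecureRelay.digest(self._key, site, proto, seq, payload_b64)
        if not hmac.compare_digest(expected, sig):
            return self._drop("wrong signature")
        if site != self.site_id:
            return self._drop("signed for another site")
        if proto not in self.ALLOWED_PROTOCOLS:
            return self._drop("protocol not allowed: " + proto)
        if seq <= self._last_seq:
            return self._drop("replayed envelope")
        try:
            payload = base64.b64decode(payload_b64, validate=True)
        except binascii.Error:
            return self._drop("bad payload encoding")
        self._last_seq = seq
        return payload


if __name__ == "__main__":
    key = b"constructed-site-key"           # constructed; one key per organization site
    relay, shield = SecureRelay("site-A", key), AVSShield("site-A", key)
    env = relay.wrap("RDP", 1, b"\x03\x00\x00\x13")
    print(shield.accept(env))                # inner packet bytes
    print(shield.accept(env), shield.dropped)  # same envelope again: dropped as a replay
```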

Abstract

The present invention provides highly secured, controlled access to external data communication networks, which are outside the network of the organization, such as the internet, for end users of an organization. According to embodiments of the present invention the disclosed system makes use of application virtualization and server-based computing (SBC) architectures to provide users with a transparent browsing experience which may be centrally monitored and controlled. The system enables users to browse the internet using their client computers without executing any HTML or downloading any original web content into the network of the organization or onto the client computer. According to embodiments of the present invention the proposed system provides additional security measures to the network of the organization by allocating random anonymous user identities to the users of the organization. The proposed configuration also enables highly effective load balancing services.

Description

A System and a Method for Secure Web Browsing Using Server-Based Computing Configuration
[001] FIELD OF INVENTION
[002] The present invention relates to systems and methods which enable end users of networks of organizations to gain access to the internet while ensuring that the integrity of the internal network is not breached. More particularly, the present invention relates to systems and methods which provide secure browsing for end users of networks of organizations using application virtualization and server-based computing technologies.
[003] BACKGROUND OF THE PRIOR ART
[004] The security hazards awaiting users on the internet, and the high rate at which they evolve, do not allow for solutions which provide users with full security. For this reason many organizations have found that the only way they can secure their local area network (LAN) is by highly restricting it or isolating it completely from the wide area network (WAN). While this solution greatly increases the security of the LAN, it also poses severe limitations on the LAN end users' access to the internet.
[005] One of the possible solutions for this problem includes maintaining two independent networks: the internal network of the organization and an additional one which provides end users with access to the internet using a different set of client computers. This solution has several shortcomings. In addition to being inconvenient for the end users, who have to use different client computers for the different purposes, it is also a relatively costly solution, since it demands providing the infrastructure and maintenance of two different networks in the same organization. Additionally, this solution does not provide absolute security, since end users may unwittingly breach the security mechanisms of the internal LAN of the organization by transferring files downloaded from the internet using portable hardware, such as universal serial bus (USB) flash memory devices. Using such devices the end users bypass all file transference security means and may cause significant damage to the organization. Moreover, this mode of operation does not provide easy solutions for monitoring and managing the accessibility of end users to the internet on an individual basis, since most often one client computer which is connected to the internet serves more than one end user. Thus, while the type of websites the end users enter may be monitored and controlled, the time each user spends browsing the web and the type of activities each user performs cannot be determined.
[006] Server-based computing (SBC) is a network architecture according to which applications are deployed, managed, supported and executed in full on a remote server. In SBC environments data and applications reside on servers.
[007] There is therefore a need for a system and a method for allowing end users of organizations to gain easy and ready access to the internet while ensuring the integrity and security of the organizational LAN. Such a solution would preferably make use of application virtualization and SBC configuration.
[008] SUMMARY OF INVENTION
[009] Disclosed is a method of enabling secure access to external data communication networks for a client computer of a user of a network of an organization using application virtualization and server-based computing architecture. The method includes the steps of monitoring designated locations of HTTP requests and distinguishing between locations of the requests on the network of the organization and locations of the requests on external data communication networks. This distinction is performed by a first dedicated browser plug residing on a local browser of the client computer and a second dedicated browser plug residing on a remote browser. The method also includes the step of automatically switching to operating in application virtualization mode using the remote browser when the designated location is identified as located on the external data communication networks. The remote browser information is displayed on the application window of the local browser. The disclosed method further includes the step of automatically switching to the local browser when the location is identified as located on the network of the organization. The remote browser information is displayed on the application window of the local browser.
[0010] The remote browser is located on a remote server in a Secure Internet Browsing Zone located between the network of the organization and the external data communication networks. The method may also include the step of randomly allocating anonymous identification information to the user. The anonymous identification information replaces real identification information of the user before accessing the external data communication networks. The list associating the anonymous identification information and real identification information of users is stored inside the network of the organization. This allocation is performed anew for each communication session for each user.
The distinction between locations of the requests on network of the organization and locations of the requests on external data communication networks is performed in accordance with system administrator definitions.
[0011] The method may also include the step of converting into safe files files from the external data communication networks which are sent to a printer located in the network of the organization. Additionally, the method may include the step of sending a file as an email attachment to the email of a user when the user performs file download from the external data communication networks. Alternatively, the method may include the steps of quarantining a file and inspecting the file using third party tools before allowing the transference of the file into the network of the organization. The quarantining and inspecting are performed when file download is requested from the external data communication networks.
[0012] The method may further include the steps of monitoring browser data flow and load balancing of the browsing in accordance with the monitored browser data flow.
[0013] The method may also include the step of synchronizing between the local browser residing on the client computer and the remote browser. The synchronization may include copying lists of favorite links, copying cookies, and copying browsing history.
[0014] The method may further include the step of controlling the execution of flash movies on the browsers.
[0015] Also disclosed is a system of enabling the secure access to external data communication networks for a client computer of a user of a network of an organization using application virtualization and server-based computing architecture. The system comprises at least one local browser wherein the local browser resides on the client computer and at least one remote browser located on a server in a Secure Internet Browsing Zone. The Secure Internet Browsing Zone is located between the network of the organization and the external data communication networks. The system also includes a first dedicated browser plug residing on the local browser wherein the plug monitors all designated locations of HTTP requests and distinguishes between locations on the network of the organization and locations on external data communication networks. Also included in the system is a second dedicated browser plug residing on the remote browser located on a remote server wherein the plug monitors all designated locations of HTTP requests and distinguishes between locations on the network of the organization and locations on external data communication networks.
[0016] The system also includes a switching module for alternating between browsing using the local browser and browsing using the remote browser in application virtualization mode in accordance with the distinctions between links on the network of the organization and links on the external data communication networks. The information of the local browser and the remote browser is alternately displayed to the user on the same browser application window.
[0017] The system may further include at least one dedicated local server residing on the network of the organization. The local server monitors and controls browsing activity of the users in accordance with predefined criteria. The system may further include a local internal directory service for managing the predefined criteria. The local internal directory service further manages the allocation of random identification information for the users.
[0018] The system may also include at least one gateway server residing on the Secure Internet Browsing Zone. The gateway server may monitor and control browsing activity of the users in accordance with predefined criteria. Optionally also included is a remote internal directory service for managing the predefined criteria.
[0019] The system may further include at least one remote application virtualization controlling server in the Secure Internet Browsing Zone for monitoring and controlling browsing activity through Secure Internet Browsing Zone in accordance with predefined rules.
[0020] The system may also include a first firewall leg. The first firewall leg is located between the network of the organization and the Secure Internet Browsing Zone. The system may also include a second firewall leg. The second firewall leg is located between the Secure Internet Browsing Zone and the external data communication networks. Also optionally included is a module for synchronizing between the local browser residing on the client computer and the remote browser.
[0021] BRIEF DESCRIPTION OF THE DRAWINGS
[0022] The subject matter regarded as the invention will become more clearly understood in light of the ensuing description of embodiments herein, given by way of example and for purposes of illustrative discussion of the present invention only, with reference to the accompanying drawings, wherein
[0023] Figure 1 is a block diagram illustrating principal components of the proposed system and method in accordance with embodiments of the present invention, and the environment in which they operate;
[0024] Figure 2 is a flowchart schematically illustrating the principal steps and the flow of information in accordance with embodiments of the present invention.
[0025] The drawings together with the description make apparent to those skilled in the art how the invention may be embodied in practice.
[0026] No attempt is made to show structural details of the invention in more detail than is necessary for a fundamental understanding of the invention. [0027] It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.
[0028] DESCRIPTION OF SOME EMBODIMENTS OF THE INVENTION
[0029] The present invention provides highly secured, controlled access to external data communication networks, which are outside the network of the organization, such as the internet, for end users of an organization. According to embodiments of the present invention the disclosed system makes use of application virtualization and server-based computing (SBC) architectures to provide users with a transparent browsing experience which may be centrally monitored and controlled. The system enables users to browse the internet using their client computers without executing any HTML or downloading any original web content, such as files, pictures and print files, into the network of the organization and onto the client computer. According to embodiments of the present invention the proposed system provides additional security measures to the network of the organization by allocating random anonymous user identities to the client users of the organization. The proposed configuration also enables highly effective load balancing services.
[0030] An embodiment is an example or implementation of the inventions. The various appearances of "one embodiment," "an embodiment" or "some embodiments" do not necessarily all refer to the same embodiments. Although various features of the invention may be described in the context of a single embodiment, the features may also be provided separately or in any suitable combination. Conversely, although the invention may be described herein in the context of separate embodiments for clarity, the invention may also be implemented in a single embodiment.
[0031] Reference in the specification to "one embodiment", "an embodiment", "some embodiments" or "other embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiments is included in at least one embodiment, but not necessarily all embodiments, of the inventions. It is understood that the phraseology and terminology employed herein are not to be construed as limiting and are for descriptive purposes only.
[0032] The principles and uses of the teachings of the present invention may be better understood with reference to the accompanying description, figures and examples. It is to be understood that the details set forth herein do not constitute a limitation to an application of the invention. Furthermore, it is to be understood that the invention can be carried out or practiced in various ways and that the invention can be implemented in embodiments other than the ones outlined in the description below.
[0033] It is to be understood that the terms "including", "comprising", "consisting" and grammatical variants thereof do not preclude the addition of one or more components, features, steps, or integers or groups thereof and that the terms are to be construed as specifying components, features, steps or integers. The phrase "consisting essentially of", and grammatical variants thereof, when used herein is not to be construed as excluding additional components, steps, features, integers or groups thereof but rather that the additional features, integers, steps, components or groups thereof do not materially alter the basic and novel characteristics of the claimed composition, device or method.
[0034] If the specification or claims refer to "an additional" element, that does not preclude there being more than one of the additional element. It is to be understood that where the claims or specification refer to "a" or "an" element, such reference is not to be construed as meaning that there is only one of that element. It is to be understood that where the specification states that a component, feature, structure, or characteristic "may", "might", "can" or "could" be included, that particular component, feature, structure, or characteristic is not required to be included.
[0035] Where applicable, although state diagrams, flow diagrams or both may be used to describe embodiments, the invention is not limited to those diagrams or to the corresponding descriptions.
For example, flow need not move through each illustrated box or state, or in exactly the same order as illustrated and described. [0036] Methods of the present invention may be implemented by performing or completing manually, automatically, or a combination thereof, selected steps or tasks. The term "method" refers to manners, means, techniques and procedures for accomplishing a given task including, but not limited to, those manners, means, techniques and procedures either known to, or readily developed from known manners, means, techniques and procedures by practitioners of the art to which the invention belongs. The descriptions, examples, methods and materials presented in the claims and the specification are not to be construed as limiting but rather as illustrative only. [0037] Meanings of technical and scientific terms used herein are to be commonly understood as by one of ordinary skill in the art to which the invention belongs, unless otherwise defined. The present invention can be implemented in the testing or practice with methods and materials equivalent or similar to those described herein. [0038] The terms "bottom", "below", "top" and "above" as used herein do not necessarily indicate that a "bottom" component is below a "top" component, or that a component that is "below" is indeed "below" another component or that a component that is "above" is indeed "above" another component. As such, directions, components or both may be flipped, rotated, moved in space, placed in a diagonal orientation or position, placed horizontally or vertically, or similarly modified. Accordingly, it will be appreciated that the terms "bottom", "below", "top" and "above" may be used herein for exemplary purposes only, to illustrate the relative positioning or placement of certain components, to indicate a first and a second component or to do both.
[0039] Any publications, including patents, patent applications and articles, referenced or mentioned in this specification are herein incorporated in their entirety into the specification, to the same extent as if each individual publication was specifically and individually indicated to be incorporated herein. In addition, citation or identification of any reference in the description of some embodiments of the invention shall not be construed as an admission that such reference is available as prior art to the present invention. [0040] Figure 1 is a block diagram illustrating principal components of the proposed system and method in accordance with embodiments of the present invention, and the environment in which they operate. According to embodiments of the present invention users in the organization connect to their client computers 110 which may be any type of computer device such as desktop, laptop, handheld personal computer (PC), Palm, Blackberry™, Smart Phone™, workstation and the like. The client computers are connected to the network of the organization 100. Also connected to the network of the organization 100 are dedicated servers 120. Dedicated servers 120 monitor and control the internal and external browsing activity of the users based on information stored in internal directory service 125. Internal directory service 125 manages the identities and relationships that make up network environments.
[0041] To allow browsing on external data communication networks 180, the system switches to secure application virtualization browsing mode. In order to enable the secure connection to external data communication networks 180 in application virtualization mode, dedicated servers 120 in the network of the organization 100 communicate with remote servers 160 in Secure Internet Browsing Zone 140 through first firewall leg 130. Remote servers 160 acquire information from their local directory services domain 165 and communicate with Application Virtualization Services (AVS) Servers in remote AVS farm 150. The local directory services domain 165 may be any type of directory services domain, such as Active Directory of Microsoft™. AVS Servers in remote AVS farm 150 may be any type of Application Virtualization Services servers, such as Terminal Servers of Microsoft™, Presentation Server of Citrix™ and the application virtualization technology of VMware™.
[0042] The servers in the Secure Internet Browsing Zone 140 establish connections with external data communication networks 180 through a second firewall leg 170. The data from external data communication networks 180 to client computers 110 flows from the external data communication networks 180 through second firewall leg 170 to the remote servers in Secure Internet Browsing Zone 140, and through the first firewall leg 130 to the client computers 110 on the network of the organization 100.
[0043] According to embodiments of the present invention the distinction between the network of the organization 100 and the external data communication networks 180 may be defined by the system administrator. For instance, the system administrator may define the local area network (LAN) of the organization as the network of the organization 100 and any other address as residing on an external data communication network 180. Similarly, the system administrator may define several addresses on the internet as belonging to the network of the organization 100 and any other addresses as residing on external data communication network 180. Such definitions may be performed according to the domain names of the websites.
[0044] According to embodiments of the present invention the browser on the client computers 110 operates in local mode when browsing sites via internal links within the network of the organization 100. In local browsing mode the browsing is performed using a local browser which runs on the client computer 110. Whenever the user requests access to an address or clicks on an external link to a site which resides on external data communication networks 180, the system automatically switches to browsing in application virtualization mode. According to embodiments of the present invention, switching between local browsing mode and secure application virtualization mode is performed in a manner which is totally transparent to the user. Thus, users in the organization may be totally unaware that the browsing application accessible to them on the client computer is not run locally, but operates through remote AVS Servers 150. Similarly, when users attempt to access an address located on the network of the organization 100 while browsing in application virtualization mode, the system automatically switches to local browsing mode using a browser operating locally, on client computer 110.
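The internal/external decision of paragraphs [0043] and [0044], written out as an added Python example; this is not code from the patent or from Jetro Platforms. The administrator definitions (the LAN address ranges and the domain names treated as part of the network of the organization) are constructed sample values, and the function names are assumptions. The matching rule is suffix-based on whole labels, so a name such as `corp.example.evil.test` does not pass as internal, and anything the plug cannot parse as an HTTP/HTTPS target is sent to the remote browser rather than the local one.

```python
"""Constructed example: route each request to the local browser or to the
remote browser in the Secure Internet Browsing Zone, based on the system
administrator's definition of "the network of the organization"."""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Administrator definitions (constructed sample values, assumptions).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Domain names the administrator declares part of the organization's network;
# the patent allows internet-hosted names to be declared internal as well.
INTERNAL_DOMAINS = ("corp.example", "intranet.example", "portal.example-partner.net")

LOCAL, REMOTE = "local", "remote"


def _host_of(url: str) -> Optional[str]:
    """Hostname of an HTTP/HTTPS target, or None if the plug should not trust it."""
    parts = urlsplit(url if "//" in url else "http://" + url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname  # lower-cased; port and IPv6 brackets removed


def _matches_domain(host: str, domain: str) -> bool:
    # Exact match or a proper subdomain: "corp.example.evil.test" must not match.
    return host == domain or host.endswith("." + domain)


def browsing_mode(url: str) -> str:
    """LOCAL for the local browser, REMOTE for application virtualization mode."""
    host = _host_of(url)
    if host is None:
        return REMOTE  # unknown scheme or unparsable target: keep it off the LAN
    try:
        addr = ipaddress.ip_address(host)
        return LOCAL if any(addr in net for net in INTERNAL_NETWORKS) else REMOTE
    except ValueError:
        pass  # not an IP literal, fall through to name-based rules
    if "." not in host:
        return LOCAL  # single-label names resolve only inside the LAN
    return LOCAL if any(_matches_domain(host, d) for d in INTERNAL_DOMAINS) else REMOTE


def route_request(url: str, current_mode: str) -> Tuple[str, bool]:
    """Mode for this request and whether the plug has to switch browsers (step 205)."""
    target = browsing_mode(url)
    return target, target != current_mode


if __name__ == "__main__":
    for u in ("http://wiki.corp.example/page", "https://www.example.com/"):
        print(u, "->", route_request(u, LOCAL))
```

The switch decision is made per request, so a page on the remote browser that links back to an intranet address is sent to the local browser on the next navigation, which is the behaviour paragraph [0044] describes.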
[0045] Remote AVS Server 150 receives all actions performed by the users on the client computers 110 and implements user activities on a browser residing on remote AVS Server 150. Any changes occurring in the browser on remote AVS Server 150 are transmitted to the appropriate client computer 110 using a proprietary or commercial client-server communication protocol such as Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA) or any other protocol. The only information streaming from external data communication networks 180, through Secure Internet Browsing Zone 140, to the network of the organization 100 is the graphic, text, video and audio information reflecting changes occurring in the browser window. Thus, all browser activity is performed on remote AVS Server 150 and the user receives only graphic, text, video and audio information of the browser window. The network of the organization 100 and its client computers are therefore protected from any malicious content from the external data communication networks 180, such as viruses, worms, Trojan horses and the like.
[0046] According to embodiments of the present invention a dedicated browser plug (agent) resides on client computer 110 and an additional plug resides on remote AVS Servers 150. This plug intercepts all client computer 110 calls to the HTTP/HTTPS protocols. According to system definitions the plug redirects the calls to the local browser for internal corporate sites and to the remote browser for external sites. Additional features may be added in order to provide enhanced browser 3rd party content or functionality. These may include content blocking of particular formats, such as flash and video streaming, enabling or disabling add-ins like toolbars, and enabling the operation of additional protocols such as instant messaging and voice over internet protocol (VoIP) tools.
[0047] Additionally, the proposed system and method enable controlling the execution of flash movies. This feature is especially designed to reduce the redundant use of server resources by banners which execute flash movies in loops. For this purpose, the system administrator may define the automatically permitted period of time for the execution of flash movies. For instance, the system administrator may define that flash movies can run for 5 seconds, and any additional time period of executing the flash movies is performed only on user request. The system administrator may also distinguish between websites which are flash-based, and allow their flash movies to run, and websites which only execute flash movies in banners, for which the execution of the flash movies should be restricted. Additionally, the system administrator may also distinguish between different users of the system and enable some users to run flash movies while allowing only restricted execution of flash movies to others.
[0048] Figure 2 is a flowchart schematically illustrating the above described procedure in accordance with embodiments of the present invention.
Working on a client computer on the network of the organization 100 the user selects a link (step 200). The dedicated agent on the client computer of the user checks whether the link is an internal or an external one (step 205). Provided that the link is an internal one, the local browser on the client computer of the user retrieves the information in local browsing mode (step 210). If the link is found to point to an external website the browser seamlessly switches to operating in virtual browsing mode in accordance with application virtualization methods (step 215).
[0049] The seamless switching between local browsing mode and virtual browsing mode is achieved using several means. First, the user activates both browsing modes using a single icon and both browsers operate alternately in the same window. The user then does not have to select which browsing mode he or she is required to use. Second, the browsing environment is duplicated and maintained identical in both browsing modes, including the browser preferences, lists of favorite websites, history, cookies and any other browser attribute.
[0050] Next, random user identification information is retrieved from a local server for the user (step 220). The random user identification information is generated anew for each communication session of each user. Thus, all browsing activity of the users is kept completely anonymous. The external link information and random user identification information is sent to the server of the Secure Internet Browsing Zone and this information is validated (step 225) by the servers of the Secure Internet Browsing Zone. Additionally, at this step the system may check that the requested external link complies with organization policies concerning web-browsing. Provided that the request is found to be valid and in keeping with organization policies, a browser is activated on the servers of the Secure Internet Browsing Zone (step 230) and the requested information is retrieved from the remote website on the external data communication networks (step 235). The retrieved information is checked according to data-security definitions (step 240). Finally, graphic, text, video and audio information are sent from the browser on the server of the Secure Internet Browsing Zone to the virtual browsing window on the client computer of the user in accordance with application virtualization methods (steps 245, 250). Thus, only graphic, text, video and audio information representing the information on the browser in the Secure Internet Browsing Zone is sent to the network of the organization 100.
[0051] According to additional embodiments of the present invention, the system includes an AVS shield to protect the communication between the server and the terminals from eavesdropping, distributed denial-of-service, buffer overflow and similar attacks. The default listener accepts connections only from a dedicated secure relay module. All communication protocols such as RDP, secure RDP (RDPS) and printing are encapsulated by digitally signed Extensible Markup Language (XML) tags. The public and private certificates are unique for every organization site. All other unsigned or wrongly signed communication packets are dropped. Client computers 110 in the network of the organization 100 only communicate with servers of the system 120 inside the network of the organization 100. The transmission control protocol (TCP) communication between the network of the organization 100 and Secure Internet Browsing Zone 140 is performed only from servers of the system 120 on the network of the organization 100 to servers 160 of Secure Internet Browsing Zone 140. There are no open communication ports to AVS Servers 150 or to directory service 165 for replication, thus client desktops do not communicate directly with AVS Servers 150. Any attempt to establish a connection with the AVS Servers 150 or to bypass the security system is automatically blocked by the system.
[0052] According to embodiments of the present invention, an internal user has to be a member of the directory service of the organization, such as Active Directory or any other directory service (Novell, Netscape etc.), in order to connect to AVS Servers 150. The user identity is kept anonymous during internet browsing. The system allocates random usernames to the users of the organization to create anonymous usernames. The lists of real usernames and anonymous usernames are kept only in server 120 of the network of the organization 100. The outside world, including the Secure Internet Browsing Zone 140, only has access to the anonymous usernames. According to embodiments of the present invention, the system erases the cookies and browsing history lists of the user with every user logoff.
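The per-session anonymous identity of step 220 and paragraph [0052], together with the validation the Secure Internet Browsing Zone performs at step 225, as an added Python example that is not the patent's or Jetro's code. The split is the point: the `AnonymousIdentityService` stands for the dedicated server 120 inside the organization and is the only component holding the real-to-anonymous list, while the `BrowsingZoneGateway` stands for gateway server 160 and never sees a real username. The class names, the random-name format and the blocked-domain policy are assumptions.

```python
"""Constructed example: random per-session usernames issued inside the
organization, and policy validation in the browsing zone that only ever sees
the anonymous name."""
import re
import secrets
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Shape of the random usernames this example issues (an assumption).
ANON_PATTERN = re.compile(r"^u[0-9a-f]{16}$")


class AnonymousIdentityService:
    """Runs on the dedicated server (120) inside the network of the organization.
    It is the only place that can map an anonymous username back to a real one."""

    def __init__(self) -> None:
        self._real_by_anon: Dict[str, str] = {}
        self._anon_by_session: Dict[str, str] = {}

    def allocate(self, real_username: str, session_id: str) -> str:
        """Step 220: issue a fresh random username for this session.
        A second session of the same user gets a different name."""
        anon = "u" + secrets.token_hex(8)  # 64 random bits from the OS CSPRNG
        self._real_by_anon[anon] = real_username
        self._anon_by_session[session_id] = anon
        return anon

    def logoff(self, session_id: str) -> None:
        """Drop the mapping at logoff; the next session is allocated anew."""
        anon = self._anon_by_session.pop(session_id, None)
        if anon is not None:
            self._real_by_anon.pop(anon, None)

    def resolve(self, anon_username: str) -> Optional[str]:
        """Internal-only lookup, e.g. for an audit performed inside the organization."""
        return self._real_by_anon.get(anon_username)


class BrowsingZoneGateway:
    """Runs on gateway server (160) in the Secure Internet Browsing Zone.
    It receives only the anonymous username and the external link (step 225)."""

    def __init__(self, blocked_domains: Iterable[str]) -> None:
        self._blocked = tuple(d.lower() for d in blocked_domains)

    def validate(self, anon_username: str, url: str) -> bool:
        # Reject anything that is not one of the random names we expect; a real
        # username reaching the zone would itself be a policy violation.
        if not ANON_PATTERN.match(anon_username):
            return False
        parts = urlsplit(url)
        host = parts.hostname
        if not host or parts.scheme not in ("http", "https"):
            return False
        return not any(host == d or host.endswith("." + d) for d in self._blocked)


if __name__ == "__main__":
    svc = AnonymousIdentityService()
    anon = svc.allocate("alice", "sess-1")
    gw = BrowsingZoneGateway(["blocked.example"])
    print(anon, gw.validate(anon, "https://www.example.com/"))
```

Because the gateway validates on the anonymous name alone, a compromise of the browsing zone yields browsing records that cannot be tied to a person without the list held on server 120, which is the property paragraph [0052] relies on.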
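The signed-envelope rule of paragraph [0051] (protocol traffic wrapped in signed XML tags, unsigned or wrongly signed packets dropped), as an added Python example that is not the patent's or Jetro's code. The patent signs with public and private certificates unique to each organization site; this example substitutes an HMAC keyed with a per-site secret as a stand-in for that signature so it runs offline with the standard library only. The `SiteRelay` name, the `packet` element and the protocol labels are assumptions.

```python
"""Constructed example: encapsulate a protocol payload in a signed XML packet
and drop any packet whose signature is missing or does not verify."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Protocols the relay is willing to carry (labels are assumptions).
ALLOWED_PROTOCOLS = ("RDP", "RDPS", "PRINT")


class SiteRelay:
    """Stands in for the secure relay module of one organization site."""

    def __init__(self, site_key: bytes) -> None:
        # Stand-in for the site's private certificate: a shared per-site secret.
        self._key = site_key

    def _sign(self, protocol: str, body: str) -> str:
        # Sign the protocol label together with the body so neither can be swapped.
        mac = hmac.new(self._key, f"{protocol}\n{body}".encode(), hashlib.sha256)
        return base64.b64encode(mac.digest()).decode()

    def wrap(self, protocol: str, payload: bytes) -> bytes:
        """Encapsulate raw protocol bytes in a signed <packet> element."""
        body = base64.b64encode(payload).decode()
        env = ET.Element("packet", {"protocol": protocol, "sig": self._sign(protocol, body)})
        env.text = body
        return ET.tostring(env)

    def unwrap(self, packet: bytes) -> Optional[Tuple[str, bytes]]:
        """(protocol, payload) if the packet verifies, None if it must be dropped."""
        try:
            env = ET.fromstring(packet)
        except ET.ParseError:
            return None  # not even well-formed: drop
        if env.tag != "packet":
            return None
        protocol, sig, body = env.get("protocol"), env.get("sig"), env.text or ""
        if protocol not in ALLOWED_PROTOCOLS or not sig:
            return None  # unknown protocol or unsigned: drop
        if not hmac.compare_digest(sig, self._sign(protocol, body)):
            return None  # wrongly signed: drop before touching the payload
        try:
            return protocol, base64.b64decode(body, validate=True)
        except ValueError:
            return None


if __name__ == "__main__":
    relay = SiteRelay(b"constructed-site-key")
    pkt = relay.wrap("RDP", b"\x03\x00\x00\x13")
    print(pkt)
    print(relay.unwrap(pkt))
```

The verification order matters: the signature is checked over the still-encoded body, so a packet from a different site or an altered protocol label is discarded before any decoding of attacker-controlled bytes takes place. A production relay would verify an X.509 signature in place of the HMAC, with the same drop-on-failure rule.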
[0053] The proposed system and method also enable implementing precise monitoring of user activity on external data communication networks 180. According to embodiments of the present invention the system may not only monitor which websites the user accesses, but also give precise indications as to how long the window presenting the website was active. Since users sometimes use multiple windows simultaneously and leave some windows open even when they are not working directly with them, it is difficult to provide accurate indications as to the actual time the user spent on a particular website using prior art systems. However, since in application virtualization architecture the status of the window is constantly monitored, the system may provide accurate information concerning the internet usage patterns of the user. Additionally, according to embodiments of the present invention the system may implement management restrictions regarding the access of the user to the internet, including time and website content limitations.
[0054] According to embodiments of the present invention, when users wish to download files from the external data communication networks 180 to their client computer they may do so using one of several methods. According to one method, the downloaded file is sent by email to the user. Thus, the downloaded file is scanned and filtered by the email security mechanisms of the organization. According to another method, all downloaded files are first downloaded to a secure isolated zone. The files are then checked and scanned using third party file inspection tools before allowing their transference to the network of the organization 100. Similarly, all files which are sent to printers located on the network of the organization 100 from external data communication networks 180 are converted into safe files and printing commands before entering the network of the organization 100.
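The window-focus accounting of paragraph [0053], as an added Python example rather than code from the patent or from Jetro Platforms. It consumes a constructed log of focus changes as an AVS server could record them, credits time only to the window that currently has focus (an open but unfocused window earns nothing), and then applies an administrator's per-site time limit. Users appear under their anonymous usernames, since that is all the browsing zone holds; the event format, the sample values and the function names are assumptions.

```python
"""Constructed example: active time per website from focus events recorded on
the AVS server, followed by a per-site time-limit check."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# One focus event: (timestamp in seconds, anonymous username, url of the window
# that gained focus). url is None when focus left every browser window.
FocusEvent = Tuple[float, str, Optional[str]]

# Constructed sample log (assumption): "u1" has two windows open but only one
# of them is focused at any time; "u2" leaves a window open while away.
SAMPLE_EVENTS: List[FocusEvent] = [
    (0.0, "u1", "https://news.example.com/a"),
    (30.0, "u1", "https://docs.example.org/x"),
    (50.0, "u1", None),
    (60.0, "u1", "https://news.example.com/b"),
    (10.0, "u2", "https://news.example.com/"),
    (40.0, "u2", None),
    (70.0, "u2", "https://news.example.com/"),
]


def active_seconds_per_site(events: Iterable[FocusEvent],
                            end_time: float) -> Dict[str, Dict[str, float]]:
    """Seconds each user spent with a given site's window in focus."""
    totals: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    focused: Dict[str, Tuple[str, float]] = {}  # user -> (site, focused since)
    for t, user, url in sorted(events, key=lambda e: e[0]):
        if user in focused:  # close out whatever this user had in focus
            site, since = focused.pop(user)
            totals[user][site] += t - since
        if url is not None:
            focused[user] = (urlsplit(url).hostname or url, t)
    for user, (site, since) in focused.items():  # still focused at end of window
        totals[user][site] += max(0.0, end_time - since)
    return {u: dict(s) for u, s in totals.items()}


def over_time_limit(totals: Dict[str, Dict[str, float]],
                    limits_seconds: Dict[str, float]) -> Dict[str, List[str]]:
    """Users whose active time on a site exceeds the administrator's limit."""
    result: Dict[str, List[str]] = defaultdict(list)
    for user, sites in totals.items():
        for site, secs in sites.items():
            limit = limits_seconds.get(site)
            if limit is not None and secs > limit:
                result[user].append(site)
    return dict(result)


if __name__ == "__main__":
    totals = active_seconds_per_site(SAMPLE_EVENTS, end_time=100.0)
    print(totals)
    print(over_time_limit(totals, {"news.example.com": 60.0}))
```

The same focus stream drives both the usage report and the time-limit enforcement, which is why the patent can claim accuracy that a URL log alone cannot give: a window left open in the background adds nothing to the site's total.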
[0055] Also within the scope of the present invention are load balancing tools. According to embodiments of the present invention a dedicated load balance policy is used in order to provide maximum scalability and performance when running browsers on the AVS Server 150. Dedicated performance-related counters may be implemented, which may include monitoring browser I/O operations per second, page faults per second, private bytes, thread counts, user and kernel time and the like. Those counters enable identifying bottlenecks and releasing them. Releasing bottlenecks enables the increase of server resource utilization and allows more users to be served by the same AVS Servers 150.
[0056] While the invention has been described with respect to a limited number of embodiments, these should not be construed as limitations on the scope of the invention, but rather as exemplifications of some of the embodiments. Those skilled in the art will envision other possible variations, modifications, and applications that are also within the scope of the invention. Accordingly, the scope of the invention should not be limited by what has thus far been described, but by the appended claims and their legal equivalents. Therefore, it is to be understood that alternatives, modifications, and variations of the present invention are to be construed as being within the scope and spirit of the appended claims.

Claims

What is claimed is:
1. A method of enabling secure access to external data communication networks for a client computer of a user of a network of an organization using application virtualization and server-based computing architecture, said method includes the steps of:
- monitoring designated locations of HTTP requests;
- distinguishing between locations of said requests on network of said organization and locations of said requests on external data communication networks wherein said distinction is performed by a first dedicated browser plug residing on a local browser of said client computer and a second dedicated browser plug residing on a remote browser;
- automatically switching to operating in application virtualization mode using said remote browser when said designated location is identified as located on said external data communication networks, wherein said remote browser information is displayed on the application window of said local browser;
- automatically switching to said local browser when said location is identified as located on said network of said organization, wherein said remote browser information is displayed on the application window of said local browser.
2. The method of claim 1 wherein said remote browser is located on a remote server in a Secure Internet Browsing Zone located between said network of said organization and said external data communication networks.
3. The method of claim 1 further including the step of randomly allocating anonymous identification information to said user wherein said anonymous identification information replaces real identification information of said user before accessing said external data communication networks.
4. The method of claim 3 wherein the list associating said anonymous identification information and real identification information of said user is stored inside said network of said organization.
5. The method of claim 3 wherein said allocation is performed anew for each communication session for each said user.
6. The method of claim 1 wherein said distinction is performed in accordance with system administrator definitions.
7. The method of claim 1 further including the step of converting into safe files files from said external data communication networks which are sent to a printer located in said network of said organization.
8. The method of claim 1 further including the step of sending a file as an email attachment to the email of a user when said user performs file download from said external data communication networks.
9. The method of claim 1 further including the steps of:
- quarantining a file;
- inspecting said file using third party tools before allowing the transference of said file into said network of said organization;
wherein said quarantining and inspecting are performed when file download is requested from said external data communication networks.
10. The method of claim 1 further including the steps of:
- monitoring browser data flow;
- load balancing of said browsing in accordance with said monitored browser data flow.
11. The method of claim 1 further including the step of synchronizing between said local browser residing on said client computer and said remote browser.
12. The method of claim 11 wherein said synchronization includes at least one of the following: copying lists of favorite links, copying cookies, copying browsing history.
13. The method of claim 1 further including the step of controlling the execution of flash movies on said browsers.
14. A system of enabling the secure access to external data communication networks for a client computer of a user of a network of an organization using application virtualization and server-based computing architecture, said system comprising:
- at least one local browser wherein said local browser resides on said client computer;
- at least one remote browser located on a server in a Secure Internet Browsing Zone wherein said Secure Internet Browsing Zone is located between said network of said organization and said external data communication networks;
- a first dedicated browser plug residing on said local browser wherein said plug monitors all designated locations of HTTP requests and distinguishes between locations on said network of said organization and locations on external data communication networks;
- a second dedicated browser plug residing on said remote browser located on a remote server wherein said plug monitors all designated locations of HTTP requests and distinguishes between locations on said network of said organization and locations on external data communication networks; and
- a switching module for alternating between browsing using said local browser and browsing using said remote browser in application virtualization mode in accordance with said distinctions between links on said network of said organization and links on said external data communication networks wherein the information of said local browser and said remote browser is alternately displayed to said user on the same browser application window.
15. The system of claim 14 further including at least one dedicated local server residing on said network of said organization wherein said local server monitors and controls browsing activity of said users in accordance with predefined criteria.
16. The system of claim 15 further including a local internal directory service for managing said predefined criteria.
17. The system of claim 16 wherein said local internal directory service further manages the allocation of random identification information for said users.
18. The system of claim 14 further including at least one gateway server residing on said Secure Internet Browsing Zone, wherein said gateway server monitors and controls browsing activity of said users in accordance with predefined criteria.
19. The system of claim 18 further including a remote internal directory service for managing said predefined criteria.
20. The system of claim 14 further including at least one remote application virtualization controlling server in said Secure Internet Browsing Zone for monitoring and controlling browsing activity through Secure Internet Browsing Zone in accordance with predefined rules.
21. The system of claim 14 further including a first firewall leg wherein said first firewall leg is located between said network of said organization and said Secure Internet Browsing Zone.
22. The system of claim 14 further including a second firewall leg wherein said second firewall leg is located between said Secure Internet Browsing Zone and said external data communication networks.
23. The system of claim 14 further including a module for synchronizing between said local browser residing on said client computer and said remote browser.
24. The system of claim 23 wherein said synchronization includes at least one of the following: copying lists of favorite links, copying cookies, copying browsing history.
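The decision that claims 14 and 24 hinge on is the one the "dedicated browser plug" makes for every HTTP request: is the target on the organization's network or on an external network, and therefore which browser renders it. The following is an added example written for this page; it is not code from the patent or from Jetro Platforms, and the organization boundary it uses (DNS suffixes `example.com` and `corp.example.net`, address ranges 10.0.0.0/8 and 192.168.0.0/16), the function names `classify`, `route` and `cookiesSafeToExport`, and the sample cookie jar are all assumptions made for illustration. It goes a little beyond the claim text on purpose: the host is taken from the WHATWG URL parser rather than from the raw string, so userinfo tricks (`http://intranet.example.com@evil.net/`), upper case, trailing dots and non-dotted-quad IPv4 spellings (`http://0xA.1/`) are canonicalized before the comparison, a suffix match is done on label boundaries so `example.com.evil.net` is not mistaken for the intranet, and the cookie synchronization of claim 24 is filtered so that cookies scoped to organization hosts never leave the local browser for the zone that renders untrusted content.

```javascript
// Added example, not code from the patent or from Jetro Platforms.
// Hypothetical organization boundary: two DNS suffixes and two IPv4 ranges.
const ORG_DOMAINS = ['example.com', 'corp.example.net'];
const ORG_CIDRS = ['10.0.0.0/8', '192.168.0.0/16'];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not a dotted quad.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some(x => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True if the integer address lies inside "a.b.c.d/bits".
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Suffix match on label boundaries: "example.com.evil.net" must not match "example.com".
function hostInDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Classify a request target as 'internal', 'external', 'blocked' (non-web scheme,
// never handed to either browser) or 'invalid'. The WHATWG URL parser canonicalizes
// the host first, so userinfo ("intranet.example.com@evil.net"), letter case,
// trailing dots and exotic IPv4 spellings cannot mislead the comparison below.
function classify(rawUrl, baseUrl) {
  let u;
  try { u = new URL(rawUrl, baseUrl); } catch (e) { return 'invalid'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'blocked';
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  const ip = ipv4ToInt(host);
  if (ip !== null) return ORG_CIDRS.some(c => inCidr(ip, c)) ? 'internal' : 'external';
  // Bracketed IPv6 literals fall through and are treated as external here.
  return ORG_DOMAINS.some(d => hostInDomain(host, d)) ? 'internal' : 'external';
}

// The switching module's decision: which browser renders the target.
function route(rawUrl, baseUrl) {
  const cls = classify(rawUrl, baseUrl);
  if (cls === 'internal') return 'local';
  if (cls === 'external') return 'remote';
  return 'block';
}

// Synchronization filter: cookies scoped to organization hosts carry intranet
// sessions and must not be copied into the remote browser, which renders
// untrusted content. A cookie's Domain attribute may start with a dot.
function cookiesSafeToExport(cookies) {
  return cookies.filter(c =>
    classify('https://' + c.domain.replace(/^\./, '') + '/') === 'external');
}

// Constructed sample cookie jar (not captured data).
const SAMPLE_COOKIES = [
  { name: 'SESSIONID', domain: '.intranet.example.com' },
  { name: 'prefs', domain: 'news.example.org' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of ['http://intranet.example.com/', 'http://intranet.example.com@evil.net/',
                   'http://0xA.1/', 'javascript:alert(1)']) {
    console.log(t, '->', classify(t), '->', route(t));
  }
  console.log('cookies exported:', cookiesSafeToExport(SAMPLE_COOKIES).map(c => c.name));
}
```

Two design points worth keeping when adapting this: the same classifier must run in both the local and the remote plug (claim 14 requires a plug on each side), since a mismatch between the two lists is exactly what lets a link render in the wrong zone; and the lists of domains and address ranges are the policy the local server of claim 15 distributes, so they should come from that server rather than be hard-coded in the plug as they are here.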
PCT/IL2007/001181 2006-09-26 2007-09-25 A system and a method for secure web browsing using server-based computing configuration WO2008038277A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US84711906P 2006-09-26 2006-09-26
US60/847,119 2006-09-26

Publications (2)

Publication Number Publication Date
WO2008038277A2 true WO2008038277A2 (en) 2008-04-03
WO2008038277A3 WO2008038277A3 (en) 2009-08-27

Family

ID=39230670

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2007/001181 WO2008038277A2 (en) 2006-09-26 2007-09-25 A system and a method for secure web browsing using server-based computing configuration

Country Status (2)

Country Link
IL (1) IL186289A (en)
WO (1) WO2008038277A2 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6286046B1 (en) * 1997-12-22 2001-09-04 International Business Machines Corporation Method of recording and measuring e-business sessions on the world wide web

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312928A (en) * 2012-03-14 2013-09-18 Konica Minolta Business Technologies, Inc. Information processing system, user terminal, information processing device and control method
US20130246509A1 (en) * 2012-03-14 2013-09-19 Konica Minolta Business Technologies, Inc. Information processing system, user terminal, information processing device, and non-transitory computer readable recording medium
EP2639688A3 (en) * 2012-03-14 2014-02-19 Konica Minolta Business Technologies, Inc. Information processing system, user terminal, information processing device and non-transitory computer readable recording medium
US9578084B2 (en) 2012-03-14 2017-02-21 Konica Minolta Business Technologies, Inc. Information processing system for starting up a browser, user terminal, information processing device, and non-transitory computer readable recording medium
KR101509081B1 (en) 2014-02-28 2015-04-08 Douzone Bizon Co., Ltd. Application virtualization system and browser execution method thereof
CN105320536A (en) * 2014-10-15 2016-02-10 Information and Communication Branch of Guizhou Power Grid Co. Terminal management method based on application virtualization
EP3247084B1 (en) 2016-05-17 2019-02-27 Nolve Developments S.L. Server and method for providing secure access to web-based services
US11232167B2 (en) 2016-05-17 2022-01-25 Randed Technologies Partners S.L. Server and method for providing secure access to web-based services

Also Published As

Publication number Publication date
WO2008038277A3 (en) 2009-08-27
IL186289A (en) 2009-02-11

Similar Documents

Publication Publication Date Title
CN109196505B (en) Hardware-based virtualized security isolation
US11363067B2 (en) Distribution and management of services in virtual environments
US10375111B2 (en) Anonymous containers
EP3716108A1 (en) Cloud-based web content processing system providing client threat isolation and data integrity
US8955050B1 (en) Generating secure roaming user profiles over a network
CA2633966C (en) System and method for secure remote desktop access
US10305907B2 (en) Computer device and method for controlling access to a web resource
GB2551792A (en) Elastic outbound gateway
EP3987728B1 (en) Dynamically controlling access to linked content in electronic communications
US8272041B2 (en) Firewall control via process interrogation
RU2327214C2 (en) Systems and techniques of preventing intrusion into network servers
Charanya et al. Levels of security issues in cloud computing
US10032027B2 (en) Information processing apparatus and program for executing an electronic data in an execution environment
WO2008038277A2 (en) A system and a method for secure web browsing using server-based computing configuration
US20200267146A1 (en) Network analytics for network security enforcement
JP6359260B2 (en) Information processing system and firewall device for realizing a secure credit card system in a cloud environment
EP2710780B1 (en) Network access control system and method
US20210385234A1 (en) Dynamic remote browsing
CA3216776A1 (en) Enterprise browser system
CN115550171A (en) API gateway implementation method based on software definition

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 07827155; Country of ref document: EP; Kind code of ref document: A2
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 07827155; Country of ref document: EP; Kind code of ref document: A2