Method and apparatus for managing internetwork and intranetwork activity
Abstract
In accordance with the present invention, a network management program ( 80 ) is provided that manages the communication of data packets between an intranetwork ( 44 ) and an internetwork ( 40 ). An operator of a computer connected to the intranetwork ( 44 ) inputs vital information regarding users of computers connected to the intranetwork ( 44 ), mapping information regarding computers connected to the intranetwork ( 44 ), and policies to be applied against those users and computers, using a graphical user interface (GUI 70 ). The GUI ( 70 ) communicates the vital user information, mapping information and policies to a database ( 72 ) which stores and organizes the vital user information, mapping information and policies. A filter executive ( 76 ) optimizes the policies stored in the database ( 72 ) into a set of rules for each user and passes the rules to a filter engine ( 78 ). The filter engine ( 78 ) filters all outbound data packets transmitted from the intranetwork ( 44 ) to the internetwork ( 40 ) and verifies all inbound data packets from the internetwork ( 40 ) according to the rules provided by the filter executive ( 76 ). The filter executive ( 76 ) also communicates the mapping information stored in the database ( 72 ) to a naming service manager ( 74 ) which further updates the mapping information and returns the updated mapping information to the filter executive ( 76 ). Consequently, the filter engine ( 78 ) filters the data packets according to the most recent mapping information.
Claims
exact text as granted — not AI-modified
1. A computer-readable medium having computer-executable components for managing communication of data packets between an intranetwork and an internetwork, the intranetwork connecting a plurality of computers via a communications medium, the internetwork connecting a plurality of intranetworks via communications media, the computer-readable medium having computer-executable components comprising:
(a) a graphical user interface for allowing an administrator of a computer connected to the intranetwork to input:
(i) user information identifying each user of a computer connected to the intranetwork;
(ii) mapping information mapping each identified user to at least one computer connected to the intranetwork; and
(iii) user policies for each identified user governing the communication of data packets between the identified user and the internetwork;
(b) a database for storing the user information, mapping information and user policies for each identified user provided by the administrator using the graphical user interface;
(c) a filter executive for optimizing the user policies for each identified user stored in the database into a set of rules for each identified user; and
(d) a filter engine for filtering data packets communicated between the intranetwork and the internetwork according to the set of rules for each identified user optimized by the filter executive and the mapping information for each identified user.
2. The computer-readable medium of claim 1 , wherein the mapping information for each identified user includes:
(a) a computer-to-user mapping which identifies a login name of the identified user and a computer name of the computer to which the identified user is assigned; and
(b) a computer-to-address mapping which identifies the computer name of the computer to which the identified user is assigned and the internetwork protocol address of the computer.
3. The computer-readable medium of claim 2 , wherein the filter engine filters data packets by:
for each data packet communicated between the intranetwork and the internetwork,
(a) scanning the mapping information for each identified user for an internetwork protocol address of a mapped computer assigned to an identified user that matches an address of a computer from which the data packet was sent;
(b) comparing the data packet to the set of rules for the identified user assigned to the mapped computer; and
(c) if the data packet matches at least one rule of the set of rules, returning a filter result for the at least one rule, wherein the filter result indicates whether the filter engine is to deny delivery of the data packet.
4. The computer-readable medium of claim 3 , wherein the filter engine further filters the data packet by returning a default result for the at least one rule, if the data packet does not match at least one rule of the set of rules, wherein the default result indicates whether the filter engine is to deny delivery of the data packet.
5. The computer-readable medium of claim 4 , wherein the filter engine also returns a default result if an internetwork protocol address of a mapped computer is not found that matches the address of the computer from which the data packet was sent.
6. The computer-readable medium of claim 5 , wherein the filter result and the default result further indicate whether the filter engine is to log the data packet.
7. The computer-readable medium of claim 5 , wherein the filter result and the default result further indicate whether the identified user assigned to the mapped computer whose internetwork protocol address matches the address of the computer from which the data packet was sent, is to be notified that the data packet has matched at least one rule of the set of rules.
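The decision flow of claims 2 through 7 (resolve the packet's source address to a computer, the computer to a user, evaluate that user's rules, and fall back to a default result when no rule matches or no mapping exists) as an added Python example. This is illustrative code written for this page, not the patent's implementation or any vendor's product; the data structures, the sample mappings and traffic, the first-match rule order, and the choice of a default-deny default result are assumptions. The practitioner's caveats are visible in the code: attribution is entirely by source address, so the engine is only as trustworthy as the currency of the computer-to-address and computer-to-user mappings (the job the naming service manager of claims 23 to 25 exists for), and a host that is not mapped at all lands in the default path, which is why that default should be the conservative one.

```python
"""Added example: a minimal filter engine following claims 2-7.

Illustrative code for this page, not the patented implementation. The
structures, names, sample mappings and packets are assumptions; the flow
(IP -> computer -> user -> rules -> filter result, else default result)
is what the claims describe.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class FilterResult:
    deny: bool                  # claim 3(c): deny delivery?
    log: bool = False           # claim 6: log the packet?
    notify: bool = False        # claim 7: tell the user a rule matched?
    rule: Optional[str] = None  # name of the rule that fired; None for default


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_host: str
    protocol: str        # application protocol, e.g. "http", "ftp"
    filename: str = ""   # name of a file carried in the packet, if any


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    result: FilterResult


# Claim 2: computer-to-user and computer-to-address mappings (constructed).
COMPUTER_TO_USER = {"ws-alice": "alice", "ws-bob": "bob"}
COMPUTER_TO_ADDRESS = {"ws-alice": "10.0.0.11", "ws-bob": "10.0.0.12"}

# Per-user rule sets, as the filter executive would hand them over.
# Assumption: rules are evaluated in order and the first match wins,
# so the more specific ".exe" rule is listed before the broad HTTP allow.
RULES = {
    "alice": [
        Rule("no-exe", lambda p: p.filename.lower().endswith(".exe"),
             FilterResult(deny=True, log=True, notify=True, rule="no-exe")),
        Rule("allow-http", lambda p: p.protocol == "http",
             FilterResult(deny=False, log=False, rule="allow-http")),
    ],
    "bob": [
        Rule("no-ftp", lambda p: p.protocol == "ftp",
             FilterResult(deny=True, log=True, rule="no-ftp")),
    ],
}

# Claims 4-5: the default result, returned when no rule matches or the
# source address maps to no user. Default-deny is an assumption here; the
# claims only say the default result states whether to deny.
DEFAULT_RESULT = FilterResult(deny=True, log=True, notify=False, rule=None)


def user_for_address(ip: str) -> Optional[str]:
    """Claim 3(a): source address -> mapped computer -> assigned user."""
    for computer, addr in COMPUTER_TO_ADDRESS.items():
        if addr == ip:
            return COMPUTER_TO_USER.get(computer)
    return None


def filter_packet(pkt: Packet) -> FilterResult:
    """Claims 3-5: return the matching rule's result, else the default."""
    user = user_for_address(pkt.src_ip)
    if user is None:                    # claim 5: unmapped host
        return DEFAULT_RESULT
    for rule in RULES.get(user, []):    # claim 3(b)
        if rule.matches(pkt):
            return rule.result          # claim 3(c)
    return DEFAULT_RESULT               # claim 4: no rule matched


if __name__ == "__main__":
    # Constructed sample traffic: one hit per path through the engine.
    for pkt in (Packet("10.0.0.11", "files.example", "http", "setup.exe"),
                Packet("10.0.0.11", "www.example", "http"),
                Packet("10.0.0.12", "ftp.example", "ftp"),
                Packet("10.0.0.99", "www.example", "http")):
        print(pkt.src_ip, pkt.protocol, pkt.filename or "-", filter_packet(pkt))
```

Swapping the order of alice's two rules would let `setup.exe` through over HTTP, which is the usual failure mode of first-match engines; a real filter executive would either order rules deterministically (most specific first) or merge them into a single decision table.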
8. The computer-readable medium of claim 2 , wherein each user policy input by the administrator for each identified user comprises at least one of the following:
(a) a file type policy indicating whether a file having a particular file extension may be communicated between the identified user and the internetwork;
(b) an application protocol policy indicating whether a particular application protocol may be used to transfer data between the identified user and the internetwork;
(c) a site policy indicating whether the identified user may communicate with a particular computer site located in the internetwork; and
(d) a quota policy indicating how much data may be communicated between the identified user and the internetwork during a given time interval.
9. The computer-readable medium of claim 8 , wherein the database periodically calculates a quota violation for each identified user having a quota policy, wherein the quota violation indicates whether an excessive amount of data has been communicated between the identified user and the internetwork, and wherein the quota violation for each identified user having a quota policy is calculated by:
(a) summing a total number of data bytes in each data packet communicated between the identified user and the internetwork during a given time interval; and
(b) comparing the summation of data bytes to the quota policy for the identified user.
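The quota calculation of claim 9 (sum the bytes of every packet a user exchanged with the internetwork during an interval, then compare the sum with that user's quota policy) as an added Python example. This is illustrative code written for this page, not the patent's implementation; the packet-log layout, the fixed-interval bucketing, and the sample records and quotas are assumptions.

```python
"""Added example: the periodic quota-violation calculation of claim 9.

Illustrative code for this page, not the patented implementation; the
packet-log layout, the fixed-interval bucketing and the sample records
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

# Constructed packet log: (timestamp, user, direction, bytes). Claim 9(a)
# counts data "communicated between the identified user and the
# internetwork", so inbound and outbound bytes are summed together.
PACKET_LOG = [
    (datetime(2024, 1, 1, 9, 0), "alice", "out", 1_500),
    (datetime(2024, 1, 1, 9, 5), "alice", "in", 900_000),
    (datetime(2024, 1, 1, 9, 10), "alice", "in", 200_000),
    (datetime(2024, 1, 1, 9, 30), "bob", "in", 50_000),
    (datetime(2024, 1, 1, 11, 0), "alice", "in", 800_000),   # a later interval
]

# Quota policies: maximum bytes per interval for users that have one.
QUOTA_POLICY = {"alice": 1_000_000, "bob": 5_000_000}


def usage_per_interval(log: Iterable[tuple] = PACKET_LOG,
                       interval: timedelta = timedelta(hours=1)) -> Dict[Tuple[str, str], int]:
    """Claim 9(a): sum the bytes of every packet per user within each
    fixed interval. Keys are (user, interval start as an ISO string)."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, user, _direction, nbytes in log:
        midnight = datetime(ts.year, ts.month, ts.day)
        # floor the timestamp to the start of its interval
        bucket = midnight + ((ts - midnight) // interval) * interval
        totals[(user, bucket.isoformat(timespec="minutes"))] += nbytes
    return dict(totals)


def quota_violations(log: Iterable[tuple] = PACKET_LOG,
                     interval: timedelta = timedelta(hours=1)) -> Dict[Tuple[str, str], bool]:
    """Claim 9(b): compare each user's per-interval total with the quota
    policy; True marks an interval in which the quota was exceeded."""
    return {
        key: total > QUOTA_POLICY[key[0]]
        for key, total in usage_per_interval(log, interval).items()
        if key[0] in QUOTA_POLICY
    }


if __name__ == "__main__":
    for (user, bucket), exceeded in sorted(quota_violations().items()):
        print(f"{bucket} {user:6s} {'VIOLATION' if exceeded else 'ok'}")
```

Fixed buckets are simple and cheap but can be straddled: two transfers placed just either side of a boundary each stay under quota while the pair does not. A sliding window over the same per-packet records closes that gap at the cost of keeping the records around.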
10. The computer-readable medium of claim 2 , wherein the graphical user interface further allows the administrator to organize the identified users into a hierarchy of groups having a root group containing all identified users and a plurality of subgroups, each subgroup containing at least one identified user.
11. The computer-readable medium of claim 10 , wherein the graphical user interface further allows the administrator to input at least one user policy as a group policy, wherein the group policy is applied against a group of the hierarchy such that each identified user contained in the group inherits the group policy.
12. The computer-readable medium of claim 11 , wherein if the group policy inherited by the identified user conflicts with a user policy for the identified user, the database resolves the conflict such that only one of the user policy and the group policy is applied against the user.
13. The computer-readable medium of claim 12 , wherein the database prepares the user and group policies inputted by the administrator for optimization by the filter executive by:
(a) collecting all of the inputted user policies for each identified user;
(b) collecting all of the inputted group policies inherited by each identified user; and
(c) storing each group policy and each user policy for each identified user as an individual user policy to be applied directly against the identified user.
14. The computer-readable medium of claim 13 , wherein the filter executive optimizes the individual user policies into the set of rules for each identified user by defining each rule of the set of rules from at least one corresponding individual user policy stored in the database, wherein each rule dictates how the filter engine is to filter a data packet which matches the rule.
15. The computer-readable medium of claim 14 , wherein each rule in the set of rules for each identified user comprises at least one of the following:
(a) a file extension rule, which dictates how the filter engine should filter a matching data packet communicated between the identified user and the internetwork containing information from a file having a particular file extension;
(b) an application protocol rule, which dictates how the filter engine should filter a matching data packet communicated between the identified user and the internetwork using a particular application protocol; and
(c) a combined site and protocol rule, which dictates how the filter engine should filter a matching data packet communicated between the identified user and a particular internetwork site using a particular application protocol.
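Claims 10 through 15 describe a pipeline: users sit in a hierarchy of groups under a root group, group policies are inherited, a conflict between an inherited group policy and a user policy is resolved so that only one applies, the survivors are stored as individual user policies, and the filter executive turns each into a rule. The following added Python example walks a user through that pipeline. It is illustrative code written for this page, not the patent's implementation; the policy schema, the sample hierarchy, and the "most specific source wins" conflict rule are assumptions (claim 12 only says one of the two policies is applied, not which).

```python
"""Added example: group hierarchy, policy inheritance and compilation
into rules (claims 10-15).

Illustrative code for this page, not the patented implementation. The
policy schema, the sample data and the conflict rule (user policy beats
nearest group, nearest group beats root) are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    kind: str                        # "file_type" | "app_protocol" | "site"
    target: str                      # ".exe", "ftp", "git.example", ...
    allow: bool
    protocol: Optional[str] = None   # site policies: protocol used to reach the site


# Claim 10: a root group containing everyone, subgroups beneath it.
GROUPS = {"root": None, "engineering": "root", "interns": "engineering"}
USER_GROUP = {"alice": "engineering", "carol": "interns"}

# Claim 11: group policies, inherited by every user in the group or below.
GROUP_POLICIES: Dict[str, List[Policy]] = {
    "root": [Policy("app_protocol", "ftp", allow=False)],
    "engineering": [Policy("file_type", ".exe", allow=True),
                    Policy("site", "git.example", allow=True, protocol="https")],
    "interns": [Policy("file_type", ".exe", allow=False)],
}
# Per-user policies; alice's FTP allow conflicts with the root deny.
USER_POLICIES: Dict[str, List[Policy]] = {
    "alice": [Policy("app_protocol", "ftp", allow=True)],
}


def ancestry(group: str) -> List[str]:
    """The user's own group first, then each parent up to root."""
    chain = []
    while group is not None:
        chain.append(group)
        group = GROUPS[group]
    return chain


def individual_policies(user: str) -> List[Policy]:
    """Claims 12-13: collect user policies and inherited group policies,
    keep one policy per (kind, target, protocol). Most specific source
    wins, so the first policy seen for a key is kept."""
    resolved: Dict[Tuple, Policy] = {}
    sources = [USER_POLICIES.get(user, [])]
    sources += [GROUP_POLICIES.get(g, []) for g in ancestry(USER_GROUP[user])]
    for policies in sources:
        for p in policies:
            resolved.setdefault((p.kind, p.target, p.protocol), p)
    return list(resolved.values())


def compile_rules(user: str) -> List[dict]:
    """Claims 14-15: one rule per individual policy, each stating how the
    filter engine treats a packet that matches it."""
    rules = []
    for p in individual_policies(user):
        action = "allow" if p.allow else "deny"
        if p.kind == "file_type":
            rules.append({"rule": "file_extension", "ext": p.target, "action": action})
        elif p.kind == "app_protocol":
            rules.append({"rule": "application_protocol", "protocol": p.target,
                          "action": action})
        elif p.kind == "site":
            rules.append({"rule": "site_and_protocol", "site": p.target,
                          "protocol": p.protocol, "action": action})
    return rules


if __name__ == "__main__":
    for user in USER_GROUP:
        print(user, "->", ancestry(USER_GROUP[user]))
        for rule in compile_rules(user):
            print("   ", rule)
```

Under the chosen precedence, a user policy can relax a root-level deny (alice regains FTP). If the organisation's intent is that root-group denies are floors nobody can lift, the conflict rule has to be the other way round for deny policies; that choice belongs in the design, not left to whichever order the database happens to return policies in.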
16. The computer-readable medium of claim 2 , wherein the graphical user interface further allows the administrator to input system policies for all identified users governing the communication of data packets between all identified users and the internetwork.
17. The computer-readable medium of claim 16 , wherein the system policies include system default policies, and wherein the system default policies include:
(a) an enable logging policy indicating whether the filter engine is to log a data packet which the filter engine has allowed to be delivered between the intranetwork and the internetwork;
(b) a simulate rule enforcement policy indicating whether the filter engine is to simulate filtering of a data packet in accordance with the set of user rules for each identified user; and
(c) a violation message policy indicating whether the filter engine is to send a message to the identified user indicating how the filter engine has filtered a data packet.
18. The computer-readable medium of claim 17 , wherein the filter executive optimizes the system default policies into a set of system default rules for all identified users by:
(a) defining a log-on-off rule from the enable logging policy which dictates whether the filter engine is to log a data packet which the filter engine has allowed to be delivered between the intranetwork and the internetwork;
(b) defining a log-no-block rule from the simulate rule enforcement policy which dictates whether the filter engine is to simulate filtering of a data packet in accordance with the set of user rules for each identified user by logging and delivering the data packet regardless of how the filter engine filtered the data packet; and
(c) defining a notify-no-notify rule from the violation message policy which dictates whether the filter engine is to send a message to the identified user indicating how the filter engine filtered a data packet.
19. The computer-readable medium of claim 18 , wherein the system policies further include global network protocol policies, wherein each global network protocol policy indicates whether a particular network protocol may be used to transfer data between all of the identified users of the plurality of computers connected to the intranetwork and the internetwork.
20. The computer-readable medium of claim 19 , wherein the filter executive optimizes the global network protocol policies into a set of inbound and outbound global network protocol rules for all identified users by:
(a) defining an inbound global network protocol rule from each global network protocol policy which dictates how the filter engine should filter a data packet communicated from the internetwork to an identified user using a particular network protocol; and
(b) defining an outbound global network protocol rule from each global network protocol policy which dictates how the filter engine should filter a data packet communicated from an identified user to the internetwork using a particular network protocol.
21. The computer-readable medium of claim 20 , wherein the system policies further include time schedule policies, wherein each time schedule policy indicates a time schedule during which data may be communicated between all of the identified users and the internetwork using a particular application protocol.
22. The computer-readable medium of claim 21 , wherein the filter executive optimizes the time schedule policies into a set of timer rules for all identified users by defining a timer rule from each time schedule policy which dictates how the filter engine should filter a data packet communicated between the identified user and the internetwork during a particular time interval using a particular application protocol.
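Claims 17 through 22 add three system-wide layers on top of the per-user rules: the system default rules (log-on-off, log-no-block, notify-no-notify), a pair of inbound and outbound rules derived from each global network protocol policy, and a timer rule per time schedule policy. The added Python example below compiles such policies into rule tables and applies them to a packet, including the log-no-block behaviour of claim 18(b), where a packet that would be blocked is logged and delivered anyway. It is illustrative code written for this page, not the patent's implementation; the policy schema, the order in which the checks run, the representation of times as zero-padded "HH:MM" strings, and the sample values are assumptions.

```python
"""Added example: compiling the system policies of claims 17-22 into
system default rules, global inbound/outbound network protocol rules and
timer rules, then applying them to a packet.

Illustrative code for this page, not the patented implementation; the
policy schema, the order of checks and the sample values are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SystemPolicies:
    enable_logging: bool                        # claim 17(a): log delivered packets?
    simulate_enforcement: bool                  # claim 17(b): log but never block?
    violation_message: bool                     # claim 17(c): tell the user?
    network_protocols: List[Tuple[str, bool]]   # claim 19: (protocol, allowed)
    schedules: List[Tuple[str, str, str]]       # claim 21: (app protocol, start, end)


@dataclass(frozen=True)
class Decision:
    deliver: bool
    log: bool
    notify: bool
    reason: str


def compile_system_rules(p: SystemPolicies) -> Dict:
    """Claims 18, 20 and 22: flat rule tables for the filter engine.
    Claim 20 derives both an inbound and an outbound rule from each
    network protocol policy, so the two tables start out identical."""
    protocol_table = {proto: allowed for proto, allowed in p.network_protocols}
    return {
        "log_on_off": p.enable_logging,            # claim 18(a)
        "log_no_block": p.simulate_enforcement,    # claim 18(b)
        "notify_no_notify": p.violation_message,   # claim 18(c)
        "inbound": dict(protocol_table),           # claim 20(a)
        "outbound": dict(protocol_table),          # claim 20(b)
        "timers": {app: (start, end) for app, start, end in p.schedules},  # claim 22
    }


def _verdict(rules: Dict, allowed: bool, reason: str) -> Decision:
    """Apply the system default rules to an allow/deny outcome."""
    if allowed:
        return Decision(True, rules["log_on_off"], False, reason)
    if rules["log_no_block"]:
        # claim 18(b): simulated enforcement logs the violation, delivers anyway
        return Decision(True, True, rules["notify_no_notify"], reason + " (simulated)")
    return Decision(False, True, rules["notify_no_notify"], reason)


def apply_system_rules(rules: Dict, direction: str, net_proto: str,
                       app_proto: str, now: str) -> Decision:
    """direction is "inbound" or "outbound"; now is zero-padded "HH:MM",
    which compares correctly as a plain string."""
    table = rules[direction]
    if net_proto in table and not table[net_proto]:            # global protocol rule
        return _verdict(rules, False, f"{direction} {net_proto} not permitted")
    if app_proto in rules["timers"]:                            # timer rule
        start, end = rules["timers"][app_proto]
        if not (start <= now < end):
            return _verdict(rules, False, f"{app_proto} outside schedule {start}-{end}")
    return _verdict(rules, True, "permitted")


# Constructed policies: ICMP blocked globally, HTTP only during working hours.
POLICIES = SystemPolicies(
    enable_logging=True, simulate_enforcement=False, violation_message=True,
    network_protocols=[("tcp", True), ("udp", True), ("icmp", False)],
    schedules=[("http", "08:00", "18:00")],
)
RULES = compile_system_rules(POLICIES)
SIMULATED_RULES = compile_system_rules(replace(POLICIES, simulate_enforcement=True))

if __name__ == "__main__":
    for args in (("inbound", "icmp", "", "10:00"),
                 ("outbound", "tcp", "http", "20:30"),
                 ("outbound", "tcp", "http", "12:00")):
        print("enforced :", args, apply_system_rules(RULES, *args))
        print("simulated:", args, apply_system_rules(SIMULATED_RULES, *args))
```

The log-no-block rule is the monitor-only mode used to shake out a policy before turning it on; the check worth automating is that it is off in production, because with it set every deny in the rule set is silently downgraded to a log line.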
23. The computer-readable medium of claim 2 having a further computer-executable component comprising a naming service manager for updating the mapping information for each identified user inputted by the administrator using the graphical user interface.
24. The computer-readable medium of claim 23 , wherein the naming service manager updates the mapping information by:
(a) collecting updated computer-to-user mappings as the identified user logs in to and logs out of computers connected to the intranetwork; and
(b) replacing outdated computer-to-user mappings used by the filter executive with the updated computer-to-user mappings collected from the at least one naming service agent.
25. The computer-readable medium of claim 23 , wherein the naming service manager updates the mapping information for each identified user by:
(a) collecting updated computer-to-address mappings as the address of the at least one computer to which the identified user is assigned changes; and
(b) replacing outdated computer-to-address mappings used by the filter executive with the updated computer-to-address mappings collected from the at least one naming service agent.
26. The computer-readable medium of claim 1 , wherein a plurality of administrators are allowed to input user information, mapping information and user policies using the graphical user interface, and wherein each administrator is assigned an administration level which determines what type of user information, mapping information and user policies the administrator is allowed to input using the graphical user interface.
27. An apparatus for managing communication of data packets between an intranetwork and an internetwork, the intranetwork connecting a plurality of computers via a communications medium, the internetwork connecting a plurality of intranetworks via communications media, the apparatus comprising:
(a) a storage medium for storing:
(i) a database which includes user information, mapping information and policies for each user of a computer connected to the intranetwork, wherein the user information identifies each user, wherein the mapping information maps each user to a computer connected to the intranetwork, and wherein the policies govern the communication of data packets between each user and the internetwork;
(ii) a filter executive which optimizes the user policies for each user stored in the database into a set of rules for each user; and
(iii) a filter engine which filters data packets communicated between the intranetwork and the internetwork according to the set of rules for each user optimized by the filter executive and the mapping information for each user; and
(b) a processing unit electronically coupled to the storage medium for executing program instructions which maintain the database, implement the filter executive and implement the filter engine.
28. The apparatus of claim 27 , wherein the mapping information mapping each user to a computer connected to the intranetwork includes:
(a) a computer-to-user mapping which identifies a login name of the user and a computer name of the computer to which the user is assigned; and
(b) a computer-to-address mapping which identifies the computer name of the computer to which the user is assigned and the internetwork protocol address of the computer.
29. The apparatus of claim 28 , wherein the processing unit executes program instructions which cause the filter engine to filter data packets by:
for each data packet communicated between the intranetwork and the internetwork,
(a) scanning the mapping information for each user for an internetwork protocol address of a mapped computer assigned to a user that matches an address of a computer from which the data packet was sent;
(b) comparing the data packet to the set of rules for the user assigned to the mapped computer; and
(c) if the data packet matches at least one rule of the set of rules, returning a filter result for the at least one rule, wherein the filter result indicates whether the filter engine is to deny delivery of the data packet.
30. The apparatus of claim 29 , wherein the processing unit executes program instructions which cause the filter engine to further filter the data packet by returning a default result for the at least one rule, if the data packet does not match at least one rule of the set of rules, wherein the default result indicates whether the filter engine is to deny delivery of the data packet.
31. The apparatus of claim 30 , wherein the filter engine also returns a default result if an internetwork protocol address of a mapped computer is not found that matches the address of the computer from which the data packet was sent.
32. The apparatus of claim 31 , wherein the filter result and the default result further indicate whether the filter engine is to log the data packet.
33. The apparatus of claim 31 , wherein the filter result and the default result further indicate whether the user assigned to the mapped computer whose internetwork protocol address matches the address of the computer from which the data packet was sent, is to be notified that the data packet has matched at least one rule of the set of rules.
34. The apparatus of claim 28 , further comprising an input device for allowing an administrator to input the user information, the mapping information and the policies for each user.
35. The apparatus of claim 34 , wherein the input device further allows the administrator to organize the users into a hierarchy of groups having a root group containing all users and a plurality of subgroups, each subgroup containing at least one user.
36. The apparatus of claim 35 , wherein the input device further allows the administrator to input at least one user policy against each user, wherein the user policy governs the communication of data packets between the user and the internetwork.
37. The apparatus of claim 36 , wherein the input device further allows the administrator to input at least one group policy, wherein the group policy is applied against a group of the hierarchy such that each user contained in the group inherits the group policy, and wherein the group policy governs the communication of data packets between each user contained in the group and the internetwork.
38. The apparatus of claim 37 , wherein if the group policy inherited by the user conflicts with a user policy for the user, the database resolves the conflict such that only one of the user policy and the group policy is applied against the user.
39. The apparatus of claim 37 , wherein the processing unit executes program instructions which cause the filter executive to optimize the user policies and the group policies into the set of rules for each user by defining each rule of the set of rules from at least one corresponding individual user policy stored in the database, wherein each rule dictates how the filter engine is to filter a data packet communicated between the user and the internetwork which matches the rule.
40. The apparatus of claim 39 , wherein each user policy and each group policy from which each user rule is defined comprise at least one of the following:
(a) a file type policy indicating whether a file having a particular file extension may be communicated between the user and the internetwork;
(b) an application protocol policy indicating whether information transferred using a particular application protocol may be communicated between the user and the internetwork;
(c) a site policy indicating whether the information may be communicated between the user and a particular computer site located in the internetwork; and
(d) a quota policy indicating how much information may be communicated between the user and the internetwork during a given time interval.
41. The apparatus of claim 40 , wherein the processing unit executes program instructions which cause the filter executive to establish a set of user rules for each user by:
(a) defining a file extension rule from each file type policy, wherein the file extension rule dictates whether a data packet containing information from a file having a particular file extension may be communicated between the user and the internetwork;
(b) defining an application protocol rule from each application protocol policy, wherein the application protocol rule dictates whether a data packet communicated using a particular application protocol may be communicated between the user and the internetwork; and
(c) defining a combined site and protocol rule from each site policy and application protocol policy, wherein the combined site and protocol rule dictates whether a data packet may be communicated between the user and a particular computer site located in the internetwork.
42. The apparatus of claim 41 , wherein the input device further allows the administrator to input a set of system default policies applied against all users contained in the root group of the system hierarchy, wherein each system default policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork.
43. The apparatus of claim 42 , wherein the processing unit executes program instructions which cause the filter executive to establish a set of system default rules for all users contained in the root group of the system hierarchy from the set of system default policies, wherein the set of system default rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork.
44. The apparatus of claim 43 , wherein the input device further allows the administrator to input a set of global network policies applied against all users contained in the root group of the system hierarchy, wherein each global network policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork using a particular network protocol.
45. The apparatus of claim 44 , wherein the processing unit executes program instructions which cause the filter executive to establish a set of global network protocol rules for all users contained in the root group of the system hierarchy from the set of global network policies, wherein the set of global network rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork using the particular network protocol.
46. The apparatus of claim 45 , wherein the input device further allows the administrator to input a set of time schedule policies applied against all users contained in the root group of the system hierarchy, wherein each time schedule policy indicates a time schedule during which certain information may be communicated between any of the users contained in the root group and the internetwork using a particular application protocol.
47. The apparatus of claim 46 , wherein the processing unit executes program instructions which cause the filter executive to establish a set of timer rules for all users contained in the root group of the system hierarchy from the set of time schedule policies, wherein the set of timer rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork during the time schedule using the particular application protocol.
48. The apparatus of claim 28 , wherein the database further stores a naming service manager for updating the mapping information for each user inputted by the administrator using the input device, and wherein the processing unit executes program instructions to implement the naming service manager.
49. The apparatus of claim 48 , wherein the processing unit executes program instructions causing the naming service manager to update the mapping information by:
(a) collecting updated computer-to-user mappings; and
(b) replacing outdated computer-to-user mappings used by the filter executive with the updated computer-to-user mappings collected from the at least one naming service agent.
50. The apparatus of claim 49 , wherein the processing unit executes program instructions causing the naming service manager to update the mapping information by:
(a) collecting updated computer-to-address mappings; and
(b) replacing outdated computer-to-address mappings used by the filter executive with the updated computer-to-address mappings collected from the at least one naming service agent.
51. A method for managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising:
(a) establishing one or more policies for each user of the plurality of computers;
(b) optimizing the one or more policies so as to establish a set of user rules for each user, the user rules governing the communication of information between the user and the internetwork, wherein at least one of the user rules comprises a rule based on a usage quota for a user;
(c) identifying each user of the plurality of computers connected to the intranetwork;
(d) mapping each user to at least one computer connected to the intranetwork;
(c) establishing a set of user rules for each user governing the communication of information between the user and the internetwork; and
(e) filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user.
52. The method of claim 51 , wherein each user is mapped to at least one computer by:
(a) identifying the at least one computer by host name and address; and
(b) assigning the identified at least one computer to the user.
53. The method of claim 52 , further comprising adding each user to a system hierarchy of groups including a root group and a plurality of subgroups, wherein the root group contains each user and wherein each subgroup contains at least one user.
54. The method of claim 53 , further comprising applying at least one user policy against each user, wherein the user policy indicates whether certain information may be communicated between the user and the internetwork.
55. The method of claim 54 , further comprising applying at least one group policy against a group of the system hierarchy such that each user contained in the group of the system hierarchy inherits the group policy, wherein the group policy indicates whether certain information may be communicated between the user and the internetwork.
56. The method of claim 55 , wherein establishing a set of user rules for each user comprises:
(a) defining a user rule from each user policy applied against the user, wherein the user rule dictates whether a data packet of information may be communicated between the user and the internetwork; and
(b) defining a user rule from each group policy inherited by the user wherein the user rule dictates whether a data packet of information may be communicated between the user and the internetwork.
57. The method of claim 56 , wherein the user policy from which the user rule is defined comprises at least one of the following:
(a) a file type policy indicating whether a file having a particular file extension may be communicated between the user and the internetwork;
(b) an application protocol policy indicating whether information transferred using a particular application protocol may be communicated between the user and the internetwork;
(c) a site policy indicating whether the information may be communicated between the user and a particular computer site located in the internetwork; and
(d) a quota policy indicating how much information may be communicated between the user and the internetwork during a given time interval.
58. The method of claim 57 , wherein establishing a set of user rules for each user comprises:
(a) defining a file extension rule from each file type policy, wherein the file extension rule dictates whether a data packet containing information from a file having a particular file extension may be communicated between the user and the internetwork;
(b) defining an application protocol rule from each application protocol policy, wherein the application protocol rule dictates whether a data packet communicated using a particular application protocol may be communicated between the user and the internetwork; and
(c) defining a combined site and protocol rule from each site policy and application protocol policy, wherein the combined site and protocol rule dictates whether a data packet may be communicated between the user and a particular computer site located in the internetwork.
59. The method of claim 56 , further comprising applying a set of system default policies applied against all users contained in the root group of the system hierarchy, wherein each system default policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork.
60. The method of claim 59 , further comprising establishing a set of system default rules for all users contained in the root group of the system hierarchy from the set of system default policies, wherein the set of system default rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork.
61. The method of claim 60 , further comprising applying a set of global network policies applied against all users contained in the root group of the system hierarchy, wherein each global network policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork using a particular network protocol.
62. The method of claim 61 , further comprising establishing a set of inbound and outbound global network protocol rules for all users contained in the root group of the system hierarchy from the set of global network policies, wherein the set of inbound global network rules dictate whether a data packet of information may be communicated from the internetwork to any of the users contained in the root group using a particular network protocol; and wherein the outbound global network rules dictate whether a data packet of information may be communicated from any of the users contained in the root group to the internetwork using a particular network protocol.
63. The method of claim 62 , further comprising applying a set of time schedule policies applied against all users contained in the root group of the system hierarchy, wherein each time schedule policy indicates a time schedule during which certain information may be communicated between any of the users contained in the root group and the internetwork using a particular application protocol.
64. The method of claim 63 , further comprising establishing a set of timer rules for all users contained in the root group of the system hierarchy from the set of time schedule policies, wherein the set of timer rules comprises a set of inbound global network rules and a set of outbound global network rules, and wherein the timer rules dictate whether a data packet containing said information may be communicated between any of the users contained in the root group and the internetwork during the time schedule using the particular application protocol.
65. The method of claim 64 , wherein filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork comprises:
(a) intercepting a data packet containing information as the data packet is communicated between a user and the internetwork; (b) if a set of inbound global network protocol rules has been established for all users, comparing the data packet to the set of inbound global network protocol rules; (c) if the data packet matches at least one inbound global network protocol rule, returning a filter result indicating whether to deny delivery of the data packet; and (d) if the data packet does not match at least one inbound global network protocol rule, returning a default result indicating whether to deny delivery of the data packet.
66. The method of claim 65 , wherein filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork further comprises:
(a) if a set of inbound global network protocol rules has not been established for all users, determining whether a set of outbound global network protocol rules has been established for all users; (b) if a set of outbound global network protocol rules has been established for all users, comparing the data packet to the set of outbound global network protocol rules; (c) if the data packet matches at least one outbound global network protocol rule, returning a filter result indicating whether to deny delivery of the data packet; and (d) if the data packet does not match at least one outbound global network protocol rule, returning a default result indicating whether to deny delivery of the data packet.
67. The method of claim 66 , wherein filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork further comprises:
(a) if a set of outbound global network protocol rules has not been established for all users, comparing the data packet to the set of user rules; (b) if the data packet matches at least one user rule in the set of user rules, returning a filter result indicating whether to deny delivery of the data packet; and (c) if the data packet does not match at least one user rule in the set of user rules, returning a default result indicating whether to deny delivery of the data packet.
68. The method of claim 67 , wherein comparing the data packet to the set of user rules comprises:
(a) scanning the mapping information for each user for an internetwork protocol address of a mapped computer assigned to a user which matches an address of a computer from which the data packet was sent; and (b) comparing the data packet to the set of user rules for the user assigned to the mapped computer.
69. The method of claim 68 , wherein filtering the information further comprises, returning a default result if the address of the computer which sent the data packet does not match an internetwork protocol address of a mapped computer.
70. The method of claim 51 , further comprising updating the mapping information for each user as the user logs out of the at least one computer to which the user is assigned.
71. The method of claim 70 , further comprising updating the mapping information for each user as the user logs in to another computer.
72. The method of claim 71 , further comprising updating the mapping information for each user as the address of the at least one computer to which the user is assigned changes.
73. The method of claim 51 , wherein the information comprises an electronic mail.
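Claims 65 through 72 describe a decision cascade (global inbound rules, then global outbound rules, then per-user rules resolved through the IP-to-user mapping, with a default result whenever nothing matches or the address is unmapped) and the three events that keep the mapping current (logout, login elsewhere, address change). The following Python is an added illustration of that cascade and is not code from the patent; the Packet and Rule shapes, the use of the destination address to identify the intranetwork computer for inbound packets, and the scenario data (user "alice", addresses in 10.0.0.0/8 and 198.51.100.0/24) are assumptions made for the example. The fall_through switch is also an addition: with it off, the engine follows the claim wording literally, which means an established global rule set that does not match returns the default result without ever consulting the user's own rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """The fields of an intercepted data packet that the rules look at."""
    src_ip: str
    dst_ip: str
    protocol: str      # network protocol name, e.g. "tcp" or "udp"
    dst_port: int
    inbound: bool      # True when the packet travels internetwork -> intranetwork


@dataclass(frozen=True)
class Rule:
    """One rule produced from a policy; a None field matches any value."""
    protocol: Optional[str] = None
    port: Optional[int] = None
    deny: bool = True   # the "filter result" returned when this rule matches

    def matches(self, pkt: Packet) -> bool:
        return ((self.protocol is None or self.protocol == pkt.protocol)
                and (self.port is None or self.port == pkt.dst_port))


class FilterEngine:
    """Evaluates the cascade of claims 65-69 over an IP-to-user mapping table."""

    def __init__(self, default_deny: bool = False, fall_through: bool = False):
        self.mapping: Dict[str, str] = {}                  # IP address -> user
        self.user_rules: Dict[str, List[Rule]] = {}        # user -> optimized rules
        self.inbound_global: Optional[List[Rule]] = None   # None means not established
        self.outbound_global: Optional[List[Rule]] = None
        self.default_deny = default_deny                   # the "default result"
        # fall_through=False follows the claim text literally: once a global rule
        # set exists, a non-matching packet gets the default result and the user
        # rules are never reached. fall_through=True keeps descending instead.
        self.fall_through = fall_through

    # Mapping maintenance, one method per event named in claims 70-72.
    def login(self, user: str, ip: str) -> None:
        self.mapping[ip] = user

    def logout(self, user: str) -> None:
        self.mapping = {ip: u for ip, u in self.mapping.items() if u != user}

    def address_changed(self, user: str, new_ip: str) -> None:
        self.logout(user)
        self.login(user, new_ip)

    def user_for(self, pkt: Packet) -> Optional[str]:
        # Claim 68 scans the mapping for the address of the sending computer. For
        # inbound packets the intranetwork computer is the destination, so the
        # lookup keys on dst_ip there (an assumption the claim does not spell out).
        addr = pkt.dst_ip if pkt.inbound else pkt.src_ip
        return self.mapping.get(addr)

    @staticmethod
    def _first_match(rules: List[Rule], pkt: Packet) -> Optional[bool]:
        for rule in rules:
            if rule.matches(pkt):
                return rule.deny
        return None

    def filter(self, pkt: Packet) -> bool:
        """Return True to deny delivery of the packet, False to allow it."""
        for global_rules in (self.inbound_global, self.outbound_global):
            if global_rules is None:
                continue                        # not established: try the next set
            result = self._first_match(global_rules, pkt)
            if result is not None:
                return result                   # filter result
            if not self.fall_through:
                return self.default_deny        # default result, per the claim text
        user = self.user_for(pkt)
        if user is None:
            return self.default_deny            # claim 69: unmapped address
        result = self._first_match(self.user_rules.get(user, []), pkt)
        return self.default_deny if result is None else result


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice on 10.0.0.5 may not use FTP (tcp/21)."""
    engine = FilterEngine(default_deny=False)
    engine.login("alice", "10.0.0.5")
    engine.user_rules["alice"] = [Rule(protocol="tcp", port=21, deny=True)]
    ftp = Packet("10.0.0.5", "198.51.100.7", "tcp", 21, inbound=False)
    http = Packet("10.0.0.5", "198.51.100.7", "tcp", 80, inbound=False)
    unmapped = Packet("10.0.0.9", "198.51.100.7", "tcp", 21, inbound=False)
    out = {
        "alice_ftp_denied": engine.filter(ftp),
        "alice_http_allowed": not engine.filter(http),
        "unmapped_gets_default": engine.filter(unmapped) == engine.default_deny,
    }
    engine.address_changed("alice", "10.0.0.6")          # claim 72 style update
    ftp_new = Packet("10.0.0.6", "198.51.100.7", "tcp", 21, inbound=False)
    out["old_ip_no_longer_alice"] = not engine.filter(ftp)
    out["new_ip_ftp_denied"] = engine.filter(ftp_new)
    # An established global UDP rule set that does not match this TCP packet
    # masks alice's own rule when the claim ordering is followed literally.
    engine.inbound_global = [Rule(protocol="udp", deny=True)]
    out["literal_order_masks_user_rule"] = not engine.filter(ftp_new)
    engine.fall_through = True
    out["fall_through_reaches_user_rule"] = engine.filter(ftp_new)
    return out
```

Two points a practitioner would check before deploying anything shaped like this: the mapping is keyed purely on IP address, so a stale entry after a logout or a DHCP lease change silently gives the next occupant of that address the previous user's rule set until the naming service update arrives; and the literal cascade means adding any global rule set changes which packets ever reach the per-user rules.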
74. A method of managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising:
establishing one or more policies for each user of the plurality of computers; optimizing the one or more policies so as to establish a set of user rules for each user, the user rules governing the communication of information between the user and the internetwork; identifying each user of the plurality of computers connected to the intranetwork; mapping each user to at least one computer connected to the intranetwork, thereby defining mapping information for each user; querying a NETBIOS server for an IP address of a computer operated by each user; and filtering information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user and the mapping information for each user.
75. The method of claim 74 , further comprising mapping each user to said IP address of each user.
76. A system for managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the system comprising:
means for establishing one or more policies for each user of the plurality of computers; means for optimizing the one or more policies so as to establish a set of user rules for each user, the user rules governing the communication of information between the user and the internetwork, wherein at least one of the user rules comprises a rule based on a usage quota for a user; means for identifying each user of the plurality of computers connected to the intranetwork; means for mapping each user to at least one computer connected to the intranetwork; and means for filtering information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user.
77. A method of managing communication of information between a user of a computer and an intranetwork, wherein the intranetwork is coupled to an internetwork that connects a plurality of intranetworks, the method comprising:
establishing one or more policies for the user; optimizing the one or more policies so as to establish a set of user rules for the user, the user rules governing the communication of information between the user and the internetwork; identifying the user of the computer connected to the intranetwork; mapping the user to the computer connected to the intranetwork as the user logs onto the intranetwork, thereby defining mapping information for each user; and filtering the information communicated between the user and the internetwork according to the set of user rules for the user and the mapping information for each user.
78. The method of claim 77 , wherein the set of user rules comprises a file type policy indicating whether a file having a particular file extension may be communicated between the user and the internetwork.
79. The method of claim 77 , wherein the mapping comprises determining an IP address of the user as the user logs onto the intranetwork.
80. The method of claim 77 , wherein the filtering comprises:
intercepting a data packet containing information as the data packet is communicated between the user and the internetwork; determining that transmission of the data packet to the user should be denied if the information matches at least one of the rules in said set of user rules for the user.
81. The method of claim 77 , further comprising storing in a database an identifier associated with each of said plurality of users, an identifier of the at least one computer mapped to each of said plurality of users, and the set of user rules for each user.
82. The method of claim 77 , further comprising updating the mapping information for each user as the address of the at least one computer to which the user is assigned changes.
83. An apparatus for managing communication of data packets between an intranetwork and an internetwork, the intranetwork connecting a plurality of computers via a communications medium, the internetwork connecting a plurality of intranetworks via communications media, the apparatus comprising:
( a ) a storage medium for storing:
a database which includes user information, mapping information and policies for each user of a computer connected to the intranetwork, wherein the user information identifies each user, wherein the mapping information maps each user to an IP address of a computer connected to the intranetwork, and wherein the policies govern the communication of data packets between each user and the internetwork;
a filter executive which optimizes the user policies for each user stored in the database into a set of rules for each user; and
a filter engine which filters data packets communicated between the intranetwork and the internetwork according to the set of rules for each user optimized by the filter executive and the mapping information for each user; and
( b ) a processing unit electronically coupled to the storage medium for executing program instructions which maintain the database, implement the filter executive and implement the filter engine.
84. A method of managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising:
identifying each user of the plurality of computers connected to the intranetwork; mapping each user to at least one computer connected to the intranetwork; establishing a set of user rules for each user governing the communication of information between the user and the internetwork, wherein at least one set of user rules comprises a usage quota rule; and filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user.
85. A method of managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising:
( a ) identifying each user of the plurality of computers connected to the intranetwork; ( b ) mapping each user to at least one computer connected to the intranetwork; ( c ) establishing a set of user rules for each user governing the communication of information between the user and the internetwork, wherein at least one set of user rules comprises a rule based on a usage quota for a user; ( d ) storing in a database an identifier associated with each user, the at least one computer mapped to each identified user, and the set of user rules for each user; and ( e ) filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user.
86. The method of claim 85 , wherein the usage quota is based on a time period during which the user may access the internetwork.
87. The method of claim 85 , wherein the usage quota is based on an amount of data that may be transferred to the user.
88. A method of managing communication of information between users of a plurality of computers connected to an intranetwork, and an internetwork, wherein the internetwork connects a plurality of intranetworks, the method comprising:
( a ) identifying each user of the plurality of computers connected to the intranetwork; ( b ) mapping each user to at least one computer connected to the intranetwork; ( c ) adding each user to a system hierarchy of groups including a root group and a plurality of subgroups, wherein the root group contains each user and wherein each subgroup contains at least one user; ( d ) establishing a set of user rules for each user governing the communication of information between the user and the internetwork, wherein at least one of the sets of user rules comprises a rule based on a usage quota for a user; ( e ) filtering the information communicated between the users of the plurality of computers connected to the intranetwork and the internetwork according to the set of user rules for each user, wherein the filtering comprises applying a set of global network policies against all users contained in the root group of the system hierarchy, wherein each global network policy indicates whether certain information may be communicated between any of the users contained in the root group and the internetwork using a particular network protocol.
89. The method of claim 88 , further comprising applying at least one user policy against each user, wherein the user policy indicates whether certain information may be communicated between the user and the internetwork.
90. The method of claim 88 , wherein the mapping comprises mapping each user to said IP address of each user.
91. The method of claim 88 , further comprising applying at least one rule against one of the plurality of subgroups such that each user in the one of the plurality of subgroups inherits the rule.
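Claims 84 through 91 (and the root-group policies of claims 59 through 64) combine three ideas: a hierarchy with a root group that contains every user and subgroups whose members inherit rules applied to the subgroup, usage quotas expressed either as a time period or as an amount of data transferred, and time schedule policies that restrict when a protocol may be used. The following Python is an added illustration of how such policies could be flattened ("optimized") into one rule list per user and then evaluated; it is not code from the patent. The policy classes, the most-specific-first ordering, the default-deny result when no protocol policy matches, and the sample hierarchy (root, an "engineering" subgroup, users "alice" and "bob", a constructed clock) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class ProtocolPolicy:
    """Global network policy: whether a protocol may be used at all."""
    protocol: str
    allow: bool


@dataclass(frozen=True)
class SchedulePolicy:
    """Time schedule policy: the protocol is usable from start up to end."""
    protocol: str
    start: time
    end: time


@dataclass(frozen=True)
class QuotaPolicy:
    """Usage quota: 'bytes' transferred to the user or 'minutes' of access."""
    kind: str
    limit: int


Policy = Union[ProtocolPolicy, SchedulePolicy, QuotaPolicy]


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    policies: List[Policy] = field(default_factory=list)


class PolicyStore:
    """Root group, subgroups and users; policies can attach at any level."""

    def __init__(self) -> None:
        self.root = Group("root")
        self.groups: Dict[str, Group] = {"root": self.root}
        self.user_group: Dict[str, Group] = {}
        self.user_policies: Dict[str, List[Policy]] = {}

    def add_group(self, name: str, parent: str = "root") -> Group:
        self.groups[name] = Group(name, self.groups[parent])
        return self.groups[name]

    def add_user(self, user: str, group: str = "root", policies=()) -> None:
        self.user_group[user] = self.groups[group]
        self.user_policies[user] = list(policies)

    def optimize(self, user: str) -> List[Policy]:
        """Flatten into one rule list, most specific first: user, its group, ..., root."""
        rules = list(self.user_policies[user])
        group: Optional[Group] = self.user_group[user]
        while group is not None:        # a member inherits every ancestor's rules
            rules.extend(group.policies)
            group = group.parent
        return rules


class UsageLedger:
    """Per-user counters that the quota rules are checked against."""

    def __init__(self) -> None:
        self.used: Dict[Tuple[str, str], int] = {}

    def record(self, user: str, kind: str, amount: int) -> None:
        self.used[(user, kind)] = self.used.get((user, kind), 0) + amount

    def get(self, user: str, kind: str) -> int:
        return self.used.get((user, kind), 0)


def decide(rules: List[Policy], user: str, protocol: str,
           now: datetime, ledger: UsageLedger) -> Tuple[bool, str]:
    """Return (allowed, reason). Every quota and schedule in the chain is
    enforced; for the allow/deny decision the first (most specific) protocol
    policy wins; no matching protocol policy means deny (an assumption)."""
    for r in rules:
        if isinstance(r, QuotaPolicy) and ledger.get(user, r.kind) >= r.limit:
            return False, f"{r.kind} quota exhausted"
        if isinstance(r, SchedulePolicy) and r.protocol == protocol:
            if not (r.start <= now.time() < r.end):
                return False, f"{protocol} outside schedule"
    for r in rules:
        if isinstance(r, ProtocolPolicy) and r.protocol == protocol:
            return r.allow, f"{protocol} {'allowed' if r.allow else 'denied'} by policy"
    return False, "no policy matched: default deny"


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed clock for the example (a fixed date, only the time matters)."""
    return datetime(2024, 1, 15, hour, minute)


def build_demo_store() -> PolicyStore:
    """Constructed hierarchy: root denies FTP, the engineering subgroup re-allows it."""
    store = PolicyStore()
    store.root.policies += [
        ProtocolPolicy("ftp", allow=False),
        ProtocolPolicy("http", allow=True),
        SchedulePolicy("http", time(8, 0), time(18, 0)),
        QuotaPolicy("bytes", 10_000_000),
    ]
    store.add_group("engineering")
    store.groups["engineering"].policies.append(ProtocolPolicy("ftp", allow=True))
    store.add_user("alice", "engineering", [QuotaPolicy("minutes", 120)])
    store.add_user("bob", "root")
    return store
```

Quotas and schedules are deliberately enforced from every level of the chain rather than overridden by the nearest one, so a subgroup rule can widen what protocols its members may use but cannot lift a data or time limit set at the root; if the deployment needs subgroup-level overrides of quotas as well, the first loop has to be reordered to stop at the most specific quota of each kind.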