(12) United States Patent
Juitt et al.

(10) Patent No.: US 7,042,988 B2
(45) Date of Patent: May 9, 2006

(54) METHOD AND SYSTEM FOR MANAGING DATA TRAFFIC IN WIRELESS NETWORKS

(75) Inventors: David Juitt, Arlington, MA (US); Philip Bates, London (GB); Thomas Christoffel, Concord, MA (US); Geoffrey Crawshaw, Needham, MA (US); David Crosbie, Somerville, MA (US)

(73) Assignee: Bluesocket, Inc., Burlington, MA (US)
`
( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 512 days.
`
(21) Appl. No.: 10/259,248

(22) Filed: Sep. 27, 2002

(65) Prior Publication Data

US 2003/0087629 A1    May 8, 2003
`
Related U.S. Application Data

(60) Provisional application No. 60/325,592, filed on Sep. 28, 2001.

(51) Int. Cl.
H04M 1/64 (2006.01)

(52) U.S. Cl. ................. 379/88.17; 370/329; 455/411; 455/456.3; 726/12

(58) Field of Classification Search ................. 455/412, 413, 415
See application file for complete search history.
`
Primary Examiner: Allan Hoosain
Assistant Examiner: Gerald Gauthier
(74) Attorney, Agent, or Firm: Goodwin Procter, LLP
`
(57)

ABSTRACT

The present invention can be used to facilitate the integration of wireless capability provided by wireless access points into an enterprise computer network. A gateway server is interposed between wireless access points and protected networks to provide security and integration functions, for example, authentication, access control, link privacy, link integrity, and bandwidth metering in various embodiments. Use of such a gateway server allows substantial control to be gained over network access even with the use of relatively simple access points. In general, such a gateway server receives a request to access the protected network. An authentication subsystem of the gateway server authenticates the user, preferably by accessing an external authentication server, and returns a role to the authenticated user. An access controller in the gateway server provides differential access to the protected network based on the user’s assigned role. Multiple gateway servers can be connected together to form a mesh network architecture.
`
52 Claims, 10 Drawing Sheets
`
[Front-page figure: flowchart with the steps DEFINE ROLE (STEP 200), RECEIVE REQUEST (STEP 205), AUTHENTICATE (STEP 210), ASSIGN ROLE (STEP 220), EVALUATE POLICIES (STEP 225), PROVIDE ACCESS (STEP 230).]
`
STARWOOD Ex 1011, page 1
`
`
`
`
U.S. Patent

May 9, 2006

Sheet 1 of 10

US 7,042,988 B2

[Sheet 1 of 10: drawing; the only labels legible in the scan are PROTECTED NETWORK and DEVICE.]

[Sheet 2 of 10: block diagram; legible labels: GATEWAY SERVER, RECEIVER, AUTHENTICATION SUBSYSTEM, ROLE ASSIGNER (partly legible), ACCESS CONTROLLER, with FROM ACCESS POINTS on one side and TO PROTECTED NETWORK on the other.]

[Sheet 3 of 10: flowchart; legible labels: DEFINE ROLE, ASSIGN ROLE, STEP 205, STEP 225, STEP 230.]

[Sheet 4 of 10: flowchart; legible labels: DEFINE ROLE, SELECT PROTOCOL.]

[Sheet 5 of 10: table of role policies; legible column headings: Policy Action, Service, Direction, Destination, Bandwidth; legible entries include Allow, Outgoing, Engineering, Finance, All, and an Inherited Role row.]

[Sheet 6 of 10: flowchart; labels not legible in the scan.]

[Sheet 7 of 10: drawing; labels not legible in the scan.]

[Sheet 8 of 10: drawing; labels not legible in the scan.]

[Sheet 9 of 10: drawing; labels not legible in the scan.]

[Sheet 10 of 10: drawing; legible labels: MESH NETWORK, NETWORK.]
`
`
METHOD AND SYSTEM FOR MANAGING DATA TRAFFIC IN WIRELESS NETWORKS

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to and the benefit of U.S. Provisional Patent Application Ser. No. 60/325,592, filed Sep. 28, 2001, entitled METHOD AND SYSTEM FOR MANAGING DATA TRAFFIC IN WIRELESS NETWORKS, the entire disclosure of which is hereby incorporated by reference.

TECHNICAL FIELD

This invention relates to the field of telecommunications and, more particularly, to the management of data traffic in wireless networks.
`
BACKGROUND INFORMATION

Wireless network technology allows a mobile user to wirelessly connect to a wired network, such as an enterprise’s local area network (LAN) or wide area network (WAN), or to another wireless network. Enterprises today are rapidly deploying wireless technology, in part because of the decreasing cost of mobile devices (e.g., personal digital assistants like the Compaq iPAQ by Compaq Corporation of Houston, Tex. and laptop computers) and wireless access points, and in part because of the increasing ease of installation and deployment, among other reasons. Such wireless network technology can provide LAN and/or WAN service to enterprises’ authorized users without wire installation and without tethering users to network connections. Wireless networks typically include mobile devices and wireless access points, which are portals to the wired network. Wireless access points are available with varying degrees of intelligence and functionality. Some merely act as bridges that relay wireless traffic into a wired network, while others provide additional functionality. Typically, simpler access points that provide less functionality cost less, but may not provide features necessary for operation within an enterprise.

Devices that conform to the IEEE 802.11 standard, a family of specifications for wireless networks developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE), are very popular and, particularly, the 802.11b technology has garnered wide acceptance in many businesses as standard networking technology. This technology effectively replaces an Ethernet cable from a router to a computer with a wireless link. Each 802.11b access point can support dozens of mobile devices by sharing 11 Mbps (megabits per second) of capacity. There can be up to three access points working in the same area, and each typically has an indoor range of 80 feet at 11 Mbps and 300 feet at 1 Mbps.

Despite the freedom and convenience provided by wireless networks, establishment of adequate security is a barrier to adoption. Wireless networks introduce a series of new security problems to organizations because physical connection to a network is not required for access. Wireless network signals typically have ranges beyond the physical confines of a building. Any compatible network adapter or access point within the range of an 802.11b access point can join the network. Thus, these networks can potentially make otherwise proprietary resources available to unauthorized users.
`
To offset the susceptibility of wireless networks to unauthorized accesses, the 802.11b standard provides a security protocol called Wired Equivalent Privacy (WEP). WEP attempts to provide a wireless network with a level of security and privacy comparable to a wired network by providing access control, link privacy and data integrity functions. When WEP is enabled on an 802.11b network, a secure key is entered into each mobile device and this key is used to encrypt and authenticate data.

Many practitioners view the security provided by WEP as inadequate, however, and for many applications users typically implement additional security measures to supplement the deficiencies of WEP. For example, several independent studies have shown that, with relatively minor effort, attackers can gain access to a WEP-secured wireless network by eavesdropping on the network. The studies have also shown that attackers can log on to WEP-enabled networks as bona fide users and send data into the networks without being detected.

To overcome WEP’s flaws, industry organizations have recommended using Virtual Private Networks (VPNs) to provide security for wireless networks. Unfortunately, the currently available VPNs introduce additional implementation challenges. For example, some implementations require access points to be directly wired to a single VPN server (normally located in a central equipment room). VPNs typically provide only binary access to the organization’s network, meaning a mobile device user can either have complete access to the protected network or none at all. Further, a single 11 Mbps 802.11b access point can have an effective throughput of approximately three times more than the capacity of a T1 connection, which is the connection typically supported by some existing VPN servers. Thus, wireless network users might overload the VPN server, resulting in poor performance for both the wireless network and mobile device users.
`
SUMMARY OF THE INVENTION

Systems and methods according to the invention can be used to facilitate the secure integration of wireless capability provided by wireless access points into an enterprise computer network. A gateway server is interposed between one or more wireless access points and protected (e.g., wired) networks. That gateway server provides security and integration functions, for example, authentication, access control, link privacy, link integrity, and bandwidth metering in various embodiments. Use of such a gateway server allows substantial control to be gained over network access even with the use of relatively simple (and inexpensive) access points. While the invention is particularly suited to the popular IEEE 802.11 wireless communication protocol, wireless access points are available that use a variety of present protocols, such as variations of 802.11 (e.g., 802.11a, 802.11b, 802.11g), Bluetooth, HiperLAN2, and 802.1x. The invention would be equally useful with other protocols and interfaces available now and in the future.

In one implementation, the present invention can address deficiencies in the WEP and VPN technologies by providing differential levels of access based on a category assigned to the user, rather than the binary configuration of according a user either full access to the organization’s network or none at all. The present invention can limit the bandwidth capacity of users, for example, so the 11 Mbps of capacity at each 802.11b access point cannot easily be saturated by a single user, leaving all other users stalled.
`
In general, in one aspect, a gateway server receives a request to access the protected network. This request typically comes from a mobile device operated by a user. The request is communicated from the mobile device to a wireless access point, and relayed by the wireless access point to the gateway server. The request might be an explicit request for access, and can include an identifier and authentication information (e.g., a PIN, password, digital certificate, encryption key, digital code, or some combination). The request might be an implicit request, such as a request to access network resources, a web page request, and so on.

Since the gateway server manages access control and security in a single integrated configuration, neither the mobile device nor the access points need to be intelligent to carry out the sophisticated access control and security functions to connect with wireless networks. Moreover, any changes in the networks, mobile devices, and access points do not result in significant changes, such as additions, modifications, or replacements, to the gateway server. In one implementation, the gateway server can be configured by a web-based interface, so that configuration changes can be incorporated in the gateway server by merely changing the parameters using the web-based interface.

In some implementations, an authentication subsystem of the gateway server authenticates the user of the mobile device. This is preferably accomplished by accessing an external authentication server (e.g., a RADIUS, LDAP, or NTLM server). Enterprises typically use such servers in the operation of their networks. The use of an already operating external authentication server simplifies network administration. The gateway server (and/or the external authentication server) can also authenticate a user that was previously authenticated via the same or a different gateway server without requiring re-communication of authentication information. A user is free to roam between different access points in wireless networks without having to terminate open connections. In another embodiment, the user can be authenticated using an authentication database within the gateway server, instead of or in combination with accessing an external authentication server. Because the authentication process is conducted solely by the gateway server, use of an internal or external authentication server is irrelevant and transparent to the user.

In some implementations, after the authentication process, the authenticated user of the mobile device can establish a VPN connection with the gateway server according to the Point-to-Point Protocol (PPTP) or Internet Protocol Security (IPSec) protocol. The VPN connection can provide additional security measures for the user and the protected network.

In one embodiment, the gateway server can passively monitor an authentication process when a user makes a request to authenticate to a server. If the user successfully authenticates, the gateway server assigns a role to the user based on the server with which the user authenticated. In one example, the gateway server can easily integrate with a Microsoft NT and/or Windows environment. A user already registered and authenticated in such an environment does not need to authenticate separately to the gateway server, since the gateway server assigns the role when the NT and/or Windows server accepted the user.
In some implementations, the user can authenticate via a secure web page without requiring additional software. The use of a secure web page can protect the wireless network from illicit monitoring. The gateway server receives identifier and authentication information from the user through a secure web page. The identifier and authentication information might be associated with a user of the mobile device, the mobile device itself, a smart card, an authentication token, and so on. For purposes of this discussion, authenticating the mobile device is understood to include any one or a combination of suitable authentication techniques for authenticating a device and/or a user of a device, depending on implementation. Examples of an identifier include one or a combination of username, e-mail address, and unique name. Examples of authentication information include one or a combination of a personal identification number (PIN), password, digital certificate, encryption key, and digital code. As discussed above, the user can use the same identification and authentication information used to access the protected resource in the wired environment.
Additionally, the gateway server can detect unauthorized access points by monitoring network traffic. In particular, the gateway server detects the presence of the unauthorized access points by monitoring SNMP, MAC addresses, and 802.11 DS Layer signals and characteristics of network traffic on both the protected and unprotected sides of the gateway server.

In one exemplary implementation, visitors to a corporation may be allowed to access the Internet at a low data rate by entering their e-mail address. Employees from other offices may be required to enter a username and password to access the Internet and resources permitted by their home office server. Employees working with highly sensitive data may be subject to a very high level of security available from the gateway server that utilizes certificates, smart cards and/or secure token technologies.

In one embodiment, before the user makes a request to access the protected network, a role is previously defined in the gateway server for the user. A role also can be assigned based on the attributes of a user as provided by the external authentication server.

In one embodiment, a role definer in the gateway server defines roles and assigns them to users. The role definer can specify network resources and degree of access to the protected network, including connection bandwidth limits. The role definer can also specify a tunneling protocol (e.g. IPSec or PPTP) associated with a role. Thus, for example, once a role is assigned to the user, the user’s bandwidth capacity is limited according to the assigned role. Access privileges can be differentiated for authorized users based on roles, instead of the commonly used “all or nothing” access. A particular role can be defined with different privileges in multiple resource locations. For example, an “engineer” role can be defined with full access to engineering department servers, but limited access to finance department servers.

Once the user is authenticated and assigned a role, an access controller in the gateway server provides access to the protected network based on the assigned role. A role includes one or more policies specifying the scope of performances permitted for the user. For example, in one embodiment, policies can include action, service, connection direction (e.g., to or from protected network, or both), and destination (e.g., resources in the protected network). The access controller evaluates each of the policies in the role to determine whether the services requested by the user should be allowed. If elements in a policy match the user’s requests, then the requested actions are performed. If a match is not found even after checking all the policies, then “inherited” roles can be checked for the user.
For example, every employee can share the role of staff. The staff role can have a set of default policies, or privileges granted to everyone in the organization. A change to the inherited role need not be repeated in the other specific roles, since these changes will apply to all roles that inherit the change. If no match is found even with the default policies, the user is disallowed from performing the requested services.
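As an added illustration (not code from the patent or from Bluesocket), the role and policy evaluation described above, in Python: a role holds ordered policies (action, service, direction, destination) and an optional bandwidth limit; the access controller checks the assigned role's policies first, then the inherited role's, and a request that matches no policy anywhere is disallowed. The role names, services, resource names and bandwidth figures are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


# One row of a role: what to do for a given service, connection direction
# (relative to the protected network) and destination.  "*" matches any
# service or destination; "both" matches either direction.
@dataclass(frozen=True)
class Policy:
    action: str       # "allow" or "deny"
    service: str      # e.g. "http", "ssh", or "*"
    direction: str    # "to", "from", or "both"
    destination: str  # resource in the protected network, or "*"


@dataclass
class Role:
    name: str
    policies: list = field(default_factory=list)
    inherits: Optional["Role"] = None      # consulted only when no own policy matches
    bandwidth_kbps: Optional[int] = None   # None: no limit set at this level


@dataclass(frozen=True)
class Request:
    service: str
    direction: str    # "to" or "from" the protected network
    destination: str


def policy_matches(policy: Policy, req: Request) -> bool:
    """Every element of the policy must match the request for it to apply."""
    return (policy.service in ("*", req.service)
            and policy.direction in ("both", req.direction)
            and policy.destination in ("*", req.destination))


def evaluate(role: Role, req: Request):
    """Return (allowed, name_of_deciding_role).

    Policies of the assigned role are checked in order; if none matches, the
    inherited role is checked, and so on up the chain.  No match anywhere is
    a default deny, reported with role name None.
    """
    seen = set()                      # protects against an inheritance cycle
    current = role
    while current is not None and current.name not in seen:
        seen.add(current.name)
        for policy in current.policies:
            if policy_matches(policy, req):
                return policy.action == "allow", current.name
        current = current.inherits
    return False, None


def effective_bandwidth(role: Role) -> Optional[int]:
    """Bandwidth cap for a role: its own limit, else the nearest inherited one."""
    current = role
    while current is not None:
        if current.bandwidth_kbps is not None:
            return current.bandwidth_kbps
        current = current.inherits
    return None


# Constructed roles.  "staff" is the default role every employee inherits;
# "engineer" layers its own policies on top of it; "visitor" is stand-alone.
STAFF = Role("staff", [
    Policy("allow", "http", "to", "intranet-web"),
    Policy("allow", "smtp", "to", "mail-server"),
], bandwidth_kbps=2000)

ENGINEER = Role("engineer", [
    Policy("allow", "*", "both", "engineering-servers"),   # full access
    Policy("allow", "http", "to", "finance-servers"),      # limited access
    Policy("deny", "*", "both", "finance-servers"),
], inherits=STAFF)

VISITOR = Role("visitor", [
    Policy("allow", "http", "to", "internet"),
], bandwidth_kbps=256)


def decide(role: Role, service: str, direction: str, destination: str) -> dict:
    """Full decision for one request: verdict, which role decided, bandwidth cap."""
    allowed, decided_by = evaluate(role, Request(service, direction, destination))
    return {"allowed": allowed, "decided_by": decided_by,
            "bandwidth_kbps": effective_bandwidth(role)}


if __name__ == "__main__":
    for args in [("ssh", "to", "engineering-servers"),
                 ("ssh", "to", "finance-servers"),
                 ("http", "to", "intranet-web")]:
        print("engineer", args, decide(ENGINEER, *args))
    print("visitor", decide(VISITOR, "ssh", "to", "engineering-servers"))
```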
In one embodiment, one or more additional gateway servers are interposed between the wireless network and the protected network to provide a fail-over configuration. If a first gateway server (also referred to as the primary server) fails, another gateway server (also referred to as the back-up server) receives the access request in the place of the first gateway server. In one implementation, there is more than one additional (or back-up) gateway server. In this configuration, all set up information, additions and changes to the primary server are automatically propagated across and shared in real time with the back-up servers. The primary and the back-up gateway servers are connected via a fail-over interface. While the primary server is actively managing the user and the wireless network, the back-up servers remain idle. Concurrently, the back-up servers monitor a “heartbeat signal” of the primary server. If the back-up servers do not detect a certain number of heartbeats from the primary server in a specified amount of time, a fail-over occurs and one of the back-up servers takes over the role of the primary server and receives the requests from the user, without requiring new set-up and configuration.
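An added example (not the patent's or Bluesocket's code) of the back-up side of the fail-over scheme just described, in Python: each back-up records the primary's heartbeats, declares the primary failed when fewer than a required number arrived within the monitoring window, and the back-ups pick the successor by a fixed priority order so that exactly one takes over. The priority rule, the window, the threshold and the server ids are assumptions constructed for the example.

```python
from collections import deque
from typing import List, Optional, Tuple


class HeartbeatMonitor:
    """Tracks heartbeats from the primary gateway server.

    The primary is considered failed when fewer than `min_beats` heartbeats
    arrived within the last `window` seconds.  Time is supplied by the caller
    (seconds on a monotonic clock) so the logic is deterministic.
    """

    def __init__(self, window: float, min_beats: int):
        if window <= 0 or min_beats <= 0:
            raise ValueError("window and min_beats must be positive")
        self.window = window
        self.min_beats = min_beats
        self._beats: deque = deque()          # timestamps of heartbeats received

    def _expire(self, now: float) -> None:
        """Drop heartbeats that fell out of the monitoring window."""
        while self._beats and self._beats[0] <= now - self.window:
            self._beats.popleft()

    def heartbeat(self, now: float) -> None:
        """Record a heartbeat; one stamped earlier than the last is ignored."""
        if self._beats and now < self._beats[-1]:
            return
        self._beats.append(now)
        self._expire(now)

    def beats_in_window(self, now: float) -> int:
        self._expire(now)
        return len(self._beats)

    def primary_failed(self, now: float) -> bool:
        return self.beats_in_window(now) < self.min_beats


class BackupServer:
    """One back-up gateway server watching the primary over the fail-over interface."""

    def __init__(self, server_id: str, priority: int, window: float, min_beats: int):
        self.server_id = server_id
        self.priority = priority           # assumed rule: lowest value takes over first
        self.monitor = HeartbeatMonitor(window, min_beats)
        self.is_primary = False

    def tick(self, now: float, backups: List["BackupServer"]) -> bool:
        """Periodic check; returns True if this server just took over as primary."""
        if self.is_primary or not self.monitor.primary_failed(now):
            return False
        if elect_successor(backups) == self.server_id:
            self.is_primary = True
            return True
        return False


def elect_successor(backups: List[BackupServer]) -> str:
    """All back-ups apply the same deterministic rule, so exactly one takes over."""
    return min(backups, key=lambda b: (b.priority, b.server_id)).server_id


def run_scenario(beat_times, check_times, backups) -> Optional[Tuple[float, str]]:
    """Replay primary heartbeats and back-up checks in time order.

    Returns (time, server_id) of the fail-over, or None if the primary never
    missed enough heartbeats for a back-up to take over.
    """
    events = sorted([(t, "beat") for t in beat_times] +
                    [(t, "check") for t in check_times])   # "beat" sorts before "check"
    for t, kind in events:
        if kind == "beat":
            for b in backups:
                b.monitor.heartbeat(t)
        else:
            for b in backups:
                if b.tick(t, backups):
                    return t, b.server_id
    return None


if __name__ == "__main__":
    # Constructed scenario: a heartbeat every second until t=5, then silence;
    # back-ups require 3 heartbeats per 5-second window and check every 2 s.
    cluster = [BackupServer("gw-backup-2", 2, 5.0, 3),
               BackupServer("gw-backup-1", 1, 5.0, 3)]
    print(run_scenario([0, 1, 2, 3, 4, 5], [2, 4, 6, 8, 10], cluster))
```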
In another embodiment, multiple gateway servers are interposed between different wireless networks and protected networks. These gateway servers replicate the configuration information of a single gateway server initially in communication with the mobile device. Such replication among the multiple gateway servers can be useful in administering a large-scale wireless network in that configuration changes are propagated from the single gateway server.
In some implementations, multiple gateway servers can be interposed between the protected network and unprotected wireless local area networks to create a “mesh network” architecture of gateway servers. The mesh network architecture can facilitate the seamless roaming of a mobile device from one gateway server to another