US007146638B2

(12) United States Patent
Malcolm

(10) Patent No.: US 7,146,638 B2
(45) Date of Patent: Dec. 5, 2006

(54) FIREWALL PROTOCOL PROVIDING ADDITIONAL INFORMATION

(75) Inventor: Jerry Walter Malcolm, Austin, TX (US)

(73) Assignee: International Business Machines Corporation, Armonk, NY (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 923 days.

(21) Appl. No.: 10/135,704

(22) Filed: Jun. 27, 2002

(65) Prior Publication Data
    US 2004/0003290 A1    Jan. 1, 2004

(51) Int. Cl.
    H04L 9/00    (2006.01)
    G06F 15/16   (2006.01)
    G06F 21/00   (2006.01)
(52) U.S. Cl. ........................................ 726/11; 709/223
(58) Field of Classification Search .................... None
    See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

    5,958,016 A        9/1999   Chang et al.
    5,987,611 A       11/1999   Freund
    6,009,475 A       12/1999   Shrader
    6,151,675 A       11/2000   Smith
    6,167,428 A       12/2000   Ellis, III
    6,314,351 B1      11/2001   Chutorash
    6,496,935 B1 *    12/2002   Fink et al. .................. 726/13
    6,772,347 B1 *     8/2004   Xie et al. ................... 726/11
    2001/0011294 A1 *  8/2001   Ellis, III ................... 709/201

FOREIGN PATENT DOCUMENTS

    WO    WO 99/32972     7/1999
    WO    WO 99/51003    10/1999

OTHER PUBLICATIONS

"Simple Assured Bastion Hosts", Chris Cant & Simon Wiseman; Defence Evaluation and Research Agency; Malvern, England; pp. 24-33.
"Detecting Anomalous and Unknown Intrusions Against Programs", Anup K. Ghosh, James Wanken & Frank Charron; Reliable Software Technologies; 21515 Ridgetop Circle, Suite 250; www.rstcorp.com; 9 pages.

* cited by examiner

Primary Examiner: Christopher Revak
(74) Attorney, Agent, or Firm: Justin Dillon; Streets & Steele; Jeffrey L. Streets

(57) ABSTRACT

A method and computer program product that allow a firewall program to control whether an application program is granted access to a wide area network (WAN), such as the Internet. The method allows the firewall to receive an access request definition from the application program through a well-known port. A preferred request definition comprises the application unique identifier, a destination address, the port, and a corresponding justification statement. The firewall intercepts access requests sent by the application program and identifies a matching access request definition. The firewall then prompts a user to approve or deny the request, wherein the prompt is accompanied by the justification statement from the identified access request definition. Accordingly, the user is better able to make an informed decision whether or not to grant the access request.

30 Claims, 4 Drawing Sheets

IPR2015-01856 CAP CO, Ltd. Exhibit 2006 Page 1

[Drawing sheet 1 of 4]

[FIG. 1: block diagram of an exemplary computer upon which the invention may be implemented; the drawing is not legible in this scan]

[Drawing sheet 2 of 4]

FIG. 2A

102  STARTUP FIREWALL PROGRAM
104  STARTUP APPLICATION THAT WILL BE ACCESSING THE INTERNET
106  THE APPLICATION IDENTIFIES THE PRESENCE OF THE FIREWALL PROGRAM AND SENDS INFORMATION ABOUT POSSIBLE TYPES OF INTERNET ACCESS REQUESTS AND RELATED JUSTIFICATION STATEMENTS TO THE FIREWALL AT A WELL-KNOWN PORT
108  APPLICATION SENDS OUT A STANDARD INTERNET ACCESS REQUEST
110  FIREWALL INTERCEPTS THE STANDARD INTERNET ACCESS REQUEST
     DOES THE FIREWALL ALREADY HAVE AN ACCESS RULE COVERING THE TYPE OF ACCESS REQUEST FROM THE APPLICATION TO THE RETURN URL/PORT?  YES / NO  (both branches continue on FIG. 2B)

[Drawing sheet 3 of 4]

FIG. 2B

     (from the YES branch of FIG. 2A) DOES THE RULE APPROVE THE ACCESS?  NO: firewall denies  /  YES: firewall passes the request
120  (from the NO branch of FIG. 2A) FIREWALL DISPLAYS THE APPLICATION NAME, SERVER TO ACCESS, AND JUSTIFICATION STATEMENT FOR THE INTERNET REQUEST AND PROMPTS THE USER TO APPROVE OR DENY THE REQUEST
122  FIREWALL RECEIVES USER RESPONSE
124  DOES THE USER WANT THE FIREWALL TO FORM AN ACCESS RETURN RULE?  YES: ADD ACCESS RULE TO DATABASE  /  NO: continue
     DID THE USER APPROVE THE ACCESS?
     NO:  FIREWALL DENIES THE REQUESTED ACCESS TO THE INTERNET
     YES: FIREWALL PASSES THE REQUEST TO THE INTERNET

[Drawing sheet 4 of 4]

[FIG. 3: data flow diagram illustrating the method of FIGS. 2A-B; the drawing is not legible in this scan]

FIREWALL PROTOCOL PROVIDING ADDITIONAL INFORMATION

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to the field of computer security systems and, more particularly, to a firewall that regulates access and maintains security of individual computers linked to wide area networks (WAN).

2. Description of the Related Art

Personal computers were initially used primarily as stand-alone units having no direct connections to other computers or to computer networks. Exchanging data among these first computers was mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, computer users began to connect their personal computers to other personal computers by using Local Area Networks (LAN), thereby enabling groups of computer users to share peripherals and to share data between their computers. In this environment, maintaining security and controlling the information that a personal computer user could access over the LAN was relatively simple because the overall computing environment was limited and clearly defined within the LAN.

Then came the Internet. The development of the Internet has provided personal computers, either as stand-alone units or through a Local Area Network (LAN), access to vast stores of information, typically through web "browsers", such as Microsoft's Internet Explorer® or Netscape Navigator®. Browsers and other Internet applications have the ability to access a URL (Universal Resource Locator) or "Web" site. Access to the Internet with its vast stores of information is now essential for businesses to stay competitive, for consumers to stay informed, for many people to communicate with each other through e-mail or other forms of Internet communication, and for a myriad of other reasons, including entertainment.

Unfortunately, along with the benefits of having computer access to the Internet come a variety of dangers. These dangers include, for example, attacks by perpetrators (hackers) capable of damaging the computer system or stealing data and programs, and attacks by viruses and "Trojan Horse" programs that infiltrate a computer. Additionally, legitimate applications may send personal information to marketers without the knowledge of the user. These dangers were minor and infrequent before computer users started to connect to the Internet.

The software industry has introduced many products and technologies to address these dangers in an attempt to protect computers that access the Internet. The technologies and products that the software companies have introduced focus on keeping outside hackers, viruses and "Trojan Horse" programs from penetrating the computer system or network, and include, for example, proxy servers and firewalls. Firewalls are applications that intercept the data traffic at a gateway to a wide area network and check the data packets (i.e., the Internet Protocol packets, or the IP packets) for suspicious or unwanted activities. Some firewalls additionally conduct a "stateful inspection", wherein the firewall not only looks at the IP packets but also looks at the transport protocol (e.g., TCP) header and even at the application program protocols, in an attempt to better understand the exact nature of the data exchange. Proxy servers are usually combined with a firewall and function by accepting requests from the computers on the LAN. After examining these requests and determining their suitability, the proxy servers may then forward these requests to the requested Internet server or reject the request. In this manner, the user's computer never comes directly into contact with Internet servers, but instead communicates only with the proxy server that is communicating with the Internet servers.

The Internet is essentially an open network of computers and LANs. Computers within this open network communicate using multiple protocol layers. Each of the layers addresses a distinct concern of the communication process. As a core protocol of the Internet, Internet Protocol (IP) provides a layer for exchanging data packets between computers connected to the Internet, including providing data encapsulation and header formatting, data routing across the Internet, and fragmentation and reassembly. According to the protocol, data is transmitted by attaching a header with a destination address (IP address) and then transmitting the data packet from one computer to another until the data packet arrives at the desired destination. Along this journey, each computer uses an implementation of the IP Protocol to route the data packet to the next destination until the data packet reaches its final destination. Except for checking the integrity of the IP header, no error detection or recovery tasks are performed. When the data packet arrives at its ultimate destination, any necessary integrity checks are carried out.

Another protocol, the transport protocol, serves as a layer responsible for guaranteeing the integrity of application data. It is, therefore, used only at the original source and final destination of the data. The Internet currently uses two different transport protocols. One protocol, User Datagram Protocol (UDP), does not offer reliable connectionless services. Therefore, in practice it is up to the target application to check data integrity. In contrast, Transmission Control Protocol (TCP), another transport protocol, provides reliable connection-oriented service, which establishes a connection with a remote computer and guarantees data integrity and delivery (or notifies the application in case of an error).

Both TCP and UDP data transmissions provide specific headers in addition to the IP header. In order to simplify forwarding the data packets to a target application, these headers include a port number. The port number identifies an application-level protocol. Port number 80, for instance, is normally used for the World Wide Web protocol (Hypertext Transport Protocol or HTTP), and is therefore called a "well-known port number." Other well-known port numbers include, for example, port number 25 for SMTP, used to deliver email, and port number 21, used for FTP service. A server makes its services available to the Internet by using a different port number for each service that the server offers. To connect to one of the services, the computer trying to connect must include both the specific IP address of the server and the specific port address used by the server to provide the requested service.

TCP/IP refers to IP Protocol combined with TCP and UDP. Normally, application programs communicate with an available TCP/IP implementation (e.g., Windows "WinSock") through an Applications Programming Interface (API). For Windows computers, the WinSock API simply encapsulates the TCP/IP architecture. WinSock is patterned after the popular Berkeley Sockets programming model, which is generally considered the de facto standard for TCP/IP networking.

Internet applications generally implement more specialized protocols on top of TCP/IP. For example, a Web browser implements the client portions of the HyperText Transfer Protocol (HTTP) in order to communicate with Web servers. A Web browser also might implement other
protocols, such as the older File Transfer Protocol (FTP) for downloading data. Electronic mail applications (i.e., E-mail clients) implement the client portion of the Simple Mail Transfer Protocol (SMTP) and the Post Office Protocol (POP). Still other protocols exist for use in the Internet, many of which are documented in the technical, trade, and patent literature.

Firewalls have been developed for installation on desktop computers, whether these computers are attached to a LAN or operated as stand-alone computers. Firewall programs such as ZoneAlarm®, a registered trademark of Zone Labs, Inc., of San Francisco, Calif., or Desk Top Firewall®, a registered trademark of Symantec, Inc., of Cupertino, Calif., are installed on a desktop computer to prevent unknowing or unauthorized inbound or outbound Internet traffic with the desktop computer. When an application program running on the desktop computer attempts to access the Internet to connect to a particular server/port for the first time, the firewall program asks the user to approve or deny the access. Typically, the firewall program allows the user the option of having the firewall program create an Internet access rule based on the user's response. Once the firewall has an Internet access rule in place, usually part of a database of access rules, criteria and their conditions, then the firewall does not have to seek the user's approval each subsequent time that the application program attempts to access the particular server covered by the access rule. Similarly, when a request to access the user's computer is received from an external source over the Internet on a particular port of the user's computer, the firewall program on the computer queries the user to approve or deny access, again offering to store the answer in the form of an access rule of the firewall program if the user so chooses. Therefore, the user is allowed to provide the firewall program with instructions about how to control both Internet traffic that is inbound to the computer and Internet traffic that is outbound from the computer.

Unfortunately, when an application program requests permission to access the Internet through the firewall, a typical firewall program provides the user with insufficient information to make an informed decision. Typically, the firewall will provide only the name of the desktop application program seeking access to the Internet and the name of the remote server and port that the application program wants to access. The firewall is unable to provide the user with a reason why the application program wants to access the Internet or what information will be sent or received. While some reasons may be obvious, for example, an email organizer application requires connecting with the user's SMTP server, other reasons are not so obvious, leaving the user to guess as to whether to permit access or not. Some application programs have abused this lack of user knowledge, by collecting private information without the user's permission, and sending that information to a server without the user's knowledge or permission.

With access to the Internet being such an important and growing need for many people and businesses, computer users want to protect their computers and their privacy and still have access to the Internet. What is needed is a method that informs computer users why their applications and computers need to access the Internet before the access is provided. It would be of further benefit if the method enabled a firewall program to provide the user with enough information to make informed decisions as to whether to allow the Internet access.

SUMMARY OF THE INVENTION

The present invention provides a firewall method or protocol for controlling access or communication between an application program and a wide area network, such as the Internet. The method comprises receiving at least one access request definition from the application program through a well-known port, wherein each access request definition comprises the name or other unique identifier of the application program, a destination address on a wide area network, a port, and a corresponding justification statement. The firewall is also responsible for intercepting an access request directed from the application program to a destination address on the wide area network, identifying one of the at least one access request definitions that matches the intercepted access request, and prompting a user to approve or deny the intercepted access request accompanied by the justification statement from the identified access request definition.

In one embodiment, the firewall receives the at least one access request definition from the application program during startup of the application program. In an alternative embodiment, the firewall receives the at least one access request definition from the application immediately prior to the intercepted access request.

The intercepted access request will provide the name of the application program and a destination address on the wide area network address. The justification statement originating from the application program comprises parameters selected from the name of the application program, the version of the application program, the destination address on the wide area network address, an entity responsible for a server at the destination address, a text string detailing a purpose for the access request, information to be delivered to the server at the destination address, information to be received from the server at the destination address, and combinations thereof.

After informing the user about the access request, the firewall receives a user response indicating approval or denial of the intercepted access request. Furthermore, the firewall program may maintain an access rule data structure and prompt the user to provide an instruction whether to apply the user response against subsequent access requests matching the identified access request definition. If the user desires to apply the response to subsequent access requests, the firewall may store an access rule in the access rule data structure in accordance with the user instruction. Access rules comprise three parameters: application name, destination address or URL, and port, as well as an instruction to accept or deny the access. When a request matches the application name, destination address or URL, and the port stored in one of these rules, the firewall executes the associated instruction to accept or deny the access. If a request does not match one of the rules, then the firewall asks the user for permission to grant the access and provides the justification statement. When an access request is approved, either by an access rule or by the user response, the firewall passes the approved access requests to the wide area network.

The present invention also provides a computer program product to control access by an application program to a wide area network. The computer program product comprises receiving instructions for receiving at least one access request definition from the application program through a well-known port, wherein each access request definition comprises the name of the application program, a destination address on a wide area network, the port, and a
`US 7,146,638 B2
`
`5
`corresponding justification statement; intercepting instruc-
`tiom for intercepting an access request directed from the
`application program to a destination address on the wide
`area network; identifying instructions for identifying one of
`the at least one access request definitions that matches the
`intercepted access request; and prompting instructions for
`prompting a user to approve or deny the intercepted access
`request accompanied by the jmtifiwtion statement from the
`identified access request definition. The computer program
`product will typically further comprise receiving instnrc-
`tiom for receiving a user response indicating approval or
`denial of the intercepted access request.
`Optionally,
`the computer program product will also
`include maintaining instructions for maintaining an access
`nrle data structure, and prompting instructions for prompting
`the user to provide an instruction whether to apply the user
`response against subsequent access requests matching the
`identified access request definition. Preferably, the computer
`program product will comprise storing instructions for stor-
`ing an access rule in the access rule data structure in
`accordance with the user instruction. Upon executing receiv-
`ing instructions for receiving a subsequent access request
`matching the stored access rule,
`the computer program
`product will preferably execute searching instructions for
`searching an access rule data structure for an access rule
`covering the access request and automatic instructions for
`automatically approving or denying the subsequent access
`request in accordance with the stored access nrle. Finally, the
`product comprises passing instructions for passing approved
`access requests to the wide area network.
`The foregoing and other objects, features and advantages
`of the invention will be apparent from the following more
`particular description of a preferred embodiment of the
`invention, as illustrated in the accompanying drawing
`wherein like reference numbers represent like parts of the
`invention.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 is a block diagram ofan exemplary computer upon
`which the present invention may be implemented.
`FIGS. 2A—B are a flowchart of a method for controlling
`an application program's access to the Internet on a com-
`puter with a firewall in accordance with the present inven-
`tion.
`
`FIG. 3 is a data fiow diagram illustrating the method of
`FIGS. 2A—B.
`
`DETAILED DESCRIPTION
`
`The present invention provides a method and computer
`program product that allow a firewall program to comrol
`whether an application program is granted access to a wide
`area network (WAN), such as the lntemet. The method ofthe
`present invention allows the firewall to receive at least one
`access request definition from the application program,
`preferably, though not required, through a well-known port.
`A preferred request definition comprises the name of the
`application program, a destination address on a wide area
`network, the port, and a corresponding justification state-
`ment. The firewall
`intercepts access requests tlnt are
`directed from the application program to a destination
`address on the wide area network and identifies one of the
`
`5
`
`I0
`
`20
`
`25
`
`30
`
`35
`
`45
`
`S0
`
`S5
`
`at least one access request definitions that match the inter-
`cepted access request. The firewall then prompts a user to
`approve or deny the intercepted access request accompanied
`by the justification statement from the identified access
`
`65
`
`6
`request definition. When the computer user views, hears or
`otherwise receives the justification statement explaining
`why the application program needs to access the wide area
`network. the user is better able to make an informed decision
`whether or not to grant the access request.
`When the user makes the decision whether or not to grant
`access to the Internet based upon the displayed justification
`statement, the user may also indicate whether to grant the
`particular access request this one time, grant the particular
`access request at all subsequent times, deny the particular
`access request this one time, or deny the particular access
`request at all subsequent times. If the user elects to form an
`access rule applicable to subsequent access requests, the
`decision to grant or deny access may then be stored in a
`database or similar record management system so that the
`next time the particular access request is made, the firewall
`may grant or deny access based upon the user‘s previous
`instructions. Alternatively, the user may continue to instruct
`the firewall to grant or deny the application access to the
`Internet on a case-by-case basis.
`Preferably, the firewall communicates the justification
`statement through a dialogue box or other suitable commu-
`nications interface to inform the user about the type and
`purpose of the requested Internet access. For example, the
`dialogue box may display a statement that:
`“Application XYZ is attempting to contact URL www.x-
`yz.com for the purpose of checking if a new version of
`the application is available. Do you approve this
`access?"
`
`In response to this request, the user may indimte, for
`example by clicking a mouse button over a check box that
`the user approves or denies the access.
`The method of the present invention requires an applica-
`tion program to provide the firewall with the URL of the
`server on the Internet and the purpose for making the
`contact, preferably including the information that will be
`sent and/or received. For example, if an application program
`wants to send banking information to the user's broker, the
`user must approve the request before the information can be
`exchanged. Alternatively, the user may deny the access.
`Specifically, the application program will preferably pro-
`vide the firewall program with a list of Internet access
`requests that
`the application may possibly have during
`execution ofthe application. For example, each record in the
`list of possible lntemet access requests may include param-
`eters selected from the name of the application, the version
`of the application, a name of the external server to contact,
`an entity name responsible for the server, a justification
`statement detailing the purpose for contacting the server,
`information to be delivered to the server, information to be
`received from the server, and combinations thereof.
`When the firewall intercepts a standard lntemet access
`request from the application, any or all of these parameters
`maybe communicated to the user as part of or along with the
`justification statement. The means of communicating these
`parameters from the computer to the user may include any
`known means, such as by displaying the information on a
`computer monitor or playing audio over a set of speakers.
`Not all application programs may be willing or able to
`provide this additional information to the firewall program
`and, ultimately,
`to the user. In that case, the user may
`associate a higher level of risk to those application programs
`not willing or able to provide the additional information,
`since these programs may conceivably be less than com-
`pletely forthright in stating their purpose for contacting a
`particular server. The present invention does not address the
`issue of an application program that provides overtly incor-
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2006 Page 8
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2006 Page 8
`
`

`
`US 7,146,638 B2
`
`5
`
`I0
`
`20
`
`25
`
`30
`
`7
`rect information to the user. However, such a problem would
`ultimately be detected, thereby discrediting both the appli-
`cation program and the application program's marketer for
`providing false information to the users.
`It is preferred that the application program send informa-
`tion to the firewall during startup of the application, wherein
`the information includes possible types of lntemet access
`requests and associated justification statements for each type
`or request. However, it is also within the scope ofthe present
`invention that the application may send this information to
`the firewall immediately preceding each standard Internet
`request.
`It should be noted that some computers reside on a Local
`Area Network (LAN) having access to the Internet only
`through a separate server that also resides on the LAN. The
`separate server may have a firewall that protects the entire
`LAN from the dangers associated with accessing the Inter-
`net. The present invention is equally applicable to those
`computers having a firewall for protection that is located on
`a separate device residing on the same LAN.
`Regardless of the exact location of the firewall program,
`an access rule may be created at the discretion of the user to
`control the particular Internet access request in the same
`manner whenever subsequently requested by the application
`program. The access rules maybe stored in a database or
`other suitable record management system or data structure
`associated with the firewall program. Access rules comprise
`three parameters, an application name or other unique iden-
`tification, a destination address or URL and a port, and one
`instruction to accept or deny the access. When a request
`matches the application name, destination address or URL,
`and the port stored in one ofthese rules, the firewall executes
`the associated imtruction to accept or deny the access. If a
`request does not have parameters that match one of the rules,
`then the firewall asks the user for permission to grant the
`access and provides the justification statement. Parameters
`contained within the request
`to access the Internet are
`compared with the parameter of the access rules to deter-
`mine whether an idmtical access request was granted in the
`past and granted for all subsequent access requests contain-
`ing the same parameters.
Establishing communications between the application program and the firewall, so that the firewall may inquire of the user whether to allow the application program to obtain Internet access, may be achieved by methods well known to those having ordinary skill in the art and will not be discussed in detail herein. One acceptable method may be that the firewall opens a well-known port for the purpose of communicating with all the application programs running on the desktop computer that may request Internet access. The operating system may create a socket and bind the socket to the well-known port, and the firewall may then listen on the socket for communications from application programs. When an application program is started, the application program may create a socket for communicating with the firewall program. The application program may then communicate with the firewall program using standard socket protocol, thereby sending and receiving communications to and from the well-known port of the firewall. In the preferred embodiment, communication between the firewall and the application program would be through XML-based messages, using an industry-accepted standard XML grammar designed for communicating between the firewall and application programs. XML is short for Extensible Markup Language, a specification developed by the World Wide Web Consortium, an international consortium of companies involved with the Internet. XML is a language designed especially for Web documents, allowing customized tags that enable the definition, transmission, validation, and interpretation of data between applications and between organizations. However, any alternative means for communicating would be acceptable.
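As an added illustration of the rule matching and user-prompting flow described above, together with the XML message exchange, the following Python sketch is not the patent's own code; the `<access-request>` element names are an assumed grammar, since the patent names no specific schema, and the sample messages are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    """One stored rule: application name, justification, destination, port, accept/deny."""
    application: str
    justification: str
    destination: str
    port: int
    accept: bool


class PromptingFirewall:
    """Matches requests against stored rules; unmatched requests are put to the user."""

    def __init__(self, ask_user):
        # ask_user(application, justification, destination, port) -> bool (accept?)
        self.ask_user = ask_user
        self.rules = {}   # (application, destination, port) -> AccessRule
        self.prompts = 0  # number of times the user has been asked, for inspection

    def parse_request(self, message):
        # Assumed message grammar (not from the patent):
        # <access-request><application/><justification/><destination/><port/></access-request>
        # Only text content is read; the application name is self-reported by the requester.
        root = ET.fromstring(message)
        fields = {tag: (root.findtext(tag) or "").strip()
                  for tag in ("application", "justification", "destination", "port")}
        if not fields["port"].isdigit():
            raise ValueError("port must be a decimal integer")
        return (fields["application"], fields["justification"],
                fields["destination"], int(fields["port"]))

    def decide(self, message):
        app, why, dest, port = self.parse_request(message)
        key = (app, dest, port)
        rule = self.rules.get(key)
        if rule is None:
            # No rule with identical parameters: show the justification and ask the user,
            # then store the answer so later identical requests reuse it without a prompt.
            self.prompts += 1
            accept = bool(self.ask_user(app, why, dest, port))
            rule = AccessRule(app, why, dest, port, accept)
            self.rules[key] = rule
        return rule.accept
```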
The present invention may be run on a variety of computers under a number of different operating systems. The computer could be, for example, a personal computer, a mini computer, personal digital assistant, mainframe computer or a computer running in a distributed network of other computers. Although the specific choice of computer is limited only by processor speed and disk storage requirements, computers in the IBM PC series of computers could be used in the present invention. One operating system that an IBM personal computer may run is IBM's OS/2 Warp 4.0. In the alternative, the computer system might be in the IBM RISC System/6000 (TM) line of computers that run on the AIX (TM) operating system.
FIG. 1 is a block diagram of an exemplary computer upon which the present invention may be implemented. The computer comprises a system unit 11, a keyboard 12, a mouse 13 and a display 14. The system unit 11 includes a system bus or plurality of system buses 21 to which various components are coupled and by which communication between the various components is accomplished. The microprocessor 22 is connected to the system bus 21 and is supported by read only memory (ROM) 23 and random access memory (RAM) 24, also connected to