US006230194B1

(12) United States Patent                     (10) Patent No.: US 6,230,194 B1
Frailong et al.                               (45) Date of Patent: May 8, 2001

(54) UPGRADING A SECURE NETWORK INTERFACE

(75) Inventors: Jean-Marc Frailong, Palo Alto; John Tao, San Jose, both of CA (US)

(73) Assignee: Freegate Corporation, Sunnyvale, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 08/897,214

(22) Filed: Jul. 14, 1997

(51) Int. Cl.7 .................... G06F 15/177
(52) U.S. Cl. ..................... 709/220; 709/221; 709/222
(58) Field of Search .............. 709/220, 221, 222

(56) References Cited

U.S. PATENT DOCUMENTS

5,144,664 *  9/1992  Esserman et al. ........ 380/20
5,155,847 * 10/1992  Kirouac et al. ......... 709/221
5,564,051 * 10/1996  Halliwell et al. ....... 370/401
5,671,355 *  9/1997  Collins ................ 709/250
5,689,640 * 11/1997  Okanoue ................ 709/221
5,699,350 * 12/1997  Kraslavsky ............. 370/254
5,790,... *  ../1998  ...istanizadeh et al. .. (remainder of entry illegible in scan)
5,819,042 * 10/1998  Hansen ................. 709/222
5,845,077 * 12/1998  Fawcett ................ 709/221

* cited by examiner

Primary Examiner—Saleh Najjar
(74) Attorney, Agent, or Firm—Blakely, Sokoloff, Taylor & Zafman

(57) ABSTRACT

The present invention discloses a system for upgrading the software contents of a network interface device connecting a client computer system to an external network. The network interface device is configured for the client system by automated procedures and protocols initiated from a remote server. Software programs within the network interface device provide transparent communication between the client computer system and services available on the external network. Similar software programs and a configuration database within the network interface device provide transparent communication between the client computer system and the remote server.

19 Claims, 15 Drawing Sheets

[Representative drawing on the front page: the FIG. 10 upgrade flowchart, reproduced on Sheet 11 of 15 below.]
U.S. Patent    May 8, 2001    Sheet 1 of 15    US 6,230,194 B1

FIG. 1 (PRIOR ART): block diagram of a client network connected to an internet. Labels: INTERNET SERVICE PROVIDER 104; COMMUNICATION LINE 116; NETWORK INTERFACE 108; 112; 114, 114; CLIENT NETWORK 120.
Sheet 2 of 15

FIG. 2: block diagram of the client network connected to an internet through the gateway interface device. Labels: REMOTE SERVER 206; INTERNET SERVICE PROVIDER 204; COMMUNICATION LINE 216; GATEWAY INTERFACE 208; CLIENT NETWORK 220.
Sheet 3 of 15

FIG. 3: block diagram of the gateway interface device hardware. The labels are printed rotated and came through OCR mirrored; those that can be read back are CENTRAL PROCESSING, MEMORY ADAPTER, READ ONLY MEMORY, RANDOM ACCESS MEMORY, FLASH MEMORY, MASS STORAGE DEVICE (two), POWER SUPPLY, UPS, MODEM, ETHERNET, WAN, EXPANSION INTERFACE, PANEL INTERFACE and NETWORK INTERFACE, with reference numerals in the 302-340 range. The remaining fragments are not legible.
Sheet 4 of 15

FIG. 4: the three layers of the gateway interface system software 400, each with its listed functions:
  RUNTIME 406: console-less operating system; management daemons/services for system control
  KERNEL 404: high-level hardware drivers; timing and scheduling functions; firewall support; BIOS extension for new code
  BIOS 402: low-level device drivers; diagnostics & monitor programs
Sheet 5 of 15

FIG. 5: functional block diagram of the runtime component. Labels: USER INTERFACE (numeral not legible); REMOTE SERVER 504; CONFIGURATION MANAGER 506; DIAGNOSTIC MANAGERS 514; SERVICE MANAGERS 510; SERVICES 512; SERVICE CONFIGURATION FILES 516.
Sheet 6 of 15

FIG. 6: flowchart of controlling a service through the runtime component (reference numerals 604-628 as legible).
  User requests start of transaction
  User inputs a service request through user interface
  Configuration mgr propagates request to each service mgr
  Service manager performs syntax check
    check fails: configuration mgr notifies user, ignores bad parameter
    check passes: configuration mgr adds request to transaction
  More requests?  yes: back to the service request input;  no: continue
  User requests transaction to be committed
  Configuration mgr propagates commit request to each service mgr
  Change allowed?  no: transaction is aborted;  yes: transaction is committed
Sheet 7 of 15

FIG. 7: functional block diagram of the Gateway Interface system software. Labels: USER INTERFACE; REMOTE SERVER 504; RPC LAYER; CONFIGURATION MANAGER; DATA STORE 508; SERVICE MANAGER 1, SERVICE MANAGER 2, SERVICE MANAGER 3 ... SERVICE MANAGER N (510); SERVICES 512; CONFIGURATION FILE; SYSTEM LOGGING FACILITY; DIAGNOSTIC LOG FILE; DIAGNOSTIC AGENT 1, DIAGNOSTIC AGENT 2, DIAGNOSTIC AGENT 3 (716); REPORTING MANAGER 720; ASYNCH NOTIFICATION 726; ACTIVE REPORT DATABASE. The numerals on the RPC layer and configuration file blocks did not survive extraction.
Sheet 8 of 15

FIG. 8: layout of the registration key 800, drawn as three adjacent fields with their bit widths:
  HEAD-END CHECKSUM 802 (12 bits) | GATEWAY REGISTRATION KEY 804 (56 bits) | CRC 806 (12 bits)
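FIG. 8 gives only the widths of the three fields of the 80-bit registration key. The Python below is an added illustration, not code from the patent or from Freegate: it packs a 56-bit gateway registration key between a 12-bit head-end checksum and a 12-bit CRC and verifies both fields on the way back in. The checksum function (byte sum reduced to 12 bits), the CRC-12 polynomial 0x80F, the hex-with-dashes transcription format and the sample key value are all assumptions made here; the figure specifies none of them.

```python
"""Registration key layout of FIG. 8, as an added model.

    | head-end checksum (12 bits) | gateway registration key (56 bits) | CRC (12 bits) |

Only the three field widths come from the figure.  The checksum function, the
CRC-12 polynomial, the hex transcription format and the sample key below are
assumptions made for this example; they are not the patent's algorithms.
"""

HEADEND_BITS = 12
KEY_BITS = 56
CRC_BITS = 12
TOTAL_BITS = HEADEND_BITS + KEY_BITS + CRC_BITS   # 80 bits, 20 hex digits

CRC12_POLY = 0x80F   # assumed polynomial (x^12 + x^11 + x^3 + x^2 + x + 1)


def crc12(data: bytes, poly: int = CRC12_POLY) -> int:
    """Bitwise, non-reflected CRC-12 with zero initial value (assumed parameters)."""
    crc = 0
    for byte in data:
        crc ^= byte << 4                  # line the byte up with the top of the 12-bit register
        for _ in range(8):
            if crc & 0x800:
                crc = ((crc << 1) ^ poly) & 0xFFF
            else:
                crc = (crc << 1) & 0xFFF
    return crc


def headend_checksum(key56: int) -> int:
    """Assumed head-end checksum: sum of the seven key bytes, reduced to 12 bits."""
    return sum(key56.to_bytes(7, "big")) & 0xFFF


def encode_registration_key(key56: int) -> int:
    """Build the 80-bit word the head end would hand to the ISP (FIG. 9A)."""
    if not 0 <= key56 < (1 << KEY_BITS):
        raise ValueError("gateway registration key must fit in 56 bits")
    body = (headend_checksum(key56) << KEY_BITS) | key56   # checksum + key, 68 bits
    crc = crc12(body.to_bytes(9, "big"))                    # CRC covers both leading fields
    return (body << CRC_BITS) | crc


def decode_registration_key(word: int) -> dict:
    """Split the word into its fields and verify both integrity fields.

    Raises ValueError when either check fails; the device should then refuse
    to place the call to the remote management server.
    """
    if not 0 <= word < (1 << TOTAL_BITS):
        raise ValueError("registration key must be an 80-bit value")
    crc = word & 0xFFF
    body = word >> CRC_BITS
    key56 = body & ((1 << KEY_BITS) - 1)
    checksum = body >> KEY_BITS
    if crc12(body.to_bytes(9, "big")) != crc:
        raise ValueError("CRC mismatch: key was mistyped or corrupted")
    if headend_checksum(key56) != checksum:
        raise ValueError("head-end checksum mismatch")
    return {"headend_checksum": checksum, "gateway_key": key56, "crc": crc}


def is_valid_key(word: int) -> bool:
    """True when both integrity fields check out, False when the device should reject the key."""
    try:
        decode_registration_key(word)
        return True
    except ValueError:
        return False


def format_key(word: int) -> str:
    """Assumed transcription format: 20 hex digits in groups of four, for the customer to type."""
    digits = f"{word:020x}"
    return "-".join(digits[i:i + 4] for i in range(0, TOTAL_BITS // 4, 4))


def parse_key(text: str) -> int:
    """Inverse of format_key; tolerates missing dashes and upper-case digits."""
    return int(text.replace("-", "").strip(), 16)


SAMPLE_KEY56 = 0x0123456789ABCD   # constructed sample value, not a real key


if __name__ == "__main__":
    word = encode_registration_key(SAMPLE_KEY56)
    typed = format_key(word)
    print("issued key :", typed)
    print("decoded    :", decode_registration_key(parse_key(typed)))
    # one wrong hex digit at the customer's keyboard is caught by the CRC
    typo = typed[:-1] + ("0" if typed[-1] != "0" else "1")
    print("typo valid?:", is_valid_key(parse_key(typo)))
```

The two integrity fields catch a mistyped or corrupted key at the "customer enters reg. key" step of FIG. 9A, before the device dials out; a checksum and a CRC are not authentication and do not stop a deliberately constructed key. In the flow of FIGS. 9A and 9B the binding of key to customer rests on the server side, where the remote management server authenticates the log-in, associates the customer with the device and marks the reg. key as used so it cannot be replayed.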
Sheet 9 of 15

FIG. 9A: flow diagram of initializing a gateway interface device, first part (reference numerals 902-924; the numerals appear in order on the sheet and are matched to the boxes here by that order).
  902  Customer calls a registered ISP for internet access; ISP obtains customer requirements
  904  ISP allocates address blocks, assigns domain names, and decides where to provide physical network connections
  906  ISP accesses customer reg. form and enters addresses, domain names, and connection information
  908  Customer reg. information stored in remote management server
  910  Remote management server generates a customer registration key and sends it to the ISP
  912  ISP provides the reg. key to the customer and orders gateway interface device and network service
  914  Customer receives and installs the interface device
  916  Software locates the interface device using GIP
  918  Software accesses administration web page
  920  Customer enters reg. key in appropriate entry field
  922  Interface device decodes reg. key, obtains remote management server ID and initiates call to remote management server
  924  (continues on FIG. 9B)
Sheet 10 of 15

FIG. 9B: initializing a gateway interface device, second part (entered from 922 of FIG. 9A; reference numerals 924-938 matched to the boxes by order).
  924  Interface device establishes connection to remote management server through proprietary authentication scheme
  926  Remote management server associates customer with interface device and authenticates log-in information
  928  Remote management server initiates RPC to interface device and provides encryption key; remote management server sends configuration file name to interface device
  930  Interface device initiates FTP session with remote management server to receive configuration file
  932  Interface device receives configuration file and executes configuration file script
  934  Interface device writes configuration values to configuration manager database
  936  Interface device verifies receipt of configuration (remainder of label illegible)
  938  Remote management server confirms interface device verification and marks reg. key as used
Sheet 11 of 15

FIG. 10: flowchart of upgrading a gateway interface device (reference numerals 1002-1028 as legible).
  START
  Upgrade package made available on FTP sites and registered in remote mgmt server
  Fetch time window and apply time window are associated with upgrade package
  Remote server sends notification message to interface devices
  Decision on the notification (label partly illegible, ends in "PROTOCOL"):
    REJECT UPGRADE: END
    VPN UPGRADE: continue in FIG. 11
    NO: interface device records notification message
  Interface device retrieves upgrade at fetch time
  Interface device executes pre-install script
  Interface device executes install script at apply time
  Was upgrade a success?
    no: fail into diagnostic state; notify head-end of upgrade problem (1026); notify user to reject the upgrade
    yes: interface device executes post-install script and notifies remote server of upgraded status
  END
Sheet 12 of 15

FIG. 11: flowchart of upgrading gateway interface devices that form a virtual private network (entered from the VPN UPGRADE branch of FIG. 10).
  1102  Remote server sends a notification message to headquarters branch of VPN
  1104  Headquarters branch records notification message and notifies VPN nodes of upgrade
  1106  Do all nodes accept upgrade?  no: headquarters branch notifies remote server that VPN will not upgrade; END
  1108  Headquarters branch retrieves upgrade at fetch time
  Headquarters branch sends upgrade package to each VPN node
  VPN nodes execute install script at apply time
  VPN nodes notify headquarters branch of upgrade status
  Did all VPN nodes upgrade?
    no: fail into diagnostic state; headquarters branch notifies remote server of VPN upgrade fail
    yes: headquarters branch notifies remote server of VPN upgrade
  END
Sheet 13 of 15

FIG. 12: flowchart of reconfiguring a gateway interface device (reference numerals 1202-1212).
  START
  Remote server sends a notification message to interface devices which are to be reconfigured
  Interface device records the notification message
  Interface device writes new parameters in the data store at the time specified by the apply time window
  Decision (label not legible):
    failure: notify remote server of reconfig problem; roll back to pre-config. state
    success: interface box notifies remote server of reconfigured status
  END
Sheet 14 of 15

FIG. 13: flowchart of network address determination by a client computer (reference numerals 1302-1318 as legible).
  1302  Interface device (GIP server) is configured to transmit and receive GIP broadcast messages over the client LAN
  1304  Client computer (GIP client) is configured to transmit and receive GIP broadcast messages over the client LAN to locate the gateway
  1306  Interface device queries network to determine whether there is an automatic IP address provision service available
  1308  Are IP addresses provided?
    yes: interface device assigns a provided IP address to client (1310)
    no: interface device assigns a temporary IP address to client
  1314  Interface device transmits broadcast advertisement messages over client LAN providing IP address and administrative web service URL
  1316  Client computer transmits broadcast query or acknowledgment message
  1318  Client computer receives assigned IP address and accesses administrative web service on interface device
Sheet 15 of 15

FIG. 14: block diagram of a hierarchy of key certificates for the security framework (as titled in the brief description of the drawings); no labels survived extraction.
UPGRADING A SECURE NETWORK INTERFACE

CROSS REFERENCES TO RELATED APPLICATIONS

The present application is related to the following co-pending U.S. Patent applications:

U.S. Patent application entitled, “Remotely Managed Secure Network Interface”, having application Ser. No. 08/892,522, and filed on Jul. 14, 1997;

U.S. Patent application entitled, “Initializing and Reconfiguring a Secure Network Interface”, having application Ser. No. 08/892,301, and filed on Jul. 14, 1997;

which are assigned to the assignee of the present invention.
FIELD OF THE INVENTION

The present invention relates generally to the field of computer networks, and more particularly to a method of securely upgrading a network interface device.
BACKGROUND OF THE INVENTION

The Internet is rapidly becoming an important source of information and electronic communication for users of computers in homes and businesses. A major problem associated with the Internet, however, is the difficulty faced by typical computer users in connecting their computers or local area networks to the Internet. A computer user desiring to connect to the Internet must make many critical decisions, such as which communication medium to use, which Internet Service Provider to subscribe to, how to secure their network interface, and which network services to utilize. Business managers in charge of local or wide area networks must also address questions related to the type and configuration of computer networks which are to be connected to the Internet, and other such external networks (referred to as ‘internets’). Unlike installing a new telephone system, installing an external network connection requires an understanding of many different, and often confusing, communication protocols, network services, connection media, and computer network practices.

Connecting a computer network to an internet requires a service account and a data communication line to access the various networks that make up the internet. A dedicated Wide Area Network (WAN) connection to an internet is typically provided by a commercial Internet Service Provider (ISP). The ISP acts as the intermediary between the user and the network backbone servers which provide access to the various networks within the internet. Several different data communication lines are available to connect a computer or LAN to the internet. Common data communication lines include analog modems (14.4 Kbaud-56 Kbaud), ISDN (Integrated Services Digital Network), T1 lines, Fractional T1 lines, and several others.

Obtaining an internet connection typically requires the user to order an internet account and address block from an ISP, install the appropriate phone lines for the data communication medium (e.g., ISDN line, analog phone line), install the appropriate network interface device between the data communication port and the computer which will serve as the network gateway computer, and configure the network interface device for operation with the user’s LAN and in accordance with the network services provided by the ISP. Thus, the initial configuration of the network interface device must be performed by the computer user or LAN manager himself, and often requires extensive knowledge of network protocols, internet services, and LAN requirements. Initial configuration also often involves the entry of complex configuration parameters and options in a database or storage device by the LAN manager. Similarly, an upgrade or reconfiguration of the network interface device requires the user or LAN manager to obtain the upgrade information and perform the upgrade or reconfiguration operation himself. Because no internet services or data communication systems currently provide a comprehensive and reliable means of automatically configuring or updating a network interface connection to an internet, internet access remains a significant challenge to those who lack the requisite expertise or resources to undertake the task.

It is therefore desirable to provide a system for connecting a computer or client network to the internet with minimal user interaction. It is further desirable to provide a system for automatically upgrading or reconfiguring a network interface connection between a computer or client network and an internet.
SUMMARY OF THE INVENTION

The present invention discloses a method and apparatus for initializing, configuring, and upgrading a network interface between a client computer network and an external network.

According to one aspect of the present invention, a network interface device is provided to connect a client computer network to an external network. The network interface device is provided to the client user in an initially unconfigured state. The network interface device is configured for the client system by automated procedures and protocols initiated from a remote server. The remote server provides and maintains the client information in a secure database. The use of a secure database and automated procedures minimizes the amount of input required from the user. The network interface device contains application program interfaces which facilitate communication between the client computer system and services available on the external network. The network interface device also contains a configuration database which stores data and parameters related to the configuration of the network interface device. Through the use of the configuration database and the resident application program interfaces, the remote server is able to automatically upgrade or reconfigure the network interface device without user intervention.

Other features of the present invention will be apparent from the accompanying drawings and from the detailed description which follows.
BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals indicate similar elements and in which:

FIG. 1 illustrates a prior art interface between a client network and an internet.

FIG. 2 illustrates the interface between a client network and an internet according to one embodiment of the present invention.

FIG. 3 is a block diagram illustration of hardware components of the Gateway Interface Device according to one aspect of the present invention.

FIG. 4 illustrates the basic components of the Gateway Interface system software.

FIG. 5 is a functional block diagram of the runtime component of the system software.

FIG. 6 is a flowchart illustrating the process of controlling a service using the runtime component illustrated in FIG. 5.

FIG. 7 is a functional block diagram illustrating the software components of the Gateway Interface system.

FIG. 8 illustrates a registration key to encode user registration information according to one embodiment of the present invention.

FIGS. 9A and 9B are a flow diagram illustrating the procedure of initializing a Gateway Interface Device according to one aspect of the present invention.

FIG. 10 is a flow diagram illustrating the procedure of upgrading a Gateway Interface Device according to one aspect of the present invention.

FIG. 11 is a flow diagram illustrating the procedure of upgrading a Gateway Interface Device that is part of a virtual private network according to one aspect of the present invention.

FIG. 12 is a flow diagram illustrating the procedure of reconfiguring a Gateway Interface Device according to one aspect of the present invention.

FIG. 13 is a flow diagram illustrating the determination of network addresses by a client computer according to one aspect of the present invention.

FIG. 14 is a block diagram illustrating an example of a hierarchy of key certificates for the security framework according to one embodiment of the present invention.
DETAILED DESCRIPTION

A system for initializing, configuring, and upgrading a network interface device coupling a client Local Area Network (LAN) to a Wide Area Network (WAN) is described. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

In one embodiment, the steps of the present invention are embodied in machine-executable instructions. The instructions can be used to cause a general-purpose or special-purpose processor which is programmed with the instructions to perform the steps of the present invention. Alternatively, the steps of the present invention might be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.

Present methods of interfacing a client LAN to an external network involve installing special data communication lines and network interface devices, and configuring these devices at the client site. FIG. 1 illustrates a typical prior art connection between a client network and an external network. Client network 120 includes a local area network (LAN) 110 containing several network client computers 114. LAN 110 also contains a gateway computer 112 which connects LAN 110 to an external network, such as an internet. LAN 110 may be a network consisting of a number of computers connected in an Ethernet network, a token ring network, an FDDI network, or any similar type of network arrangement. LAN 110 could also consist simply of one computer, such as computer 112, for which external network access is required. LAN 110 interfaces to outside networks through a network interface device 108 connected to gateway computer 112. In other network environments, LAN 110 may interface directly with network interface 108 without passing through a gateway computer 112. In typical home or office situations, network interface 108 can be a modem, an ISDN (Integrated Services Digital Network) interface box, or the like, and can be an interface card within gateway computer 112, or a standalone device which is kept separate from LAN 110 and gateway computer 112, such as in a separate phone closet or other isolated environment. Network interface 108 provides the connection to an internet over communication line 116. Current internet service for client networks is typically provided by a commercial Internet Service Provider, such as ISP 104. ISP 104 provides the necessary routers and gateway devices for connection to the internet from a client network, and provides various protocol and packet switching functions. Thus, LAN 110 in client network 120 connects to an internet via communication line 116 through an ISP.

In prior art network connection environments such as that illustrated in FIG. 1, ISP 104 simply provides the addresses and logical interface between client network 120 and the internet. The client user is required to install, configure, and maintain the network interface 108 and the interface to the telephone company 106. This requires that the LAN manager for the client network 120 have knowledge of the client LAN environment, as well as required protocol and interface information and various configuration parameters. As the types of network connectivity and the number of services available through the Internet increase, the task of installing, configuring, and maintaining a network interface to the Internet, and other such external networks, becomes more complicated. This increase in network interface complexity results in an increased possibility of improper network access which may cause unreliable service or insecure network connections. Thus, a distinct disadvantage associated with prior art network access scenarios is that the LAN manager for a client network must personally configure and maintain increasingly complex parameters related to both the LAN network protocols and the various network services.

In one embodiment of the present invention, the various physical network interface devices, security functions, and service interfaces are replaced by a single integrated network interface device, hereinafter referred to as a ‘gateway interface device’. This integrated gateway interface device provides a single point of connectivity for various different types of data communication lines, such as Ethernet and ISDN, and contains a configuration database for the storage of parameters associated with the operation of the network interface. The gateway interface device also contains application program interfaces (APIs) for transparent communication between the client LAN and various internet services. The gateway interface device further provides connectivity to a remote server process which provides remote initialization, configuration, and upgrades of the gateway interface device without necessitating extensive user interaction.
FIG. 2 illustrates an improved internet network access of the present invention utilizing the gateway interface device. Like the client network 120 of FIG. 1, client network 220 typically consists of a LAN environment 210 in which several personal or mini-computers are connected through network lines or hubs in a network arrangement. In the present invention, the simple network interface 108 of FIG. 1, which is typically a passive device configurable only from client network 120 through gateway computer 112, is replaced by a gateway interface device 208. Gateway interface device 208 provides the physical and logical connection between LAN 210 and an external network, such as an internet. Data communication ports provided by gateway interface device 208 may include interfaces for analog modems, Ethernet, ISDN, T1 connections, and the like. Gateway interface device 208 also provides an interface to the remote servers and services provided in the present invention. This second means of access allows a secondary service provider to remotely configure, upgrade, and maintain diagnostics related to the network interface. It also facilitates the downloading of configuration parameters, a task which was traditionally left to the client LAN manager. Gateway interface device 208 also provides an efficient means to implement network security such as firewall functions, as well as other router and server functions.

The remote server 206 represents a central facility for providing convenient and efficient configuration and maintenance of the gateway interface device. In one embodiment of the present invention, the remote server 206 (hereinafter referred to as the “remote management server”) is connected to ISP 204 and maintains a dynamic dialog with ISP 204 to configure and maintain gateway interface device 208 in client network 220. Remote management server 206 interacts with gateway interface device 208 to provide configuration information and upgrade parameters required by the gateway interface device 208. In this manner, remote management server 206 basically serves as a repository for information required by the gateway interface device 208. Such information may include configuration information related to LAN 210, internet address blocks, internet domain names, and data related to the physical and logical interfaces between the client network 220 and ISP 204.

Gateway interface device 208 contains a configuration manager which stores the configuration information transmitted from the remote management server 206. Gateway interface device 208 also contains service adapters which communicate with network services resident in the gateway interface device 208. The service managers are application programming interfaces that provide the required command and data translation for the various services available.

Remote management server 206 and gateway interface device 208 contain security information such as passwords and encryption keys that are used to establish a trust relation sufficient to ensure secure remote configuration and upgrade of gateway interface device 208. By providing a configuration management function within remote management server 206 which is registered with an ISP 204, it is possible to download configuration and upgrade information and parameters to gateway interface device 208 at the time the gateway interface is first installed between the client network 220 and the telephone client 204. This eliminates the requirement that the network administrator program the network interface device with such configuration and initialization information. This system thus greatly reduces the amount of work required to connect client network 220 to an internet.
`Gateway Interface Device Hardware
`FIG. 3 is a block diagram illustrating representative
`hardware components within gateway interface device 208
`of FIG. 2. Gateway interface device 208 includes central
`processing unit 316 coupled through a bus 302 to random
`access memory (RAM) 306, read-only memory (ROM) 308
`and mass storage device 310. In one embodiment of the
`present invention, two mass storage devices 310 and 312 are
`used to provide redundant storage. Mass storage devices 310
`and 312 can be any type of memory device which provides
`persistent storage of large amounts of data such as hard disk
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6
`drives, tape drives, or memory cards. In one embodimentof
`the present invention, mass storage devices 310 and 312 are
`removable devices which can be moved from gateway
`interface device 208 to another similar gateway interface
`device, or removed for replacement by other like mass
`storage devices with either updated or different data or
`programs. Mass storage devices 310 and 312 may be
`installed and configured in a mirrored arrangement, such
`that identical data is written simultaneously to both drives.
`This allows a redundant backup functionality such that if
`one massstorage device fails, the other mass storage device
`can be automatically and quickly substituted since it con-
`tains the same data contained in the first mass storage
`device. Gateway interface device 208 also contains non-
`volatile memory in the form of flash memory 304. Flash
`memory 304 stores critical system parameters and may be
`upgraded remotely from a remote server such as remote
`management server 206.
`Also coupled to bus 302 is an expansion interface 320.
`Expansion interface 320 provides physical and logical lines
`which allow for the installation of industry standard expan-
`sion cards to expand the functionality of the gateway inter-
`face device 208. Such expansion functions could include
`additional memory capacity or an alternate network inter-
`face means. Gateway interface device 208 interfaces to
`external networks through a network interface port 314. In
`one embodimentof the present invention, network interface
`314 includes four separate network interface connections
`and standards. Network interface 314 provides access to
`modem port 326, WAN interface 324, and Ethernet port 322.
`In one embodiment of the present invention, two Ethernet
`ports are provided by network interface 314.
Panel interface 318 provides the main physical interface between the user and gateway interface device 208. In one embodiment of the present invention, panel interface 318 is coupled to a front panel display and control system 330. Display and control system 330 contains two LEDs (light emitting diodes) 334 and 336, as well as push button switch 332. Push button switch 332 serves as an on/off switch as well as a high-level reset switch. If the gateway interface device is powered up and switch 332 is pressed for less than five seconds, it executes a diagnostic process. If the gateway device is powered up and switch 332 is pressed for more than five seconds, it restarts the gateway interface device. Thus switch 332 allows a user to activate certain diagnostic routines and it provides a reset function in case of a hardware failure of the gateway interface device 208. LEDs 334 and 336 provide an indication of particular operational functions of the gateway interface device 208. Functions that are monitored by LEDs 334 and 336 may include the condition of the client LAN 210, the condition of the physical or logical connections between the client LAN 210 and the telephone company switch box, as well as the internal operation of the gateway interface device 208. The uncomplicated front panel display and control system 330 promotes the ease of use pursued by the present invention. The single push-button switch 332 provides a straightforward means of interaction with the gateway interface device, and dual LEDs provide a simple notification to the user in the event of a failure related to the primary virtual user interface.
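The short-press/long-press behaviour of switch 332 described above, written out as an added firmware-style example in C (this is not code from the patent or from Freegate): it debounces the switch input, times the hold, and reports a diagnostic action for a press shorter than five seconds or a restart action for a longer one, while doing nothing when the unit is not powered up. The sample period, the debounce interval, the treatment of a hold of exactly five seconds, and the simulate_press helper used to drive the handler are all assumptions made for the example.

```c
/* Added example, not from the patent: a handler for a single push button that
 * runs diagnostics on a short press (< 5 s) and restarts the device on a long
 * press (> 5 s), as described for switch 332. Debounce interval, sample period
 * and the exactly-5-s boundary are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HOLD_THRESHOLD_MS 5000u   /* from the text: five seconds */
#define DEBOUNCE_MS         50u   /* assumption: contact-bounce filter */

typedef enum { ACTION_NONE, ACTION_DIAGNOSTIC, ACTION_RESTART } button_action_t;

typedef struct {
    bool     powered_up;      /* the switch only has meaning while the unit is powered */
    bool     stable_level;    /* debounced switch level (true = pressed) */
    bool     raw_level;       /* last raw sample seen */
    uint32_t raw_since_ms;    /* time at which raw_level last changed */
    uint32_t press_start_ms;  /* time at which the debounced press began */
} button_state_t;

void button_init(button_state_t *s, bool powered_up) {
    s->powered_up = powered_up;
    s->stable_level = false;
    s->raw_level = false;
    s->raw_since_ms = 0;
    s->press_start_ms = 0;
}

/* Feed one sample of the switch input taken at time now_ms. An action is
 * reported exactly once, on the debounced release, based on how long the
 * button was held. Glitches shorter than DEBOUNCE_MS never become a press. */
button_action_t button_sample(button_state_t *s, bool level, uint32_t now_ms) {
    if (!s->powered_up)
        return ACTION_NONE;

    /* Track raw transitions; a level is accepted only once it has held for DEBOUNCE_MS. */
    if (level != s->raw_level) {
        s->raw_level = level;
        s->raw_since_ms = now_ms;
        return ACTION_NONE;
    }
    if (level == s->stable_level || (now_ms - s->raw_since_ms) < DEBOUNCE_MS)
        return ACTION_NONE;

    s->stable_level = level;
    if (level) {                        /* debounced press: start timing */
        s->press_start_ms = now_ms;
        return ACTION_NONE;
    }
    /* debounced release: classify by hold duration */
    uint32_t held_ms = now_ms - s->press_start_ms;
    if (held_ms < HOLD_THRESHOLD_MS)
        return ACTION_DIAGNOSTIC;
    return ACTION_RESTART;              /* assumption: exactly 5000 ms counts as a long press */
}

/* Assumed helper: simulate a press held for hold_ms with a 10 ms sample
 * period and return the action reported on release (ACTION_NONE if none). */
button_action_t simulate_press(bool powered_up, uint32_t hold_ms) {
    button_state_t s;
    button_init(&s, powered_up);
    button_action_t result = ACTION_NONE;
    uint32_t t = 0;

    for (; t < 200; t += 10)                 /* idle so the released state is established */
        button_sample(&s, false, t);
    uint32_t press_at = t;
    for (; t < press_at + hold_ms; t += 10)  /* button held */
        button_sample(&s, true, t);
    for (uint32_t end = t + 200; t < end; t += 10) {   /* released, wait for debounce */
        button_action_t a = button_sample(&s, false, t);
        if (a != ACTION_NONE)
            result = a;
    }
    return result;
}

static const char *action_name(button_action_t a) {
    return a == ACTION_DIAGNOSTIC ? "diagnostic" : a == ACTION_RESTART ? "restart" : "none";
}

int main(void) {
    printf("2 s press, powered:   %s\n", action_name(simulate_press(true, 2000)));
    printf("7 s press, powered:   %s\n", action_name(simulate_press(true, 7000)));
    printf("30 ms glitch:         %s\n", action_name(simulate_press(true, 30)));
    printf("7 s press, unpowered: %s\n", action_name(simulate_press(false, 7000)));
    return 0;
}
```

The action is reported on release rather than on the press so that the hold time is known when the decision is made; a contact glitch shorter than the debounce interval is dropped entirely, which keeps switch bounce from triggering a diagnostic run.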

System power to the gateway interface device 208 is supplied through power supply 340. Power supply 340 provides the various voltage levels (e.g., 12 VDC, 5 VDC, and 3.3 VDC) that may be required by the different devices within the gateway interface device 208. Connected to power supply 340 is an uninterruptable power supply (UPS) battery 344. In one embodiment of the present invention, UPS battery 344 is a small compact unit which provides a charge sufficient only to keep gateway interface device 208 powered up for a smooth shutdown in the event of a hardware or network problem. A smooth