REGISTER  |  SIGN IN
United States Patent7222359
Freund , ; et al.May 22, 2007
Title
System methodology for automatic local network discovery and firewall reconfiguration for mobile computing devices
Abstract
A system providing methodologies for automatically detecting when a computing device is plugged into a new network is described. The system includes methods for detecting a connection to a new network by receiving notice of, and evaluating, changes to an existing network configuration. The system profiles and generates an identity for the new network. This includes collecting information about the network to uniquely identify it and generating a unique identifier for the network. Once a network has been profiled, a user may decide whether or not to include it as part of a trusted zone. Alternatively, this decision may be guided by policy established by a system administrator or user. The system automatically reconfigures a firewall to include or exclude the network from the trusted zone based upon this decision. The profile of each network is stored so that the next time the device is connected to the same network it remembers the network and applies the same security settings previously adopted. The stored profile also facilitates the detection of changes to the network configuration or the connection to a new network.
Inventors:Freund; Gregor (San Francisco, CA), Haycock; Keith  (San Francisco, CA), Hermann; Conrad  (Oakland, CA)
Assignee:Check Point Software Technologies, Inc. (Redwood City, CA)
Appl. No.:10/003,161
Filed:November 14, 2001
PCT Pub Date:May 22, 2007
Current U.S. Class:726/3 709/227 
Current International Class:G06F 7/04 (20060101)
Field of Search:709/225,227,249,250,253 710/36,8,104-105,107 726/3
U.S. Patent Documents
20010002204May 2001Jebens et al.
20030023725January 2003Bradfield et al.
20030050973March 2003Tracton et al.
20050088980April 2005Olkkonen et al.
4295039October 1981Stuckert
4914586April 1990Swinehart et al.
5241594August 1993Kung
5430793July 1995Ueltzen et al.
5434918July 1995Kung et al.
5475817December 1995Waldo et al.
5557654September 1996Maenpaa
5586260December 1996Hu
5588059December 1996Chandos et al.
5602918February 1997Chen et al.
5603031February 1997White et al.
5623601April 1997Vu
5655148August 1997Richman et al.
5710884January 1998Dedrick
5740361April 1998Brown
5764887June 1998Kells et al.
5815574September 1998Fortinsky
5828833October 1998Belville et al.
5832211November 1998Blakley et al.
5838903November 1998Blakely et al.
5857191January 1999Blackwell et al.
5864665January 1999Tran
5875296February 1999Shi et al.
5881230March 1999Christensen et al.
5987611November 1999Freund
6065040May 2000Mima et al.
6075860June 2000Ketcham
6105100August 2000Dean et al.
6141755October 2000Dowd et al.
6233618May 2001Shannon
6233688May 2001Montenegro
6269399July 2001Dyson et al.
6470378October 2002Tracton et al.
6550012April 2003Villa et al.
6678827January 2004Rothermel et al.
6681232January 2004Sistanizadeh et al.
6738908May 2004Bonn et al.
6957263October 2005Galou et al.
6976087December 2005Westfall et al.
6988208January 2006Hrabik et al.
7017183March 2006Frey et al.
Primary Examiner: Smithers; Matthew
Attorney, Agent or Firm:Smart; John A. Riddle; G. Mack
Claims

What is claimed is:
1. A method for a mobile client device to regulate access to different networks that the client device may be connected to, the method comprising: automatically obtaining information to identify adapters connected to a particular client device and networks to which said adapters are connected; automatically generating a profile for each network, including a current network to which said particular client device is connected; automatically comparing said profile of said current network to previously generated profiles to determine if said particular client device has previously connected to said current network; and if said particular client device has previously connected to said current network, automatically applying security settings previously utilized for said current network for regulating access to said current network.

2. The method of claim 1, further comprising: determining the security settings to be applied for said current network if said particular client device has not previously connected to said current network; and applying said security settings for regulating access to said current network.

3. The method of claim 2, further comprising: storing said security settings for said current network; and automatically applying said security settings when said particular client device subsequently connects to said current network.

4. The method of claim 2, wherein said step of determining the security settings to be applied for said current network includes applying an established policy.

5. The method of claim 4, wherein said established policy includes treating a current network to which said device has not previously connected as untrusted.

6. The method of claim 4, wherein said established policy includes treating a current network to which said device has not previously connected as trusted.

7. The method of claim 4. wherein said established policy includes obtaining user input regarding said security settings.

8. The method of claim 7, wherein said established policy includes security settings to be applied when said user input is not obtained.

9. The method of claim 1, wherein said security settings are applied to a firewall module for regulating access to said current network.

10. The method of claim 1, wherein said step of obtaining information to identify adapters and networks is initiated each time said particular client device is connected to a network.

11. The method of claim 1, wherein information to identify adapters and networks is obtained from an operating system kernel facility.

12. The method of claim 11, wherein changes to network information in said operating kernel facility are examined to determine if an adapter's configuration has changed.

13. The method of claim 11, wherein changes to network information in said operating kernel facility are examined to determine if said current network has changed.

14. The method of claim 1, wherein a list of all adapters is constructed upon connection of said particular client device to a network.

15. The method of claim 14, wherein each said adapter's network configuration is constructed upon connection of said particular client device to a network.

16. The method of claim 14, wherein a profile of all adapters and said adapters' network configuration is constructed each time said particular client device is connected to a network.

17. The method of claim 16, wherein said profile of an adapter includes a selected one or more of: connection method, physical address, IP address, subnet mask, and gateway IP address.

18. The method of claim 16, wherein said profile of an adapter's network configuration includes a selected one or more of: network IP address, network mask, gateway MAC address, and connection name.

19. The method of claim 1, wherein a profile of said adaptors and networks connected to said adapters is constructed each time a change in said adapters' network configuration is detected.

20. The method of claim 1, wherein a network is identified by connection name if said network is a dialup connection with a resolvable connection name.

21. The method of claim 1, wherein a network is identified by connection name if said network is a PPP over Ethernet (PPPoE) connection with a resolvable connection name.

22. The method of claim 1, wherein a network is identified by gateway IP address and subnet mask if said network is an Ethernet network with a public IP address.

23. The method of claim 1, wherein a network is identified by gateway IP address, subnet mask and physical address if said network is an Ethernet network with a private IP address.

24. The method of claim 23, wherein said physical address is a MAC address.

25. The method of claim 1, wherein a network is identified by gateway IP address and subnet mask if said network is a token ring network.

26. The method of claim 1, wherein a network is identified by gateway IP address and subnet mask if said network is an infrared network.

27. The method of claim 1, wherein a unique identifier is assigned to each network that is profiled.

28. The method of claim 27, wherein said unique identifier is based upon a selected one or more of connection name, gateway IP address, subnet mask and physical address.

29. The method of claim 27, wherein each said unique identifier is stored.

30. The method of claim 27, wherein said unique identifier for a current network that is identified is compared to prior identifiers to determine if said particular client device has previously connected to said current network.

31. A method for a mobile device to identify different networks to which said device is connected, the method comprising: automatically obtaining information to identify adapters connected to said device and current networks to which said adapters are connected; automatically generating a profile for said current networks, including a current network to which said device is connected; automatically comparing said profile of said current network to which said device is connected to prior profiles to determine if said device has previously connected to said current network; and if said device has not previously connected to said current network, automatically notifying the device's user of a new connection to said current network.

32. The method of claim 31, further comprising: if said device has not previously connected to said current network, obtaining user input on particular security settings to be applied for said current network.

33. The method of claim 32, further comprising: applying said security settings to regulate access to said device.

34. The method of claim 33, wherein said security settings are applied to a firewall module for regulating access to said device.

35. The method of claim 32, further comprising: storing said security settings; and applying said security settings when said device subsequently connects to said current network.

36. The method of claim 31, further comprising: if said device has previously connected to said current network, applying any security settings previously utilized for said current network for regulating access to said device.

37. The method of claim 31, wherein said profiles of said current networks are used by a policy management application.

38. The method of claim 31, wherein said profiles of said current networks are used by a security management application.

39. The method of claim 31, wherein said profiles of said current networks are used by an end point security product to regulate access to said device.

40. A method for a mobile device to identify different networks to which said device is connected, the method comprising: automatically obtaining information to identify a current network to which said device is connected; automatically generating a profile for said current network; automatically comparing said profile of said current network to previously generated profiles to determine if said device has previously connected to said current network; and if said device has not previously connected to said current network, automatically treating said current network as untrusted for purposes of regulating access to said device.

41. The method of claim 40, wherein a firewall module regulates access to said device.

42. The method of claim 40, further comprising: notifying the device's user if said device has not previously connected to said current network.

43. The method of claim 42, further comprising: obtaining user input on particular security settings to be applied to regulate access to said device.

44. The method of claim 43, further comprising: automatically applying said security settings to a firewall module to regulate access to said device.

45. A method for a mobile device to identify different networks to which said device is connected, the method comprising: automatically obtaining information to identify a current network to which said device is connected; automatically generating a profile for said current network; automatically comparing said profile of said current network to previously stored profiles to determine if said device has previously connected to said current network; and if said device has not previously connected to said current network, automatically treating said current network as trusted for purposes of regulating access to said device.

46. The method of claim 45, wherein a firewall module regulates access to said device.

47. The method of claim 45, further comprising: notifying the devise's user if said device has not previously connected to said current network.

48. The method of claim 47, further comprising: obtaining user input on particular security settings to be applied to regulate access to said device.

49. The method of claim 48, further comprising: automatically applying said security settings to a firewall module to regulate access to said device.

50. A system for a mobile device to identify different networks to which said device is connected and regulate access to said device, the system comprising: a network information engine for automatically obtaining and processing information on networks to which said device is connected; a network information data structure for storing said information automatically collected on said networks, said information uniquely identifying each network, including uniquely identifying local networks having duplicate network addresses; and a zone configuration module for establishing security settings to regulate access to said device, said security settings being applied automatically in a manner to regulate access to said device based on which uniquely-identified network said device is currently connected to.

51. The system of claim 50, wherein said network information engine constructs a list of all connected adapters upon connection of said device to a network.

52. The system of claim 51, wherein said network information engine constructs a list of all networks connected to said adapters upon connection of said device to a network.

53. The system of claim 51, wherein said network information engine constructs a list of all adapters and networks to which said adapters are connected each time a change in network connection is detected.

54. The system of claim 50, wherein said network information engine obtains information to identify adapters connected to said device from an operating system kernel facility.

55. The system of claim 54, wherein said network information engine obtains information to identify networks connected to said adapters from said operating system kernel facility.

56. The system of claim 54, wherein changes to network information in said operating kernel facility are examined to determine if a current network to which said device is connected has changed.

57. The system of claim 50, wherein said network information engine identifies a network by connection name if said network is a dialup connection with a resolvable connection name.

58. The system of claim 50, wherein said network information engine identifies a network by connection name if said network is a PPPoE connection wit a resolvable connection name.

59. The system of claim 50, wherein said network information engine identifies a network by gateway IP address and subnet mask if said network is an Ethernet network with a public IP address.

60. The system of claim 50, wherein said network information engine identifies a network by gateway IP address, subnet mask and physical address if said network is an Ethernet network with a private IP address.

61. The system of claim 60, wherein said physical address is a MAC address.

62. The system of claim 50, wherein said network information engine identifies a network by gateway IP address and subnet mask if said network is a token ring network.

63. The system of claim 50, wherein said network information engine identifies a network by gateway IP address and subnet mask if said network is an infrared network.

64. The system of claim 50, wherein said network information engine assigns a unique identifier to each network.

65. The system of claim 64, wherein said network information engine constructs said unique identifier based upon a selected one or more of connection name, gateway IP address, subnet mask and physical address.

66. The system of claim 64, wherein each said unique identifier is stored in said network information data structure.

67. The system of claim 64, wherein each said unique identifier is stored in a database.

68. The system of claim 64, wherein said network information engine compares said unique identifier for a current network to previously stored identifiers to determine if said device has previously connected to said current network.

69. The system of claim 50, wherein said zone configuration module stores security settings for regulating access to said device.

70. The system of claim 69, wherein said security settings include whether to treat a network as trusted.

71. The system of claim 69, wherein said security settings include whether to treat a network as untrusted.

72. The system of claim 69, wherein said security settings include treating a current network to which said device has not previously connected as untrusted.

73. The system of claim 69, wherein said security settings include obtaining user input regarding the security settings to be applied for a network.

74. The system of claim 73, wherein said security settings include rules to be applied when user input is not obtained.

75. The system of claim 50, wherein said zone configuration module stores security settings for regulating access from said device to different networks.

76. The system of claim 50, wherein said zone configuration module automatically applies said security settings to a firewall module for purposes of regulating access to said device.

77. The system of claim 50, further comprising: a firewall module for regulating access to and from said device.

78. The system of claim 77, wherein said zone configuration module automatically applies said security settings to said firewall module for purposes of regulating access to said device.
Description


RELATED APPLICATIONS

The present application is related to and claims the benefit of priority of the following commonly-owned provisional application(s): application Ser. No. 60/308,498 filed Jul. 27, 2001, entitled "Automatic Local Network Discovery and Firewall Reconfiguration Methodology for a Mobile Computing Device", of which the present application is a non-provisional application thereof. The disclosure of the foregoing application is hereby incorporated by reference in its entirety, including any appendices or attachments thereof, for all purposes.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to information processing and, more particularly, to systems and methods for regulating access and maintaining security of individual computer systems connected to local area networks (LANs) or larger open networks (Wide Area Networks or WANs), including the Internet.

2. Description of the Background Art

The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or "LANs". In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.

In traditional computing networks, a desktop computer largely remained in a fixed location and was physically connected to a single local network via Ethernet. More recently, however, an increasingly large number of business and individual users are using portable computing devices, such as laptop computers, that are moved frequently and that connect into more than one network. For example, many users now have laptop computers that are plugged into a corporate network during the day and are plugged into a home network during the evening. The number of mobile computing devices, and the networks that they connect to, has increased dramatically in recent years. Computing devices can be connected to networks at home, at work, and in numerous other locations.

In addition, various different types of connections may be utilized to connect to these different networks. A dial-up modem may be used for remote access to an office network. Various types of wireless connectivity, including IEEE (Institute of Electrical and Electronics Engineers) 802.11 and Bluetooth, are also increasingly popular. Wireless networks often have a large number of different users that are occasionally connected from time to time. Moreover, connection to these networks is often very easy, as connection does not require a physical link. For example, a user can install an 802.11 wireless transceiver on the roof of his or her home to share an Internet connection with his or her neighbors. As another example, a user can be temporarily connected to a wireless network while commuting by an office building in which the network's wireless transceiver is located. Many users also connect to an increasingly large public network infrastructure. Wireless and other types of networks are frequently provided in cafes, airports, convention centers, and other public locations to enable mobile computer users to connect to the Internet. Thus, it is becoming easier for users to connect to a number of different networks from time to time through a number of different means.

In addition, a greater number of different types of mobile devices are connecting to these networks, including laptop computers, personal digital assistants (PDAs), cell phones, and various other computing devices. These mobile devices typically move frequently from location to location and connect to different networks at different times.

One of the implications of this increasing number of mobile devices occasionally connected to different networks is that traditional corporate firewall technologies are no longer effective to protect information on a mobile device. Traditional firewall products guard a boundary (or gateway) between a local network, such as a corporate network, and a larger network, such as the Internet. These products primarily regulate traffic between physical networks by establishing and enforcing rules that regulate access based upon the type of access request, the source requesting access, the connection port to be accessed, and other factors. For example, a firewall may permit access to a particular computer on port 80, but deny remote access to other computers on the network. A firewall may also permit access from a specific IP address or range (or zone) of IP addresses, but deny access from other addresses. Different security rules may be defined for different zones of addresses.

However, mobile devices that are moving from network to network are not always connected to the same physical network. The corporate firewall provides protection when the mobile device is connected to that particular corporate network, but provides no protection when the device is connected to other networks. Traditional firewall technology guarding a network boundary does not protect against traffic that does not traverse that boundary. It does not regulate traffic between two devices within the network or two devices outside the network. In addition, a mobile user often has little knowledge or control over the security systems in place on the various networks to which he or she may be connected from time to time.

One security measure that can be implemented by a mobile user is to install a personal firewall (or end point security) product on his or her mobile device to control traffic into and out of this mobile device irrespective of the network to which he or she may be connected. A personal firewall product can regulate all traffic into and out of a particular computer or device. However, in this mobile environment it is very desirable for a user to be able to distinguish between the various networks and devices to which he or she is connecting. For example, if a user is at home, he or she most likely wants to allow very open communication with other home computers and devices. On the other hand, if the user is staying in a hotel, he or she would typically prefer much more limited communication with other computers and devices in the hotel.

In the highly mobile environment described above, a significant problem is that many local networks have the same IP addresses. IP addresses on the Internet are unique, but certain address ranges are reserved for local use and not available on the Internet (e.g., 10.10.x.x, 192.168.x.x, 172.x.x.x., etc.). Many local networks show a single address (for example, their gateway server's address) to those outside the network even though there are multiple machines on the local network. A network address translation (or NAT) mechanism routes communications from outside the network to the appropriate local machine. Within a local network, IP addresses are often dynamically assigned within particular ranges by a Dynamic Host Configuration Protocol (or DHCP) server. NAT and DHCP devices used on different networks frequently use addresses within the same range (i.e., a DHCP server on network A and a DHCP server on network B will often issue the same IP address to a machine on their own network). As a result, the IP addresses of machines and devices on local networks are not unique and, in fact, are frequently duplicated on other networks.

As an illustration of this problem, assume a woman named Alice owns a laptop computer LC1, which was supplied to her by her employer. At home, Alice normally plugs the laptop into her home network N1, which is served by her home-based NAT-enabled router R1. This Ethernet network connects R1, LC1, and the other computers in her home (PC1 and PC2) together into one network. Because R1 is also a DHCP server configured with a network address of 192.168.1.0/8 (or
192.168.1.0/255.255.255.0), the DHCP server assigns LC1, PC1, and PC2 distinct IP addresses in the subnet 192.168.1.0/8 as follows: R1: IP address=192.168.1.1 LC1: IP address=192.168.1.100; subnet mask=255,255.255.0; gateway=192.168.1.1 PC1: IP address=192.168.1.101; subnet mask=255.255.255.0; gateway=192.168.1.1 PC2: IP address=192.168.1.102; subnet mask=255.255.255.0; gateway=192.168.1.1 Alice configures her personal firewalls on LC1, PC1, and PC2 to include the subnet 192.168.1.0/8, and configures each computer's firewall rules to permit file-sharing service traffic (port 139, in Windows 98) among the computers on the local network. This allows Alice to share files between her computers, while preventing access to her files from outside the network.

When Alice takes her laptop to her office, she plugs it into a corporate network, N2, which also operates a NAT/DHCP/router R2. Although it was configured by the company's network administrator (not Alice), R2 is configured identically to Alice's home network (i.e., it provides DHCP addresses on the 192.168.1.0/8 network). Bob, Alice's coworker, uses another computer, PC3, which is plugged into the same Ethernet network N2. R2: IP address=192.168.1.1 LC1: IP address=192.168.1.105; subnet mask=255.255.255.0; gateway=192.168.1.1 PC2: IP address=192.168.1.101; subnet mask=255.255.255.0; gateway=192.168.1.1 Although Alice's laptop LC1 is plugged into a different physical network N2 containing different computers (R2, PC3), her personal firewall treats these computers as if they were attached to her home network N1 because they have the same IP addresses. This means that, as far as the firewall is concerned, Bob's computer should be able to share Alice's files. In this case, Alice may wish to permit Bob access to files on her laptop LC1, because she knows it is a company computer and contains company data.

On a business trip Alice stays in a hotel that provides in-room Internet networking. The hotel's Ethernet network N3 uses a router R3 that is configured identically to Alice's home network N1 and the corporate network N2, so when Alice plugs her laptop LC1 into the hotel's network N3, she is assigned an identical subnet mask. Staying in the same hotel is Craig, who works for a rival company. Craig also has a laptop computer LC2, which he can plug into the hotel network and obtain an IP address from the network. R3: IP address=192.168.1.1 LC1: IP address=192.168.1.109; subnet mask=255.255.255.0; gateway=192.168.1.1 LC2: IP address=192.168.1.120; subnet mask=255.255.255.0; gateway=192.168.1.1 Because the network is configured identically, Alice's personal firewall will permit access from anywhere in the hotel to her computer's file sharing services. This will permit Craig to read confidential company data from Alice's laptop computer LC1.

As illustrated above, mobile machines connecting to various different addresses cannot rely solely on IP addresses and subnet masks to identify a network or the machines and devices residing on the network. A mobile computer user clearly needs a way to permit reconfiguration of the personal firewall as his or her laptop is plugged into each network. However, the user may lack the technical skills to reconfigure the personal firewall, or may simply forget that the firewall needs to be reconfigured each time the laptop is connected to a different network.

One approach to handle this problem is to include or exclude a network from the trusted zone based on the physical adapter being used to connect to the network. Each network interface adapter attached to the network could be included or excluded from the trusted zone. This is perhaps a viable alternative in the case of desktop computers that are typically connected to the same network every day, but is not an effective alternative in the case of mobile computers as it requires the mobile computer user to use a different network adapter card in order to distinguish between networks. This is an excessive burden on mobile computer users.

As the above example illustrates, many networks that a mobile computer can encounter may have the same basic IP network settings. Mobile computers configured with a static trusted zone IP address configuration cannot distinguish between these networks. This may significantly compromise security as a computer is moved from network to network. In order to protect the security of the information on his or her mobile computing device in this environment, the user must either (1) configure an overly restrictive trusted zone (i.e., not trust anyone and prohibit sharing of information with other computers), or (2) reconfigure the firewall each time the computer is connected to a different network. The first option devalues the ability to have a trusted zone of computers that can share information. The second option requires the user to remember to reconfigure the firewall each time he or she connects to a different network and may also require more technical skill than many end-users possess.

Given the increasing number of mobile devices connecting to different networks, there is much interest in a mechanism to reliably identify networks and specify whether or not the network should be included or excluded from the trusted zone.

GLOSSARY

The following definitions are offered for purposes of illustration, not limitation, in order to assist with understanding the discussion that follows. 802.11: 802.11 refers to a family of specifications developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless LAN technology. IEEE 802.11, the disclosure of which is hereby incorporated by reference, specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. Copies of the IEEE specifications are currently available at http://www.ieee.org. There are several specifications in the 802.11 family:

802.11--applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).

802.11a--an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS.

802.11b (also referred to as 802.11 High Rate or Wi-Fi)--an extension to 802.11 that applies to wireless LANS and provides up to 11 Mbps transmission in the 2.4 GHz band. 802.11b uses only DSSS. 802.11 b is a 1999 ratification to the original
802.11 standard, allowing wireless functionality comparable to Ethernet.

802.11g--applies to wireless LANs and provides 20+Mbps in the 2.4 GHz band. Bluetooth: Bluetooth refers to a short-range radio technology aimed at simplifying communications among Net devices and between devices and the Internet. It also aims to simplify data synchronization between Net devices and other computers. Products with Bluetooth technology must be qualified and pass interoperability testing by the Bluetooth Special Interest Group prior to release. The Bluetooth 1.0 specification, the disclosure of which is hereby incorporated by reference, consists of two documents: (1) the Foundation Core, which provides design specifications, and (2) the Foundation Profile, which provides interoperability guidelines. The Bluetooth specifications are currently available at http://www.bluetooth.com.

DHCP: DHCP or Dynamic Host Configuration Protocol is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. In some systems the device's IP address can even change while it is still connected. DHCP also supports a mix of static and dynamic IP addresses. Dynamic addressing simplifies network administration because the software keeps track of IP addresses rather than requiring an administrator to manage the task. This means that a new computer can be added to a network without the need to manually assign the computer a unique IP address. Many Internet Service Providers (ISPs) use dynamic IP addressing for dial-up users.

Endpoint security: Endpoint security is a way of managing and enforcing security on each computer instead of relying upon a remote firewall or a remote gateway to provide security for the local machine or environment. End point security involves a security agent that resides locally on each machine. This agent monitors and controls the interaction of the local machine with other machines and devices that are connected on a LAN or a larger wide area network (WAN) such as the Internet in order to provide security to the machine.

HTTP: HTTP is the acronym for HyperText Transfer Protocol, which is the underlying communication protocol used by the World Wide Web on the Internet. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when a user enters a Uniform Resource Locator (URL) in his or her browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page. Further description of HTTP is available in RFC 2616: Hypertext Transfer Protocol--HTTP/1.1, the disclosure of which is hereby incorporated by reference. RFC 2616 is available from the World Wide Web Consortium (W3), and is currently available via the Internet at http://www.w3.org/Protocols/. Additional description of HTTP is available in the technical and trade literature, see e.g., William Stallings, The Backbone of the Web, BYTE, October 1996, the disclosure of which is hereby incorporated by reference.

IP Address: IP Address is an identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address. Within an isolated network, IP addresses can be assigned at random as long as each one is unique. However, connecting a private network to the Internet requires using registered IP addresses (called Internet addresses) to avoid duplicate addresses. The four numbers in an IP address are used in different ways to identify a particular network and a host on that network.

MAC Address: Media Access Control Address or MAC Address is a hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the Open System Interconnection (OSI) Reference Model is divided into two sub layers: (1) the Logical Link Control (LLC) layer, and (2) the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network media. Consequently, each different type of network media requires a different MAC layer. On networks that do not conform to the IEEE 802 standards but do conform to the OSI Reference Model, the node address is called the Data Link Control (DLC) address.

NAT: NAT or Network Address Translation is an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box located where the LAN meets the Internet makes all necessary IP address translations between the LAN and the Internet. The NAT box serves two main purposes: (1) providing a type of firewall by hiding internal IP addresses, and (2) enabling a company to use more internal IP addresses. Since these internal addresses are only used internally, there is no possibility of conflict with IP addresses used by other companies and organizations. PPPoE: PPPoE is an acronym for Point-to-Point Protocol over Ethernet. PPPoE is a specification for connecting the users on an Ethernet to the Internet through a common broadband medium, such as a single DSL line, wireless device or cable modem. Further description of PPPoE is available in RFC 2516: A Method for Transmitting PPP over Ethernet (PPPoE), the disclosure of which is hereby incorporated by reference. RFC 2516 is available from the Internet Engineering Task Force and is currently available via the Internet at http://www.ietf.org/rfc/rfc2516.txt.

Subnet: A subnet is a portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with
100.100.100. would be part of the same subnet. Dividing a network into subnets is useful for both security and performance reasons. IP networks are divided using a subnet mask. For purposes of this document, subnet will generally refer to a portion of a network that is served by the same router and to which data packets are typically exchanged via Ethernet connection. External machines and devices receiving packets that have been sent by the router are not part of the local subnet.

TCP: TCP stands for Transmission Control Protocol. TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent. For an introduction to TCP, see, e.g., RFC 793, the disclosure of which is hereby incorporated by reference. A copy of RFC 793 is currently available at http://www.ietf org/rfc.

TCP/IP: TCPIIP stands for Transmission Control Protocol/Internet Protocol, the suite of communications protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two main ones being TCP and IP. TCP/IP is built into the UNIX operating system and is used by the Internet, making it the de facto standard for transmitting data over networks. For an introduction to TCP/IP, see e.g., RFC 1180: A TCP/IP Tutorial, the disclosure of which is hereby incorporated by reference. A copy of RFC 1180 is currently available atftp://ftp.isi. edu/in-notes/rfc1180.txt.

URL: URL is an abbreviation of Uniform Resource Locator, the global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part of the address specifies the IP address or the domain name where the resource is located.

SUMMARY OF THE INVENTION

The present invention provides a system including methodologies for automatically detecting when a computer or device is plugged into a new network (or subnet). The system enables the user of the computer or device to decide whether or not he or she wants to permit the new network to be included as part of a trusted zone (i.e., a group of computers and devices amongst which information is exchanged relatively freely). Alternatively, the decision to include or exclude a newly identified network can be made by a previously established policy adopted by the user or an administrator. The system also automatically reconfigures a firewall to include or exclude the new network from the trusted zone.

The system first detects a connection to a new network by receiving notice of changes to an existing network configuration and evaluating these changes. Next, the new network is profiled and an identity is generated for the new network. The process of profiling a network involves collecting a number of items of information about the network in order to uniquely identify that specific network. This profiling process enables the system to generate a unique identifier for the network. Once a network has been identified, a user may elect whether or not that network is to be included as part of his or her trusted zone. Alternatively, the decision about whether or not to include a network as part of a trusted zone may be determined by a policy established by a system administrator or user. The new trusted zone definition, which either includes or excludes the new network, is automatically sent to the firewall for enforcement. The profile of each network is stored so that the next time the device is connected to the same network it will remember the network and apply the same security settings previously adopted for that network. The stored profile also facilitates the detection of changes to the network configuration or the connection of the device to a new network.

The system also includes configuration options that permit a system administrator or user to pre-configure the security settings of each system to identify networks that are part of the trusted zone. The system administrator or user may also pre-configure the system so that all unknown networks will be automatically excluded from the trusted zone.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer system in which software-implemented processes of the present invention may be embodied.

FIG. 2 is a block diagram of a software system for controlling the operation of the computer system.

FIG. 3 is a block diagram of the network detection and firewall reconfiguration system of the present invention.

FIG. 4 illustrates a flow chart of the operations of the network detection and firewall reconfiguration system of the present invention.

FIG. 5 illustrates a preferred zone configuration interface for configuration of the network detection and firewall configuration system.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

The following description will focus on the presently-preferred embodiment of the present invention, which is implemented in a desktop application operating in an Internet-connected environment running under a desktop operating system, such as the Microsoft.RTM. Windows operating environment running on an IBM-compatible PC. The present invention, however, is not limited to any one particular application or any particular environment. Instead, those skilled in the art will find that the system and methods of the present invention may be advantageously embodied on a variety of different platforms, including Macintosh, Linux, BeOS, Solaris, UNIX, NextStep, FreeBSD, and the like. Therefore, the description of the exemplary embodiments that follows is for purposes of illustration and not limitation.

I. Computer-Based Implementation

A. Basic System Hardware (e.g., for Desktop and Server Computers)

The present invention may be implemented on a conventional or general-purpose computer system, such as an IBM-compatible personal computer (PC) or server computer. FIG. 1 is a very general block diagram of an IBM-compatible system 100. As shown, system 100 comprises a central processing unit(s) (CPU) or processor (s) 101 coupled to a random-access memory (RAM) 102, a read-only memory (ROM) 103, a keyboard 106, a printer 107, a pointing device 108, a display or video adapter 104 connected to a display device 105, a removable (mass) storage device 115 (e.g., floppy disk, CD-ROM, CD-R, CD-RW, DVD, or the like), a fixed (mass) storage device 116 (e.g., hard disk), a communication (COMM) port(s) or interface(s) 110, a modem 112, and a network interface card (NIC) or controller 111 (e.g., Ethernet). Although not shown separately, a real-time system clock is included with the system 100,in a conventional manner.

CPU 101 comprises a processor of the Intel Pentium.RTM. family of microprocessors. However, any other suitable processor may be utilized for implementing the present invention. The CPU 101communicates with other components of the system via a bi-directional system bus (including any necessary input/output (I/O) controller circuitry and other "glue" logic). The bus, which includes address lines for addressing system memory, provides data transfer between and among the various components. Description of Pentium-class microprocessors and their instruction set, bus architecture, and control lines is available from Intel Corporation of Santa Clara, Calif. Random-access memory 102 serves as the working memory for the CPU 101. In a typical configuration, RAM of sixty-four megabytes or more is employed. More or less memory may be used without departing from the scope of the present invention. The read-only memory (ROM) 103 contains the basic input/output system code (BIOS)--a set of low-level routines in the ROM that application programs and the operating systems can use to interact with the hardware, including reading characters from the keyboard, outputting characters to printers, and so forth.

Mass storage devices 115, 116 provide persistent storage on fixed and removable media, such as magnetic, optical or magnetic-optical storage systems, flash memory, or any other available mass storage technology. The mass storage may be shared on a network, or it may be a dedicated mass storage. As shown in FIG. 1, fixed storage 116 stores a body of program and data for directing operation of the computer system, including an operating system, user application programs, driver and other support files, as well as other data files of all sorts. Typically, the fixed storage 116serves as the main hard disk for the system.

In basic operation, program logic (including that which implements methodology of the present invention described below) is loaded from the storage device or mass storage 116 into the main (RAM) memory 102, for execution by the CPU 101. During operation of the program logic, the system 100accepts user input from a keyboard 106 and pointing device 108, as well as speech-based input from a voice recognition system (not shown). The keyboard 106 permits selection of application programs, entry of keyboard-based input or data, and selection and manipulation of individual data objects displayed on the display screen 105. Likewise, the pointing device 108, such as a mouse, track ball, pen device, or the like, permits selection and manipulation of objects on the display screen. In this manner, these input devices support manual user input for any process running on the system.

The computer system 100 displays text and/or graphic images and other data on the display device 105. The video adapter 104, which is interposed between the display 105 and the system, drives the display device 105. The video adapter 104, which includes video memory accessible to the CPU 101, provides circuitry that converts pixel data stored in the video memory to a raster signal suitable for use by a cathode ray tube (CRT) raster or liquid crystal display (LCD) monitor. A hard copy of the displayed information, or other information within the system 100,may be obtained from the printer 107, or other output device. Printer 107 may include, for instance, an HP LaserJet.RTM. printer (available from Hewlett-Packard of Palo Alto, Calif.), for creating hard copy images of output of the system.

The system itself communicates with other devices (e.g., other computers) via the network interface card (NIC) 111 connected to a network (e.g., Ethernet network, Bluetooth wireless network, or the like), and/or modem 112 (e.g., 56K baud, ISDN, DSL, or cable modem), examples of which are available from 3Com of Santa Clara, Calif. The system 100 may also communicate with local occasionally-connected devices (e.g., serial cable-linked devices) via the communication (COMM) interface 110, which may include a RS-232 serial port, a Universal Serial Bus (USB) interface, or the like. Devices that will be commonly connected locally to the interface 110 include laptop computers, handheld organizers, digital cameras, and the like.

IBM-compatible personal computers and server computers are available from a variety of vendors. Representative vendors include Dell Computers of Round Rock, Tex., Compaq Computers of Houston, Tex., and IBM of Armonk, N.Y. Other suitable computers include Apple-compatible computers (e.g., Macintosh), which are available from Apple Computer of Cupertino, Calif., and Sun Solaris workstations, which are available from Sun Microsystems of Mountain View, Calif.

B. Basic System Software

Illustrated in FIG. 2, a computer software system 200 is provided for directing the operation of the computer system 100. Software system 200, which is stored in system memory (RAM) 102 and on fixed storage (e.g., hard disk) 116, includes a kernel or operating system (OS) 210. The OS 210 manages low-level aspects of computer operation, including managing execution of processes, memory allocation, file input and output (I/O), and device I/O One or more application programs, such as client application software or "programs" 201 (e.g., 201a, 201b, 201c, 201d) may be "loaded" (i.e., transferred from fixed storage 116 into memory 102) for execution by the system 100.

System 200 includes a graphical user interface (GUI) 215, for receiving user commands and data in a graphical (e.g., "point-and-click") fashion. These inputs, in turn, may be acted upon by the system 100 in accordance with instructions from operating system 210, and/or client application module(s) 201. The GUI 215 also serves to display the results of operation from the OS 210 and application(s) 201, whereupon the user may supply additional inputs or terminate the session. Typically, the OS 210 operates in conjunction with device drivers 220 (e.g., "Winsock" driver--Windows' implementation of a TCP/IP stack) and the system BIOS microcode 230 (i.e., ROM-based microcode), particularly when interfacing with peripheral devices. OS 210 can be provided by a conventional operating system, such as Microsoft.RTM. Windows 9x, Microsoft.RTM. Windows NT, Microsoft.RTM. Windows 2000, or Microsoft.RTM. Windows XP, all available from Microsoft Corporation of Redmond, Wash. Alternatively, OS 210
can also be an alternative operating system, such as the previously-mentioned operating systems.

The above-described computer hardware and software are presented for purposes of illustrating the basic underlying desktop and server computer components that may be employed for implementing the present invention. For purposes of discussion, the following description will present examples in which it will be assumed that there exists a "server" (e.g., Web server) that communicates with one or more "clients" (e.g., personal computers running Web browsers such as Netscape Navigator or Microsoft Internet Explorer). The present invention, however, is not limited to any particular environment or device configuration. In particular, a client/server distinction is not necessary to the invention, but is used to provide a framework for discussion. Instead, the present invention may be implemented in any type of system architecture or processing environment capable of supporting the methodologies of the present invention presented in detail below.

II. Automatic Local Network Discovery and Firewall Reconfiguration

A. General Design Considerations

The present invention includes a system providing methodologies for detecting and distinguishing between different networks to which a mobile computer or device is connected from time to time. The ability to detect and distinguish between networks enables different security settings to be applied by the user (or by an established security policy) depending on which network the device is connected to at that time. These security settings are then automatically applied to reconfigure the device's firewall.

Profiles of networks that have been previously detected are stored to enable identification of that same network in the future and to save the security settings previously used for that network. As new networks are identified, the user has the opportunity to choose what level of access he or she wants to permit on each network. This enables the user to reconfigure the personal firewall on his or her computer (or, in other words to apply different security settings) for each different network to which he or she is connected from time to time. Alternatively, rules can be established in advance by the user or an administrator. For example, a user may elect to exclude all new networks from the trusted zone.

New network information that is discovered can also be consulted and used in various other applications. In the currently preferred embodiment of the present invention, updated network information is consulted not only in configuration of the device's firewall, but also in several other security and policy management applications. When changes to the network are detected and network information is updated, other applications may also use the new information. For example, a security application may use the updated network information to determine whether or not to permit an application running on the local machine to access another computer.

B. Components of Network Detection and Firewall Reconfiguration System

FIG. 3 is a block diagram of an environment 300 in which the network detection and firewall reconfiguration system 330 of the present invention may be embodied. As shown on FIG. 3, environment 300 includes a zone configuration user interface
310, a database 320, a network detection and firewall reconfiguration system 330, an operating system kernel 340 and a firewall 350. Network detection and firewall reconfiguration system 330 includes a zone configuration settings data structure 331, a network information data structure 332,an OS network information API 333, an engine 334, and a firewall API 335. Each of these components will now be described in more detail. Zone configuration user interface 310 is a configuration tool that enables a user or administrator to establish security settings and apply those settings to various subnets or groups of machines. Zone configuration user interface 310 is connected to the system 330. The zone configuration settings (or security settings) established for the current network are stored in the zone configuration settings data structure 331. The zone configuration settings for particular networks or groups of machines are also persistently stored in database 320. In the currently preferred embodiment, database 320 is a hierarchical object-oriented database. However, database 320 could alternatively be a relational database, a file system, or any other form of persistent storage. Network information data structure 332 includes information about the network or networks to which a device is currently connected and also contains the profile of these networks. Information regarding networks to which a device has been connected is persistently stored in database 320.

OS network information API 333 is an interface used to obtain network information from the operating system kernel 340. For example, the OS network information API 333 may be used to obtain an IP address of a particular adapter, or multiple IP addresses of devices on a particular subnet. The OS network information API 333 is also used to determine the MAC address of any router or other gateway device that is serving the local subnet. A MAC address is a unique identification number that is assigned by the manufacturer to a specific router or device. For example, when a router sends a packet to another router, the router transmitting the packet identifies itself by both an IP address and a MAC address. Each operating system provides some facility to discover network information, including IP and MAC addresses. The OS network information API 333 enables the network detection system 330 to utilize this underlying operating system facility to obtain network information that is required to detect and profile different networks. As described below, different operating systems provide different facilities for the provision of network information.

The engine 334 receives messages regarding events and uses event handlers to process and respond to these messages. The engine 334 also sends messages to other components, for example a message through firewall API 335 to make a configuration change to firewall 350. The operations of engine 334 are described in more detail below.

Firewall API 335 is used to enable dynamic configuration of firewall 350. Firewall 350 is a firewall that includes a means to configure IP address groups, which are used to specify trusted zones and other zones. For example, using the firewall API 335, a computer or device (or a group of computers and devices) can be added to a trusted zone maintained by firewall 350 without having to change the security settings applicable to that trusted zone.

C. System Data Structures

1. Network and Adapter Configuration Information

This network information data structure contains information about the local network to which a computer is connected. It includes the following information for each network interface adapter (real or virtual):

1. Connection (OSI layers 1 2) method, such as dialup, Ethernet, wireless, VPN, AOL, RAS, Token Ring, Infrared, etc.;

2. MAC address (or other OSI layer 2 address); and

3. One or more of IP address, subnet mask or gateway IP address.

For each network (corresponding to IP/subnet/gateway IP) the following information about the network is also recorded:

1. Network IP address;

2. Network mask;

3. Gateway MAC address (if private IP); and

4. Connection name (if dialup).

2. Network Profile

The system profiles the collection of data properties necessary to distinguish one network from another where appropriate, and to recognize as identical a previously profiled network. This network profile information is stored so that an existing network profile can be recreated from the stored information and compared with the profile of a newly encountered network. The process of profiling a network is described in more detail below.

D. Operation of Network Detection and Firewall Reconfiguration System

FIG. 4 is a flow chart illustrating detailed method steps of the operations of the network detection and firewall reconfiguration system of the present invention. Initially, the system starts with no knowledge of any connected networks or adapters. At step 401, the engine constructs an initial list of adapters and networks to which these adapters are connected by obtaining information through the OS network information API. When a mobile computer or device (on which the system is installed) is connected to a different network, the engine, at step 402, uses the OS network information API and the associated operating system kernel facility to discover that an adapter has been added or removed or an adapter's network configuration has changed.

At step 403, a message is sent to the engine to notify the engine of the change in the network configuration. In steps 404 through 407, the engine receives the message including new configuration information and passes this message on to the appropriate functions of the network detection and firewall reconfiguration system. At step 408, the engine updates the network information data structures with the newly received network configuration information. After the adapter has been recognized and the network has been profiled (i.e., information regarding the network obtained and stored), at step 409 the engine decides how to handle this new network. This is accomplished by comparing the current network with the list of network profiles stored in the database.

If a new network is detected, at step 410 a message is sent to the user interface to resolve the network detection event. A dialog box is displayed to the user asking the user whether or not the new network should be added to the local zone. Alternatively, the resolution of a network detection event can be determined by a policy previously established by the user or an administrator. For example, the system may be configured to treat all newly discovered networks as untrusted. After the list of networks is updated, at step 411 the list is automatically passed to the firewall through the firewall API. The firewall is updated to contain the newly defined trusted zone, which either includes or excludes the newly discovered network. The updated network information can also be consulted by other applications as described below.

E. Details of Internal Operations of Network Detection and Firewall Reconfiguration System

The internal operations of the network detection and firewall reconfiguration system are described in more detail below, following the same method steps outlined in the flow chart attached as FIG. 4. Upon the initial connection of a mobile computer to a network, the system of the present invention (which is installed on such mobile computer) enumerates (in step 401) the adapter list from the appropriate operating system kernel facility. This allows the construction of an initial list of adapters and networks to which these adapters are connected. This adapter information is obtained through the OS network information API. When a mobile computer (on which the network detection engine is installed) is connected to a different network, at step 402, the engine uses the OS network information API and the same operating system facility to discover that the network configuration has changed.

In the currently preferred embodiment running in a Windows NT operating environment, notification of configuration changes is received from the Windows NT operating system by a filter hook that is installed on the Windows Transport Driver Interface (TDI) device's dispatch driver function. After this filter hook is installed, every invocation of the dispatch driver function will call the following filter handler function, TDIDeviceDispatch, to process the request.

TABLE-US-00001 1: NTSTATUS TDIDeviceDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) 2: { 3: if (DeviceObject) 4: { 5: NTSTATUS Status = STATUS_SUCCESS; 6: PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation (Irp); 7: DWORD dwSocketID = GetSocketID (IrpSp); 8: PDEVICE_OBJECT HookedDevice = DeviceObject; 9: 10: ... 11: 12: switch (IrpSp->MajorFunction) 13: { 14: case IRP_MJ_DEVICE_CONTROL: 15: { 16: ... 17: switch 18: (IrpSp->Parameters.DeviceIoControl.IoControlCode); 19: { 20: ... 21: case IOCTL_TCP_SET_INFORMATION_EX: 22: { 23: DWORD *pdwBuffer = 24: Irp->AssociatedIrp.SystemBuffer; 25: DWORD dwLen = 26: IrpSp->Parameters.DeviceIoControl.InputBufferLength; 27: 28: // if a buffer was provided, and the buffer is the right size 29: // 30: if ((dwLen >= sizeof(DWORD))&& 31: pdwBuffer && ((*pdwBuffer < 32) 32: || (*pdwBuffer == CL_NL_ENTITY))) 33: { 34: // Copy the parameter data into a new buffer 35: CHAR cBuffer[sizeof(VSMSG) - 36: sizeof(VSMSG_CONFIG)]; 37:
38: if (dwLen > sizeof(cBuffer)) 39: dwLen = sizeof(cBuffer); 40: 41: memcpy(&cBuffer, pdwBuffer, dwLen); 42: // pass the function call to the previous hook layer 43: // 44: Status = TDIHookDeviceCall(HookedDevice, Irp, 45: IrpSp->MajorFunction);
46: 47: // Call the TdiConfigChanged 48: // 49: Status = TdiConfigChanged(dwSocketID, &cBuffer, dwLen, Status); 50: ... 51: return Status; 52: } 53: } 54: break; 55: } 56: } 67: } 68: ... 69: } 70: ... 71: return STATUS_SUCCESS; 72: }

The above TDIDeviceDispatch function associates the request with an internal data structure used to track socket use, where relevant. The function checks to determine if the request is a request to change the network configuration. If the request is a request to change the network configuration, the function copies the parameter data and relays the request parameter data to the TdiConfigChanged function described below. The TDIDevice Dispath function also passes all requests to the original hooked driver function.

The "TdiConfigChanged" function is illustrated below.

TABLE-US-00002 1: VSTDI.C: 2: NTSTATUS __stdcall TdiConfigChanged( 3: DWORD dwSocketID, 4: PVOID pData, 5: DWORD dwDataLen, 6: NTSTATUS Status) 7: { 8: PVSMSG_CONFIG pMsg = NULL; 9: 10: if (pData && dwDataLen) 11: { 12: pMsg = 13: NewMessage(
14: pWSockHook, 15: sizeof(VSMSG_CONFIG), 16: GetCurrentProcessID( ), 17: GetCurrentThreadID( ), 18: dwSocketID, 19: 0, NM_DONT_BLOCK); 20: 21: if (pMsg) 22: { 23: pMsg->dwDataFlags |= DF_COPY_ALWAYS; 24: pMsg->dwResult = Status; 25: 26: PutMessage( 27: pWSockHook, &pMsg, 28: MCWSOCK_CONFIG_AFTER, 29: pData, dwDataLen, dwDataLen); 30: 31: FreeMessage(pWSockHook, pMsg); 32: } 33: } 34: return Status; 35:

The above "TdiConfigChanged" function is invoked by the above TDIDeviceDispatch function when a change in the network configuration is detected. In line 3, the above function passes a socket ID identifying a communication socket to be used to obtain information from the operating system. The socket ID that is specified varies depending upon the operating system on which the system is installed.

On line 10 above, "pData" and "dwDataLen" are buffers that point to a data structure. This data structure receives information from the operating system (through the above TDIDevice Dispatch function) describing the new configuration. The data structure contains a list of the adapters and a list of the new configuration for those adapters. The adapter information that is received from this operating system API call is referenced by the pData parameter.

On lines 10 through 19, if the data structure that is received contains something valid (i.e., it is not null), then "NewMessage" initializes a data structure and returns that data structure in "pMsg". The data structure is a message structure that communicates an event from the driver to the engine. If memory is allocated and the data structure is initialized (i.e., if pMsg is not null as shown on line 21), then "PutMessage" (on line 26) takes the pre-initialized data structure and fills more information into this structure, including pointers to data (pData and dwDataLen), and the type of event ("MCWSOCK_CONFIG_AFTER"). On line 27 above, "pWSockHook" is the internal data structure used to describe the client application using the driver. This data structure contains information such as the memory that has been allocated, a count of the number of clients, and other information about the client application.

The "Status" value on line 34 above is the value that the operating system returns when it has completed its own processing of the message. TdiConfigChanged is a post-filter function that filters the operating system API after the operating system processes the request for information. The Status value returned by the operating system advises whether or not the operating system may have already returned an error.

As shown in the above TdiConfigChanged function, a PutMessage function is invoked and at step 403 the message notifies the engine of the change in the configuration. The following code illustrates this engine process:

TABLE-US-00003 1: DWORD _stdcall PutMessage( 2: PHOOKREQUEST pHook, 3: LPVOID *ppMsg, 4: DWORD dwMsg, 5: LPVOID pData, 6: DWORD dwDataLen, 7: DWORD dwDataMax) 8: // 9: // allocates new message 10: // 11: // pHook client hook request structure
12: // pMsg PVSMSG - pointer to message 13: // dwMsg Message # 14: // pData extra data 15: // dwDataLen size of extra data 16: // dwDataMax size of extra data buffer 17: // 18: // return value from client 19: { 20: PBASEVSMSG pVSMsg = *ppMsg; 21: MAPDATA MData; 22: PVOID pvDataMapped = NULL; 23: DWORD dwMsgIndex; 24: 25: if (dwDataMax < dwDataLen) 26: dwDataMax = dwDataLen; 27: 28: if (pData && dwDataMax) 29: { 30: pVSMsg->pDataOld = pData; 31: 32: if ((pVSMsg->dwDataFlags & DF_DATA_MAPPED) ||
33: ((!(pVSMsg->dwDataFlags & DF_COPY_ALWAYS)) && 34: (GlobalMemory (pData)))) 35: // Already mapped into global space 36: 37: { 38: pVSMsg->pData = pData; 39: } 40: else if (pHook->wAllocCount) 41: { 42: if ((sizeof(VSMSG) - pVSMsg->dwMsgSize) >= dwDataMax) 43: { 44: char* lpcCopy = ((char*)pVSMsg) + pVSMsg->dwMsgSize; 45: memcpy (lpcCopy, pData, dwDataLen); 46: 47: pVSMsg->dwDataFlags |= (DF_DATA_COPY | DF_DATA_COPY_TO_MSG); 48: pVSMsg->dwDataFlags &= (
 
Copyright 2006-2008 Patent Looker, LLC