Purpose: Invalidity Analysis


Patent: US7739302B2
Filed: 1998-09-01
Issued: 2010-06-15
Patent Holder: (Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC
Inventor(s): Stacy Kenworthy

Title: Network attached device with dedicated firewall security

Abstract: Dedicated firewall security for a network attached device (NAD) is provided by a firewall management system integrated directly into the NAD or into a NAD server. A local area network arrangement includes a network client and the NAD and the firewall management system includes computer readable medium having computer-executable instructions that perform the steps of receiving a request for network access to the NAD from the network client, determining whether the request for network access to the NAD is authorized, and only if the request for network access is authorized, providing the network client with network access to the NAD.




Disclaimer: The promise of Apex Standards Pseudo Claim Charting (PCC) is not to replace expert opinion but to provide due diligence and transparency prior to high-precision charting. PCC conducts aggressive mapping (based on broadest reasonable, ordinary or customary interpretation and multilingual translation) between a target patent's claim elements and other documents (potential technical standard specifications or prior art in the same or in different jurisdictions), allowing a top-down, a priori evaluation with which stakeholders can assess standard essentiality (potential strengths) or invalidity (potential weaknesses) quickly and effectively before making complex, high-value decisions. PCC is designed to relieve the initial burden of proof through an exhaustive listing of contextual semantic mappings as potential building blocks towards a litigation-ready work product. Stakeholders may then use the mapping to refine a shortlisted PCC or to identify other relevant materials in order to formulate strategy and achieve further purposes.




Ground | References | Owner of the Reference | Title | Semantic Mapping | Challenged Claims
Challenged claim columns: 1 to 24 and 27 to 29
1

IEEE COMMUNICATIONS MAGAZINE. 35 (6): 164-169 JUN 1997

(Low, 1997)
Hewlett Packard Labs
Integrating Communication Services intermediary computing enterprise computer
header contains information three areas
XX
2

13TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, PROCEEDINGS. : 205-214 1997

(Niemeyer, 1997)
Computer Sciences Corporation (CSC)
Using Web Technologies In Two MLS Environments: A Security Analysis requests comprise one different security
network client network client
XXX
3

COMPUTER NETWORKS AND ISDN SYSTEMS. 30 (13): 1185-1200 AUG 3 1998

(Michard, 1998)
Institut national de recherche en informatique et en automatique (INRIA France), Conservatoire national des arts et métiers (France), System Simulation (UK), Foundation for Research & Technology – Hellas (FORTH, Ίδρυμα Τεχνολογίας και Έρευνας - ΙΤΕ Greece)
The Aquarelle Resource Discovery System data management component database records
executable instructions direct link
XX
4

SEVENTH IEEE INTERNATIONAL WORKSHOPS ON ENABLING TECHNOLOGIES: INFRASTRUCTURE FOR COLLABORATIVE ENTERPRISES (WET ICE 98). : 376-383 1998

(Caronni, 1998)
Sun Microsystems, Inc., Eidgenössische Technische Hochschule Zürich (ETH)
Efficient Security For Large And Dynamic Multicast Groups application layer group communication
network protocols third parties
XXXX
5

1997 IEEE SYMPOSIUM ON SECURITY AND PRIVACY - PROCEEDINGS. : 120-129 1997

(Guttman, 1997)
The MITRE Corporation
Filtering Postures: Local Enforcement For Global Policies network access network access
filtering means packet filter
XXXXXXXXXX
6

COMPSAC 97 : TWENTY-FIRST ANNUAL INTERNATIONAL COMPUTER SOFTWARE & APPLICATIONS CONFERENCE. : 478-481 1997

(Leu, 1997)
Institute for Information Industry, Network and Communication Laboratory, Taipei, Taiwan
Implementation Considerations For Mobile IP network destination, network protocols IP datagrams
IP addresses home address, home agent
XXXXXXX
7

IEEE INFOCOM 97 - THE CONFERENCE ON COMPUTER COMMUNICATIONS, PROCEEDINGS, VOLS 1-3. : 701-710 1997

(Sudan, 1997)
SRI International (formerly Stanford Research Institute)
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains network access, network source resource reservation
network client, IP addresses media session
XXXXXXXXX
8

BT TECHNOLOGY JOURNAL. 15 (2): 145-157 APR 1997

(Babbage, 1997)
BT Labs
Internet Phone - Changing The Telephony Paradigm? network protocol programs system architecture
IP addresses telephone network
XX
9

COMPUTER NETWORKS AND ISDN SYSTEMS. 26 (3): 357-369 NOV 1993

(Perkins, 1993)
International Business Machines Corporation (IBM)
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP filtering means existing system
network access network access
XXXXXXXXXX
10

IEEE INFOCOM 98 - THE CONFERENCE ON COMPUTER COMMUNICATIONS, VOLS. 1-3. : 1037-1045 1998

(Maltz, 1998)
Carnegie Mellon University (CMU)
MSOCKS: An Architecture For Transport Layer Mobility network access, network destination network interfaces, mobile nodes
data packet multiple network
application layer when m
XXXXXXXXXXXXX
11

IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY. 8 (1): 13-17 FEB 1998

(Serpanos, 1998)
The Foundation for Research & Technology – Hellas (FORTH, Ίδρυμα Τεχνολογίας και Έρευνας - ΙΤΕ), Aristotle University of Thessaloniki (A.U.Th. Αριστοτέλειο Πανεπιστήμιο Θεσσαλονίκης), Treasury Department, Bank of Boston
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers application layer different rates
NAD server, network access load balancing, client request
filtering comprises means video stream
XXXXXXXXXXXXX
12

1977 IEEE INTERNATIONAL PERFORMANCE, COMPUTING AND COMMUNICATIONS CONFERENCE. : 525-531 1997

(Venkatesan, 1997)
Arizona State University
Threat-adaptive Security Policy requests comprise one different security
managing means EC application
XX
13

GB2318031A

(Michael W Green, 1998)
(Original Assignee) Secure Computing LLC     

(Current Assignee)
Secure Computing LLC
Network firewall with proxy application layer application layer
different operating remote operation
network protocol programs computer program
electronic communication, network interface session manager
device interface, storage device following steps
intermediary computing remote device
XXXXXXXXXXXXX
14

US5642337A

(Orhun Oskay, 1997)
(Original Assignee) Sony Corp; Sony Electronics Inc     

(Current Assignee)
Sony Corp ; Sony Electronics Inc
Network with optical mass storage devices different operating systems data reproducing apparatus
network protocols protocol connection
electronic communication, data management component receiving requests
processing unit processing unit
storing instructions requested data
SCSI interface data request
data packet data packet
program modules data buffer
filtering means hard disk
XXXXXXXXXXXXXXXXXXX
15

US5692124A

(James M. Holden, 1997)
(Original Assignee) ITT Industries Inc     

(Current Assignee)
Micron Technology Inc
Support of limited write downs through trustworthy predictions in multilevel security of computer network communications data packet feedback message, data packet
intermediary computing, receiving requests data transfers
IP addresses source address, IP addresses
network destination n information
XXXXXXXXX
16

US5757924A

(Aharon Friedman, 1998)
(Original Assignee) Digital Secured Networks Tech Inc     

(Current Assignee)
Broadband Capital Corp
Network security device which performs MAC address translation without affecting the IP address network destination, network interface database containing information, network interface
IP addresses destination address, second IP address
data packet second data
network client, network access work layer, public key
intermediary computing, intermediary computing device other node
XXXXXXXXXXXX
17

US5655077A

(Gregory A. Jones, 1997)
(Original Assignee) Microsoft Corp     

(Current Assignee)
Microsoft Technology Licensing LLC
Method and system for authenticating access to heterogeneous computing services different operating systems, network clients having different operating systems determination means, enable access
storing instructions computer processor
network destination electronic mail
accepting requests additional user
network access network access
storage device storage device
managing means face component
managing access system network
requests comprise one d log
XXXXXXXXXXXXXX
18

US5623601A

(Hung T. Vu, 1997)
(Original Assignee) Milkway Networks Corp     

(Current Assignee)
Milkway Networks Corp ; RPX Corp
Apparatus and method for providing a secure gateway for communication and data exchanges between networks data management component potential security
intermediary computing requested service
application layer application layer
providing network access new communication
data packet data packet, IP packets
filtering means hard disk
XXXXXXXXXXX
19

US5577209A

(John M. Boyle, 1996)
(Original Assignee) ITT Corp     

(Current Assignee)
Round Rock Research LLC
Apparatus and method for providing multi-level security for communication among computers and terminals on a network network interface, electronic communication network interface, session manager
receiving requests other service
NAD server said network
network protocols ion layer
XXXXXXXXX
20

US5416842A

(Ashar Aziz, 1995)
(Original Assignee) Sun Microsystems Inc     

(Current Assignee)
Sun Microsystems Inc
Method and apparatus for key-management scheme for use with internet protocols at site firewalls SCSI interface first storage device
IP addresses destination address, source address
network access temporary address
filtering means, filtering comprises means secret value
NAD server said network
data packet second data
intermediary computing device steps b
XXXXXXXXXXXXXX
21

US5719786A

(David L. Nelson, 1998)
(Original Assignee) Micro Focus Software Inc     

(Current Assignee)
Micro Focus Software Inc ; Fluent Inc
Digital media data stream network management system processing unit continuous time, data capture
network access, network destination node request
local area local area
XXXXXXXXXXXXX
22

US5440719A

(Charles F. Hanes, 1995)
(Original Assignee) Cadence Design Systems Inc     

(Current Assignee)
Cadence Design Systems Inc
Method simulating data traffic on network in accordance with a client/server paradigm network clients client nodes, more client
network client, network protocol programs remote data
IP addresses local data
providing network access work mode
XXXXX
23

US5247670A

(Yoshifumi Matsunaga, 1993)
(Original Assignee) Fuji Xerox Co Ltd     

(Current Assignee)
Fuji Xerox Co Ltd
Network server managing means said communication network
intermediary computing service processing, requested service
processing unit processing unit
XXXXXX
24

WO9837680A2

(Robert H. Franz, 1998)
(Original Assignee) Intervoice Limited Partnership     E-mail server for message filtering and routing electronic communication preselected time period
external thereto notification means
network destination electronic mail, filter data
IP addresses address data
XXXXX
25

EP0855659A1

(Eran Gabber, 1998)
(Original Assignee) Nokia of America Corp     

(Current Assignee)
Nokia of America Corp
System and method for providing anonymous personalized browsing in a network IP addresses network address
network destination n information
NAD server said network
filtering means said key
XXXXXXX
26

EP0856974A2

(Partha P. Dutta, 1998)
(Original Assignee) AT&T Corp     

(Current Assignee)
AT&T Corp
Session cache and rule caching method for a dynamic filter network destination network destination
IP addresses destination address, source address
network protocol programs computer program
network source network source
data packet first port
XXXXXXXXX
27

EP0849680A2

(Gary W. Winiger, 1998)
(Original Assignee) Sun Microsystems Inc     

(Current Assignee)
Sun Microsystems Inc
Multilevel security port methods, apparatuses, and computer program products data management component, managing means different sensitivity
intermediary computing, network protocols security protocol
network source first destination
network protocol programs computer program
storing instructions readable program
network stack protocol header
storage device storage device
network client, network access computer code, work layer
application layer data link
XXXXXXXXXXXXXXXXX
28

WO9822886A1

(Chandrashekhar W. Bhide, 1998)
(Original Assignee) Intel Corporation     Performance optimizations for computer networks using http network access network access
intermediary computing third request
network client HTTP requests
XXXXXXXXX
29

US5781632A

(Gregory Glen Odom, 1998)
(Original Assignee) Odom; Gregory Glen     Method and apparatus for secured transmission of confidential data over an unsecured network filtering means transmission channel
receiving requests request data
XX
30

WO9816044A1

(Rakesh Prasad, 1998)
(Original Assignee) Mitel Corporation     Remote on-demand applications server IP addresses public switched telephone network
NAD server said network
XXX
31

WO9818248A1

(Prashanth Jade, 1998)
(Original Assignee) International Business Machines Corporation; Ibm United Kingdom Limited     Outside access to computer resources through a firewall storing instructions readable storage medium
network protocols communication protocol
XXX
32

GB2317539A

(Edward B Stockwell, 1998)
(Original Assignee) Secure Computing LLC     

(Current Assignee)
Secure Computing LLC
Firewall for internet access network protocol programs computer program
storing instructions readable program
electronic communication predefined time
IP addresses IP addresses
XXX
33

WO9814014A2

(Mark Andrew Collins, 1998)
(Original Assignee) Predacomm, Inc.     Reconfigurable network interface apparatus and method different operating systems, network clients having different operating systems determination means
network interface network interface
network destination external source
XXXXXX
34

WO9826548A1

(Jim Y. Li, 1998)
(Original Assignee) Whistle Communications Corporation     Automatic configuration for internet access device network client, network access Internet service provider
network protocol programs computer program
storing instructions readable program
device interface, storage device following steps
processing unit processing unit
IP addresses server address
local area local area
XXXXXXXXXXXXXXXX
35

WO9749038A1

(James P. Hughes, 1997)
(Original Assignee) Storage Technology Corporation     Policy caching method and apparatus for use in a communication device IP addresses public switched telephone network, transmission control protocol
NAD server first receiving unit
network client transport protocol
network interface network interface
network protocols network protocols
intermediary computing network device
managing access system network
network destination n information
program modules sending means
XXXXXXXXXXXXX
36

WO9727546A1

(John M. Payne, 1997)
(Original Assignee) Ex Machina, Inc.     System and method for transmission of data data packet said transmission, data packet
filtering means filtering means
network stack required number
managing access virtual address
network destination n information
SCSI interface new data
XXXXXXXXXXXX
37

WO9726734A1

(Alan J. Kirby, 1997)
(Original Assignee) Raptor Systems, Inc.     Transferring encrypted packets over a public network network interface network interface
IP addresses virtual network
XXXX
38

WO9726735A1

(Roger H. Levesque, 1997)
(Original Assignee) Raptor Systems, Inc.     Key management for network communication data packet network packets
IP addresses network address
XXXXXXXX
39

WO9724841A2

(David R. Cheriton, 1997)
(Original Assignee) Cisco Systems, Inc.     Datagram transmission over virtual circuits network access, providing network access processing step
network destination forwarding data
requests contain information to gain access overall network
IP addresses source address
data packet output ports, flow rate
XXXXXXXXXXX
40

EP0848338A1

(William Bunney, 1998)
(Original Assignee) Sony Deutschland GmbH     

(Current Assignee)
Sony Deutschland GmbH
Server providing documents according to user profiles IP addresses source address
requests comprise one d log
XX
41

US5796393A

(Bruce A. MacNaughton, 1998)
(Original Assignee) CompuServe Inc     

(Current Assignee)
Facebook Inc
System for integrating an on-line service community with a foreign service network access process request
network destination n information
XXXXXXXXX
42

WO9716023A1

(Uresh K. Vahalia, 1997)
(Original Assignee) Emc Corporation     Staggered stream support for video on demand network clients multiple client, client request
storing instructions requested data
SCSI interface data storage
application layer data link
XXXXXXX
43

WO9712321A1

(Eva Chen, 1997)
(Original Assignee) Trend Micro, Incorporated     Virus detection and removal apparatus for computer networks electronic communication processor control
network protocol programs control signals
processing unit processing unit
intermediary computing, receiving requests data transfers
device interface control output
network access, providing network access transfer data
XXXXXXXXXXXXXXX
44

WO9711443A1

(Robert Khello, 1997)
(Original Assignee) Telefonaktiebolaget Lm Ericsson (Publ)     Method and apparatus for user authentication managing access data processing circuitry
different operating, processing unit authentication program
requests comprise one different security
network source, network clients variable number
allowing access second person
XXXXXXXXXXXXX
45

US5774660A

(Juergen Brendel, 1998)
(Original Assignee) Resonate Inc     

(Current Assignee)
Resonate Inc
World-wide-web server with delayed resource-binding for resource-based load balancing on a distributed resource multi-node network application layer application layer
IP addresses network address
NAD server, network access load balancing
providing network access load balancers
data packet IP packets
network arrangement ink layer
XXXXXXXXXXXXXXXX
46

US5778178A

(Lakshmi Arunachalam, 1998)
(Original Assignee) Arunachalam; Lakshmi     

(Current Assignee)
ARUNACHALAM LAKSHMI DR
Method and apparatus for enabling real-time bi-directional transactions on a network IP addresses network address
network protocol programs id attribute
XX
47

US5790789A

(Larry Suarez, 1998)
(Original Assignee) Suarez; Larry     Method and architecture for the creation, control and deployment of services within a distributed computer environment managing means said communication network
device interface, SCSI interface exchange information, more task
network interface storing messages
requests comprise one identity service
storing instructions same compute
XXXXXXXXXX
48

US5742768A

(Giuseppe Gennaro, 1998)
(Original Assignee) Silicon Graphics Inc     

(Current Assignee)
Microsoft Technology Licensing LLC
System and method for providing and displaying a web page having an embedded menu storage device storage device
SCSI interface data storage
computer executable instructions storing code
network client, network protocol programs one action
XXXXXXX
49

WO9702734A2

(Kurt A. Dobbins, 1997)
(Original Assignee) Cabletron Systems, Inc.     Internet protocol (ip) work group routing NAD server enhanced security
network destination, network protocols IP datagrams, forward IP
IP addresses IP addresses
XXXXXXXX
50

US5799154A

(George W. Kuriyan, 1998)
(Original Assignee) MCI Communications Corp     

(Current Assignee)
Verizon Patent and Licensing Inc
System and method for the remote monitoring of wireless packet data networks network client, data management component central location
receiving requests setting means, casting step
NAD server said network
XXXX
51

US5727145A

(Dan M. Nessett, 1998)
(Original Assignee) Sun Microsystems Inc     

(Current Assignee)
Oracle America Inc
Mechanism for locating objects in a secure fashion managing access different computer
network protocol programs computer program
storing instructions readable program
device interface, storage device following steps, storage device
processing unit processing unit
SCSI interface mass storage
XXXXXXXXXXXX
52

WO9700471A2

(Gil Shwed, 1997)
(Original Assignee) Check Point Software Technologies Ltd.     A system for securing the flow of and selectively modifying packets in a computer network storage device storage device
NAD server said network
XXXX
53

US5727129A

(Robert Carl Barrett, 1998)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
International Business Machines Corp
Network system for profiling and actively facilitating user activities managing access facilitating communication
network interface network interface
network protocol programs computer program
accepting requests facilitating use
network destination n information
XXXXXXXX
54

WO9639668A1

(Adrian Toader, 1996)
(Original Assignee) Interactive Media Works, L.L.C.     Promotional and product on-line help methods via internet network destination electronic mail
allowing access allowing access
XXXX
55

US5787253A

(Timothy David McCreery, 1998)
(Original Assignee) AG Group     

(Current Assignee)
SILKSTREAM Corp
Apparatus and method of analyzing internet activity IP addresses transmission control protocol, source address
network destination n information
XXXXX
56

EP0743777A2

(Geoffrey G. Baehr, 1996)
(Original Assignee) Sun Microsystems Inc     

(Current Assignee)
Sun Microsystems Inc
System for packet filtering of data packets at a computer network interface network interface, network access network interface, third network
IP addresses network address, source address
device interface said module
storing instructions said memory
network client, network protocol programs one action
XXXXXXXXXXXXXXXXX
57

WO9635994A1

(Michael S. Finney, 1996)
(Original Assignee) Compuserve Incorporated     Rules based electronic message management system accepting requests information service
data packet said transmission
electronic communication line information
storing instructions said memory
XXXXXXXXX
58

US5787412A

(Robert M. Bosch, 1998)
(Original Assignee) Sabre Group Inc     

(Current Assignee)
PAICINES PINNACLES LLC
Object oriented data access and analysis system processing unit processing unit
network destination n information
intermediary computing device network path
XXXXXXXX
59

US5754830A

(Thomas H. Butts, 1998)
(Original Assignee) Openconnect Systems Inc     

(Current Assignee)
Openconnect Systems Inc
Server and web browser terminal emulator for persistent connection to a legacy host system and method of operation network protocols communication protocol
electronic communication socket connection
XXX
60

US5706502A

(Jill Paula Foley, 1998)
(Original Assignee) Sun Microsystems Inc     

(Current Assignee)
Oracle America Inc
Internet-enabled portfolio manager system and method external thereto software entity
network destination n information
network protocol programs id attribute
network interface, storing instructions said subset, said memory
XXXXXXX
61

US5673322A

(David Mathew Pepe, 1997)
(Original Assignee) Telcordia Technologies Inc     

(Current Assignee)
Rakuten Inc
System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks network protocol programs transmitted data
storage device first location
XXX
62

WO9716911A1

(Robert Cecil Gore, 1997)
(Original Assignee) International Business Machines Corporation; Ibm United Kingdom Limited     Secured gateway interface electronic communication socket connection
storing instructions readable program
executable instructions, computer executable instructions child process
requests comprise one d log
XXXX
63

US5671354A

(Tsutomu Ito, 1997)
(Original Assignee) Hitachi Ltd; Hitachi Computer Engineering Co Ltd     

(Current Assignee)
Hitachi Ltd ; Hitachi Computer Engineering Co Ltd
Method of assisting server access by use of user authentication information held in one of servers and a method of assisting management user account for use of servers application layer information management
intermediary computing respective server
NAD server, network clients client terminal, said network
accepting requests, requests originating one server request
IP addresses server address
requests comprise one d log
XXXXXXXX
64

US5740375A

(James W. Dunne, 1998)
(Original Assignee) Bay Networks Inc     

(Current Assignee)
Avaya Inc
Forwarding internetwork packets by replacing the destination address IP addresses destination address, network address
network client, network access work layer
network arrangement ink layer
application layer data link
XXXXXXXXXXXXXX
65

US5781550A

(Fred L. Templin, 1998)
(Original Assignee) Digital Equipment Corp     

(Current Assignee)
Hewlett Packard Enterprise Development LP
Transparent and secure network gateway application layer application layer, data link
IP addresses local address
network arrangement ink layer
XXXXXXXXXXX
66

US5790797A

(Junichi Shimada, 1998)
(Original Assignee) Fujitsu Ltd     

(Current Assignee)
Fujitsu Ltd
Load distribution system for monitoring device different operating operation control
managing means monitoring system, determined area
XX
67

US5764756A

(Arthur E. Onweller, 1998)
(Original Assignee) US West Inc     

(Current Assignee)
Qwest Communications International Inc
Networked telephony central offices network protocols communication protocol
IP addresses particular address
device interface, storage device following steps
network source said converter
NAD server said network
local area local area
data packet first port
XXXXXXXXXXXXXXXX
68

US5742763A

(Mark Alan Jones, 1998)
(Original Assignee) AT&T Corp     

(Current Assignee)
AT&T Corp
Universal message delivery system for handles identifying network presences network protocol programs id attribute
NAD server said network
accepting requests media format
different operating said handle
XX
69

US5602918A

(James F. Chen, 1997)
(Original Assignee) Virtual Open Network Environment Corp     

(Current Assignee)
SSL SERVICES LLC
Application level security system and method communication path communication path
application layer unsecured network
IP addresses private network
XXXX
70

US5761397A

(Elizabeth L. Bagley, 1998)
(Original Assignee) HP Inc     

(Current Assignee)
Hewlett Packard Development Co LP
Controlling logical channel use based upon printing system environment executable instructions executable instructions
intermediary computing, receiving requests data transfers
application layer high data
XXXXX
71

EP0713311A1

(Hung T. Vu, 1996)
(Original Assignee) Milkyway Networks Corp     

(Current Assignee)
Milkyway Networks Corp
Secure gateway and method for communication between networks IP addresses destination address
data management component potential security
intermediary computing requested service
application layer application layer
providing network access new communication
data packet data packet, IP packets
XXXXXXXXXXX
72

US5790809A

(Ralph Holmes, 1998)
(Original Assignee) MCI Corp     

(Current Assignee)
MCI Corp ; Verizon Patent and Licensing Inc
Registry communications middleware different operating systems executing applications
different operating different operating
network destination network destination, n information
IP addresses destination address
XXXXXX
73

US5793763A

(John C. Mayes, 1998)
(Original Assignee) Cisco Technology Inc     

(Current Assignee)
Cisco Technology Inc
Security system for network address translation systems network destination network destination
device interface, storage device following steps
IP addresses local address, IP addresses
XXXXXXXXXX
74

WO9613113A1

(William E. Boebert, 1996)
(Original Assignee) Secure Computing Corporation     System and method for providing secure internetwork services network access, network destination network interfaces, first work
IP addresses private network
network protocol programs second client
XXXXXXXXXXX
75

US5751914A

(Brett Angus Coley, 1998)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
International Business Machines Corp
Method and system for correlating a plurality of events within a data processing system network protocol programs computer program
NAD server said network
XX
76

US5774670A

(Lou Montulli, 1998)
(Original Assignee) Netscape Communications Corp     

(Current Assignee)
Facebook Inc
Persistent client state in a hypertext transfer protocol based client-server system NAD server said network
storing instructions said memory
XXX
77

US5623600A

(Shuang Ji, 1997)
(Original Assignee) Trend Micro Inc     

(Current Assignee)
Trend Micro Inc
Virus detection and removal apparatus for computer networks electronic communication processor control
network protocol programs control signals
processing unit processing unit
intermediary computing, receiving requests data transfers
device interface control output
network access, providing network access transfer data
XXXXXXXXXXXXXXX
78

JPH0964870A

(Hatsuo Hoshino, 1997)
(Original Assignee) Nippon Telegr & Teleph Corp <Ntt>; 日本電信電話株式会社     Network system, its operation processing method, and usage access method IP address digital network, Internet
network client client device
storage device at least
accepting requests, allow requests request
XXXXXXXXXXX
79

US5764863A

(Jeffrey E. Fall, 1998)
(Original Assignee) HP Inc     

(Current Assignee)
Hewlett Packard Development Co LP
Multiple original copy data printer data management component communicatively couple
storage device storage device
SCSI interface data storage
electronic communication, network protocol programs other port
XXXXXX
80

US5621727A

(Gregory M. Vaudreuil, 1997)
(Original Assignee) Octel Communications Corp     

(Current Assignee)
Avaya Inc
System and method for private addressing plans using community addressing IP addresses private address, global address
local area, IP address public access
XXXXXX
81

US5793762A

(John Henry Hubert Penners, 1998)
(Original Assignee) US West Advanced Technologies Inc     

(Current Assignee)
Qwest Communications International Inc
System and method for providing packet data and voice services to mobile subscribers filtering comprises means mobile terminals
network destination n information
XXXX
82

US5706507A

(Robert Jeffrey Schloss, 1998)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
Activision Publishing Inc
System and method for controlling access to data located on a content server video codec generates information
SCSI interface data request
XXXX
83

US5636371A

(Kin C. Yu, 1997)
(Original Assignee) Bull HN Information Systems Inc     

(Current Assignee)
Bull HN Information Systems Inc
Virtual network mechanism to access well known port application programs running on a single host system network client standard communication
IP addresses destination address
network interface network interface
storage device first structure
managing means face component
IP address pointer value, IP address
data packet data packet
local area local area
XXXXXXXXXXX
84

US5708780A

(Thomas Mark Levergood, 1998)
(Original Assignee) Open Market Inc     

(Current Assignee)
Soverain Ip LLC ; Open Market Inc
Internet server access control and monitoring systems intermediary computing requested service
network clients client request
network destination n information
XXXXXX
85

US5721908A

(Konrad Charles Lagarde, 1998)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
Google LLC
Computer network for WWW server data access over internet network access, network source support functions
data packet multiple network
network clients client request
local area, IP address public access
network destination n information
receiving requests other service
86

US5745754A

(Konrad Charles Lagarde, 1998)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
Google LLC
Sub-agent for fulfilling requests of a web browser using an intelligent agent and providing a report electronic communication specific functions
network access, providing network access processing step
managing access search requests
deny requests more responses
data packet said format
87

US5793964A

(Richard Michael Rogers, 1998)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
Google LLC
Web browser system network access, network source support functions
data packet multiple network, second data
local area, IP address public access
receiving requests other service
executable instructions direct link
88

US5696898A

(Brenda Sue Baker, 1997)
(Original Assignee) Nokia of America Corp     

(Current Assignee)
Nokia of America Corp
System and method for database access control network access network access
NAD server said network
89

US5692030A

(Eugene William Teglovic, 1997)
(Original Assignee) MCI Communications Corp     

(Current Assignee)
Verizon Patent and Licensing Inc
Electronic interface for exchange of trouble administration information in telecommunications application layer second interface, data link
network clients data networks
NAD server said network
data packet second data
IP addresses local data
90

US5742762A

(Thomas H. Scholl, 1998)
(Original Assignee) Telogy Networks Inc     

(Current Assignee)
Telogy Networks Inc
Network management gateway network protocol programs computer program
filtering means hard disk
91

US5650994A

(Kathleen Daley, 1997)
(Original Assignee) Verizon Services Corp     

(Current Assignee)
Verizon Patent and Licensing Inc
Operation support system for service creation and network provisioning for video dial tone networks accepting requests corresponding service, information service
network clients, communication path communication paths
receiving requests transmitting signal
network destination information source, n information
network interface network interface
network protocol programs control signals
IP addresses network address
network client user database
requests comprise one d log
92

US5699403A

(U. George Ronnen, 1997)
(Original Assignee) Nokia of America Corp     

(Current Assignee)
Nokia of America Corp
Network vulnerability management apparatus and method program modules processing module
NAD server said network
device interface said module
93

US5555290A

(Clark E. McLeod, 1996)
(Original Assignee) MCI Communications Corp     

(Current Assignee)
Verizon Patent and Licensing Inc
Long distance telephone switching system with enhanced subscriber services accepting requests information service
IP addresses telephone network
network destination n information
94

US5699513A

(Ronald Glen Feigen, 1997)
(Original Assignee) Motorola Solutions Inc     

(Current Assignee)
General Dynamics C4 Systems Inc
Method for secure network access via message intercept network interface acknowledgment message
network client more application
95

US5610915A

(Isaac Elliott, 1997)
(Original Assignee) MCI Communications Corp     

(Current Assignee)
Verizon Patent and Licensing Inc
System and method therefor of viewing call traffic of a telecommunications network device interface predetermined time intervals
executable instructions specialized instruction
header contains information one communication line
electronic communication, data management component receiving requests, order r
NAD server said network
storage device one terminal
96

US5649182A

(Carl A. Reitz, 1997)
(Original Assignee) Reitz; Carl A.     

(Current Assignee)
RPX Corp
Apparatus and method for organizing timeline data storing instructions, network interface computer processor, said subset
video codec media data
data packet, filtering means said time
97

US5696906A

(J. Michael Peters, 1997)
(Original Assignee) Continental Cablevision Inc     

(Current Assignee)
Comcast MO Group Inc
Telecommunication user account management system and method IP addresses television service
network destination electronic mail
98

US5557748A

(David Norris, 1996)
(Original Assignee) Intel Corp     

(Current Assignee)
Intel Corp
Dynamic network configuration processing unit processing unit
storing instructions computer device, said memory
electronic communication memory stores
99

US5538007A

(Peter G. Gorman, 1996)
(Original Assignee) Gorman; Peter G.
Biomedical response monitor and method using identification signal data management component information representative
managing means, receiving requests transmitting unit
device interface, storage device following steps, said signals
network destination n information
intermediary computing device sensor output
electronic communication sensor means
network protocol programs display unit
data packet first port
100

US5724581A

(Fumihiko Kozakura, 1998)
(Original Assignee) Fujitsu Ltd     

(Current Assignee)
Fujitsu Ltd
Data base management system for recovering from an abnormal condition network destination n information
processing unit obtained data
executable instructions, computer executable instructions main storage
SCSI interface when data
NAD server point a
requests comprise one d log
101

US5550984A

(Edward J. Gelb, 1996)
(Original Assignee) Panasonic Corp of North America     

(Current Assignee)
Panasonic Corp of North America
Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information IP addresses destination address, address information
network interface network interface
network destination original source
receiving requests storage devices
intermediary computing up information
IP address IP address
102

US5689645A

(Robert Dwight Schettler, 1997)
(Original Assignee) HP Inc     

(Current Assignee)
Hewlett Packard Development Co LP
Persistence specification system and method for producing persistent and transient submaps in a management station for a data communication network communication path computer readable medium
network arrangement, network protocol programs processing time
NAD server said network
103

US5551025A

(Daniel L. O'Reilly, 1996)
(Original Assignee) MCI Communications Corp     

(Current Assignee)
Verizon Patent and Licensing Inc
Relational database system for storing different types of data data management component predefined time period
providing network access slower response
NAD server said network
IP addresses address data
104

US5778377A

(James Warden Marlin, 1998)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
Lenovo Singapore Pte Ltd
Table driven graphical user interface IP address corresponding data element
storing instructions requested data
NAD server said network
network protocol programs id attribute
SCSI interface data request
receiving requests request data
network protocols said column
processing unit first row
105

US5586269A

(Seiichi Kubo, 1996)
(Original Assignee) Panasonic Corp; Koninklijke Philips NV     

(Current Assignee)
Panasonic Corp ; Koninklijke Philips NV
Communication control device and method for automatically determining a self-address IP addresses destination address
different operating, managing access nonvolatile memory
network clients having different operating systems judgment means
filtering comprises means control device
network destination n information
106

US5526257A

(Sam Lerner, 1996)
(Original Assignee) Finlay Fine Jewelry Corp     

(Current Assignee)
Finlay Fine Jewelry Corp
Product evaluation system data packet second data structure
device interface, storage device specific category, following steps
storing instructions said memory
107

US5530744A

(Salomi T. Charalambous, 1996)
(Original Assignee) AT&T Corp     

(Current Assignee)
AT&T Corp
Method and system for dynamic customized call routing data management component work implement
IP addresses includes time
filtering means, data packet said time, second data
network arrangement data links
NAD server point a
108

US5742905A

(David Matthew Pepe, 1998)
(Original Assignee) Telcordia Technologies Inc     

(Current Assignee)
Access Co Ltd
Personal communications internetworking IP addresses telephone network
network interface network interface
application layer second interface
network destination electronic mail, n information
accepting requests media format
109

US5548646A

(Ashar Aziz, 1996)
(Original Assignee) Sun Microsystems Inc     

(Current Assignee)
Sun Microsystems Inc
System for signatureless transmission and reception of data packets between computer networks storing instructions storing instructions, said memory
IP addresses destination address, network address
executable instructions, computer executable instructions security data
network source third memory
110

US5481720A

(Larry K. Loucks, 1996)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
International Business Machines Corp
Flexible interface to authentication services in a distributed data processing environment providing network access service process
network destination n information
111

US5621889A

(Jean-Marc Lermuzeaux, 1997)
(Original Assignee) Alcatel SA     

(Current Assignee)
Alcatel SA
Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility computer executable instructions policy check
IP addresses said sensors
112

US5694546A

(Richard R. Reisman, 1997)
(Original Assignee) Reisman; Richard R.     

(Current Assignee)
Tmi Solutions LLC ; Intellectual Ventures I LLC
System for automatic unattended electronic information transport between a server and a client by a vendor provided transport software with a manifest list network protocols communication protocol
network interface communications module
program modules communication module
accepting requests distribution server
IP addresses telephone network, source address
intermediary computing device steps b
requests comprise one d log
113

US5636216A

(Richard H. Fox, 1997)
(Original Assignee) Metricom Inc     

(Current Assignee)
Google LLC
Method for translating internet protocol addresses to other distributed network addressing schemes network client consulting step
different operating systems inquiry message
114

US5533108A

(Rosemary H. Harris, 1996)
(Original Assignee) AT&T Corp     

(Current Assignee)
AT&T Corp
Method and system for routing phone calls based on voice and data transport capability IP addresses public switched telephone network
storing instructions requested data
data packet second data
SCSI interface, managing means TS data
115

US5517622A

(Mario J. Ivanoff, 1996)
(Original Assignee) Galileo International Partnership     

(Current Assignee)
Galileo International LLC
Method and apparatus for pacing communications in a distributed heterogeneous network network interface network protocol stack
network arrangement respective plurality
NAD server said network
116

GB2287619A

(Paul Gover, 1995)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
International Business Machines Corp
Security device for data communications networks requests comprise one different security
executable instructions, computer executable instructions security data
117

US5483596A

(Peter D. Rosenow, 1996)
(Original Assignee) Paralon Tech Inc     

(Current Assignee)
PARALON TECHNOLOGIES Inc ; Paralon Tech Inc
Apparatus and method for controlling access to and interconnection of computer system resources network protocol programs communication media
communication path communication path
network clients having different operating systems authorizing access
electronic communication exchanging data
data packet second data
118

US5412654A

(Charles E. Perkins, 1995)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
International Business Machines Corp
Highly dynamic destination-sequenced destination vector routing for mobile computers IP addresses network address
network client, network access work layer
119

US5473687A

(Thomas H. Lipscomb, 1995)
(Original Assignee) Infosafe Systems Inc     

(Current Assignee)
HARMONY LOGIC SYSTEMS LLC
Method for retrieving secure information from a database requests originating one linear feedback shift register
network destination external source
requests contain information to gain access different way
application layer binary digit
data packet data packet
filtering means said key
120

US5548726A

(Christopher E. Pettus, 1996)
(Original Assignee) Taligent Inc     

(Current Assignee)
Apple Inc
System for activating new service in client server network by reconfiguring the multilayer network protocol stack dynamically within the server node network protocol programs computer program
storing instructions readable program
program modules sending means
receiving requests first sending
intermediary computing, intermediary computing device other node
requests comprise one d log
121

US5606668A

(Gil Shwed, 1997)
(Original Assignee) Checkpoint Software Technologies Ltd     

(Current Assignee)
Checkpoint Software Technologies Ltd
System for securing inbound and outbound data packet flow in a computer network storage device storage device
data packet data packet
122

US5481542A

(Gary L. Logston, 1996)
(Original Assignee) Scientific Atlanta LLC     

(Current Assignee)
Synamedia Ltd
Interactive information services control system network stack correction algorithm
network clients, communication path communication paths
storing instructions requested data
network arrangement counter value
network destination n information
data packet, filtering means said format, first port
123

US5455953A

(Edward A. Russell, 1995)
(Original Assignee) Wang Laboratories Inc     

(Current Assignee)
Rakuten Inc ; BT Commercial Corp
Authorization system for obtaining in single step both identification and access rights of client to server directly from encrypted authorization ticket different operating, different operating systems encryption key
SCSI interface client access
124

US5369571A

(Rodney H. Metts, 1994)
(Original Assignee) Metts; Rodney H.
Method and apparatus for acquiring demographic information network client, data management component central location
electronic communication pressed position
125

US5327486A

(Richard S. Wolff, 1994)
(Original Assignee) Telcordia Technologies Inc     

(Current Assignee)
BRAZOS HOLDINGS LLC ; Honeywell International Inc
Method and system for managing telecommunications such as telephone calls requests originating one second messages
executable instructions, computer executable instructions graphic object
data packet receiving end
126

US5361259A

(Steven D. Hunt, 1994)
(Original Assignee) American Telephone and Telegraph Co Inc     

(Current Assignee)
IPR 3 Pty Ltd
Wide area network (WAN)-arrangement managing means said communication network
communication path communication path
IP addresses telephone network
NAD server said network
127

US5586260A

(Wei-Ming Hu, 1996)
(Original Assignee) Digital Equipment Corp     

(Current Assignee)
Hewlett Packard Development Co LP
Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms requests comprise one different security
device interface, storage device following steps
SCSI interface client access
128

US5287270A

(Robert M. Hardy, 1994)
(Original Assignee) Compucom Communications Corp     

(Current Assignee)
CENTILLION DATA SYSTEMS LLC
Billing system storage device additional processing
electronic communication usage record
129

US5452446A

(Steven F. Johnson, 1995)
(Original Assignee) SPX Corp     

(Current Assignee)
SPX Corp ; SPX Development Corp
Method and apparatus for managing dynamic vehicle data recording data by current time minus latency electronic communication, data management component receiving requests
managing means different period
SCSI interface data request
network destination data source
130

US5491796A

(James Wanderer, 1996)
(Original Assignee) Net Labs Inc     

(Current Assignee)
NortonLifeLock Inc
Apparatus for remotely managing diverse information network resources external thereto user interface module
network arrangement, network protocol programs processing time
network destination n information
NAD server said network
data packet said format
131

US5371852A

(Clement R. Attanasio, 1994)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
International Business Machines Corp
Method and apparatus for making a cluster of computers appear as a single host on a network network destination same destination node, external source
IP addresses destination address
IP address IP address
NAD server N type
132

US5490252A

(Mario Macera, 1996)
(Original Assignee) Bay Networks Group Inc     

(Current Assignee)
Rockstar Consortium US LP
System having central processor for transmitting generic packets to another processor to be altered and transmitting altered packets back to central processor for routing network interface electronic components
intermediary computing device fault tolerance
network stack generic format
network destination n information
133

JPH0697905A

(Noriaki Kono, 1994)
(Original Assignee) Mitsubishi Electric Corp; 三菱電機株式会社
In-channel signaling transmission apparatus program modules predetermined
requests contain information to gain access in place of
134

US5377060A

(Anil Nigam, 1994)
(Original Assignee) Antek Peripherals Inc     

(Current Assignee)
ANTEK PERIPHERALS Inc A CORP OF CALIFORNIA ; Antek Peripherals Inc
Ultra slim data storage module utilizing plural flexible disks application layer disk surface
processing unit second air
135

US5241594A

(Kenneth C. Kung, 1993)
(Original Assignee) Hughes Aircraft Co     

(Current Assignee)
Raytheon Co
One-time logon means and methods for distributed computing systems network protocols communication protocol
accepting requests, requests originating one server request
requests comprise one d log
136

US5491779A

(Richard D. Bezjian, 1996)
(Original Assignee) Bezjian; Richard D.
Three dimensional presentation of multiple data sets in unitary format with pie charts application layer third dimension
data packet second data
137

US5249292A

(J. Noel Chiappa, 1993)
(Original Assignee) Chiappa J Noel
Data packet switch using a primary processing unit to designate one of a plurality of data stream control circuits to selectively handle the header processing of incoming packets in one data packet stream network clients, communication path communication paths
network protocol programs control signals
network destination n information
managing means storage units
program modules data buffer
SCSI interface new data
138

US5325290A

(Lynn S. Cauffman, 1994)
(Original Assignee) Compucom Communications Corp     

(Current Assignee)
CENTILLION DATA SYSTEMS LLC
Billing system with data indexing different operating systems different operating systems
storage device additional processing
network destination n information
filtering means said key
139

US5321395A

(Ronald B. Van Santbrink, 1994)
(Original Assignee) US Philips Corp     

(Current Assignee)
US Philips Corp
System providing verified information exchange between an electronic record carrier and a read/write unit network destination n information
storing instructions said memory
140

US5262760A

(Kazuaki Iwamura, 1993)
(Original Assignee) Hitachi Ltd     

(Current Assignee)
Hitachi Ltd
Modifying a graphics display image network arrangement further data
storing instructions said memory
141

US5245533A

(Robert Marshall, 1993)
(Original Assignee) A C Nielsen Co     

(Current Assignee)
NCH PROMOTIONAL SERVICES Inc
Marketing research method and system for management of manufacturer's discount coupon offers data management component predefined time period
SCSI interface central controller
142

US5490060A

(John Malec, 1996)
(Original Assignee) Information Resources Inc     

(Current Assignee)
Information Resources Inc
Passive data collection system for market research data intermediary computing transaction records, transaction file
different operating, managing access nonvolatile memory
electronic communication central station
processing unit transfer system
network destination n information
NAD server said network
SCSI interface data storage
143

US5161192A

(Steven H. Carter, 1992)
(Original Assignee) 3Com Technologies Ltd     

(Current Assignee)
3Com Ireland
Repeaters for secure local area networks IP addresses destination address, source address
NAD server said network
application layer binary digit
local area local area
144

US5223699A

(Lorraine Flynn, 1993)
(Original Assignee) Nokia Bell Labs     

(Current Assignee)
Nokia Bell Labs ; AT&T Corp
Recording and billing system different operating processor information
network arrangement first codes
data packet second data
145

US5159592A

(Charles E. Perkins, 1992)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
International Business Machines Corp
Network address management for a wired network supporting wireless communication to a plurality of mobile users network interface wireless Local Area Network
intermediary computing mobile communications
application layer unique identifiers
146

US5124984A

(Ferdinand Engel, 1992)
(Original Assignee) Concord Communications LLC     

(Current Assignee)
Concord Communications LLC
Access controller for local area network network protocols communication protocol
IP addresses destination address, source address
electronic communication exchanging data
network access, network client network access, work layer
NAD server said network
data packet data packet
network arrangement ink layer
application layer data link
147

US5287269A

(John Dorrough, 1994)
(Original Assignee) Boardwalk Starcity Corp     

(Current Assignee)
Cardtronics Inc
Apparatus and method for accessing events, areas and activities network clients having different operating systems authorizing access
SCSI interface data storage
program modules data buffer
data packet, filtering means second data, said time
148

US5149945A

(Jerry W. Johnson, 1992)
(Original Assignee) Micro Card Tech Inc     

(Current Assignee)
MICRO CARD TECHNOLOGIES Inc A CORP OF TX ; CP8 Technologies ; Bull CP8 ; Micro Card Tech Inc
Method and coupler for interfacing a portable data carrier with a host processor network protocol programs, electronic communication control signals, other port
receiving requests bit error
149

US5309437A

(Radia J. Perlman, 1994)
(Original Assignee) Digital Equipment Corp     

(Current Assignee)
Enterasys Networks Inc
Bridge-like internet protocol router IP addresses local area networks, address information
network protocols network addressing, network protocols
network client, network access work layer
data packet IP packets
150

US5204961A

(Douglas C. Barlow, 1993)
(Original Assignee) Digital Equipment Corp     

(Current Assignee)
DIGITAL Corp A MA CORP ; Hewlett Packard Development Co LP
Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols network protocol programs received protocol data units
NAD server said network
151

US5226120A

(Brian Brown, 1993)
(Original Assignee) SynOptics Communications Inc     

(Current Assignee)
Nortel Networks Ltd
Apparatus and method of monitoring the status of a local area network header contains information identifying means
device interface, storage device following steps
network arrangement electrical back
NAD server said network
network destination light source
electronic communication, network protocol programs other port
network source same time
152

US4972504A

(James N. Daniel, 1990)
(Original Assignee) A C Nielsen Co     

(Current Assignee)
Nielsen Company US LLC
Marketing research system and method for obtaining retail data on a real time basis network client, data management component central location
processing unit processing unit
managing means detecting data
SCSI interface data storage
filtering means, filtering comprises means pass filter
storing instructions said memory
153

US5030807A

(Jeremy A. Landt, 1991)
(Original Assignee) Amtech Corp     

(Current Assignee)
Intermec IP Corp
System for reading and writing data from and into remote tags intermediary computing sufficient strength
network protocol programs transmitted data
SCSI interface data storage
154

US5131020A

(John P. Liebesny, 1992)
(Original Assignee) SmartRoutes Systems LP     

(Current Assignee)
Fleet National Bank ; SmartRoutes Systems LP
Method of and system for providing continually updated traffic or other information to telephonically and other communications-linked customers accepting requests information request
filtering means said key
155

US5019697A

(Joel R. Postman, 1991)
(Original Assignee) TPS Electronics     

(Current Assignee)
POSTMAN JOEL
Data collection system using memory card data packet said format
storing instructions said memory
filtering means said key
156

US5113499A

(Richard C. Ankney, 1992)
(Original Assignee) Sprint International Communications Corp     

(Current Assignee)
Sprint International Communications Corp
Telecommunication access management system for a packet switching network data management component information representative
network protocols data communications link
communication path multiple communications, communication path
executable instructions, computer executable instructions instruction signals
IP addresses destination address
video codec respective entry
managing access managing access
network destination n information
network protocol programs plural access
NAD server said network
network stack various user
electronic communication one source
157

US5142622A

(Gary L. Owens, 1992)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
Cisco Technology Inc
System for interconnecting applications across different networks of data processing systems by mapping protocols across different network domains electronic communication socket connection
computer executable instructions intermediate data
158

US5136707A

(Frederick P. Block, 1992)
(Original Assignee) Nokia Bell Labs     

(Current Assignee)
Nokia Bell Labs ; AT&T Information Systems Inc ; AT&T Corp
Reliable database administration arrangement receiving requests corresponding database
storing instructions requested data
intermediary computing, intermediary computing device other node
159

US5088052A

(Howard A. Spielman, 1992)
(Original Assignee) Digital Equipment Corp     

(Current Assignee)
Hewlett Packard Development Co LP
System for graphically representing and manipulating data stored in databases storage device determining characteristics
data management component database records
160

US4806743A

(Jean-Jacques Thenery, 1989)
(Original Assignee) Thenery Jean Jacques     

(Current Assignee)
THENERY JEAN JACQUES
Installation for managing the "visitor" resource at a trade show, or fair, or the like IP addresses respective memory
storing instructions said memory
161

US4823373A

(Chusei Takahashi, 1989)
(Original Assignee) Oki Electric Industry Co Ltd     

(Current Assignee)
Canon Inc
Line switching control system for mobile communication requests contain information to gain access predetermined data pattern
network protocol programs control signals
different operating function key
162

US4799153A

(J. David Hann, 1989)
(Original Assignee) TELENET COMMUNICATIONS CORP     

(Current Assignee)
Sprint International Communications Corp
Method and apparatus for enhancing security of communications in a packet-switched data communications system IP addresses packet including data, address data
network clients having different operating systems enable access
NAD server said network
data packet said format
163

GB2187009A

(Shoichi Masui, 1987)
(Original Assignee) Hitachi Ltd     

(Current Assignee)
Hitachi Ltd
A knowledge-based system having a plurality of processors data packet said transmission
intermediary computing third request
network source third memory
164

US4893248A

(W. Hampton Pitts, 1990)
(Original Assignee) Access Corp     

(Current Assignee)
DIGEQUIP SECURITY INDUSTRIES Inc ; NATIONAL RURAL TELECOMMUNICATIONS COOPERATIVE
Monitoring and reporting system for remote terminals storing instructions computer processor
data packet said transmission
managing means monitoring system
network protocol programs transmitted data, computer program
electronic communication central station
video codec current view
165

US4817050A

(Kenichi Komatsu, 1989)
(Original Assignee) Toshiba Corp     

(Current Assignee)
Toshiba Corp
Database system network clients having different operating systems recording medium
electronic communication exchanging data
processing unit data recording
NAD server said network
SCSI interface when data
166

US4745560A

(John W. Decker, 1988)
(Original Assignee) International Business Machines Corp     

(Current Assignee)
International Business Machines Corp
Method of controlling a bit-image printer executable instructions memory location
storage device first location
storing instructions said memory
network access, filtering means top edge
167

EP0177210A1

(Frederick John Wixley, 1986)
(Original Assignee) GEC Avionics Ltd; GEC Marconi Ltd     

(Current Assignee)
BAE Systems Electronics Ltd
Electric circuit testing equipment network destination integrated circuit package, input signal
NAD server point a
168

US4727243A

(Eugene Savar, 1988)
(Original Assignee) TELENET COMMUNICATIONS CORP     

(Current Assignee)
Sprint International Communications Corp
Financial transaction system network access, providing network access respective point
network destination n information
processing unit data capture
storage device one terminal
SCSI interface new data
169

US4654793A

(Philip C. Elrod, 1987)
(Original Assignee) SHOWDATA Inc     

(Current Assignee)
SHOW DATA Inc ; SOUTHEASTERN REGISTRATION SERVICES A GENERAL PARTNERSHIP OF TX ; SOUTHWESTERN REGISTRATION SERVICES A CORP OF TX
System and method for registering and keeping track of the activities of attendees at a trade show, convention or the like network arrangement selected location
network destination n information
managing means storage units
storing instructions said memory
data packet, filtering means said time
170

US4425618A

(Thomas P. Bishop, 1984)
(Original Assignee) Nokia Bell Labs     

(Current Assignee)
Nokia Bell Labs
Method and apparatus for introducing program changes in program-controlled systems different operating, different operating systems processor system
executable instructions memory location
data packet, filtering means said time
171

GB2063532A

(, 1981)
(Original Assignee) Oracle StorageTek     

(Current Assignee)
Oracle StorageTek
Data storage system for a computer data packet interface units, second data
different operating systems disk interface
program modules data buffer
storing instructions data cache
172

US4345315A

(Ernest R. Cadotte, 1982)
(Original Assignee) MSI Data Corp     

(Current Assignee)
Symbol Technologies LLC
Customer satisfaction terminal network arrangement selected location
network protocol programs control signals
network clients, network protocols timing signals
storage device storage device
different operating key operation
managing means said keys
SCSI interface new data
173

US4233661A

(Edgar A. Bolton, 1980)
(Original Assignee) Bolton Edgar A; Dallen Larry D     

(Current Assignee)
REGISTRATION CONTROL SYSTEMS INC 2601 EAST 28TH ST LONG BEACH CA A CORP OF
Computer controlled registration and inquiry system SCSI interface data storage
data packet second data
174

US4160129A

(Alan Peyser, 1979)
(Original Assignee) TDX SYSTEMS Inc     

(Current Assignee)
TDX SYSTEMS Inc
Telephone communications control system having a plurality of remote switching units header contains information one communication line
different operating, different operating systems communication signals
network protocol programs control signals
175

CA2643148A1

(Edwin J. Hall, 1998)
(Original Assignee) Intertrust Technologies Corp.; Edwin J. Hall; Victor H. Shear; Luke S. Tomasello; David M. Van Wie; Robert P. Weber; Kim Worsencroft; Xuejun Xu     

(Current Assignee)
Intertrust Technologies Corp
Technique for defining, using and manipulating rights management data structures device interface, storage device following steps
network access process request
network destination n information
data packet second data




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
IEEE COMMUNICATIONS MAGAZINE. 35 (6): 164-169 JUN 1997

Publication Year: 1997

Integrating Communication Services

Hewlett Packard Labs

Low
US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information (three areas) identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access to the NAD.
Integrating Communication Services. The need for communication services which span multiple communication technologies is growing. Communication services are being developed in three areas (header contains information): in the public switched telephony networks, on the Internet in the form of integrated multimedia including voice-over-Internet, and in private switched telephony networks in the form of enterprise computer-telephony integration applications. This article shows it is plausible to create unified services which span the Internet and public switched telephony networks, and goes on to describe Nexus, an architecture and prototype for integrated communication services.

US7739302B2
CLAIM 15
The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit to selectively generate a packet for communication to an intermediary computing (enterprise computer) device, the selectively generated packet containing the request for access to the directly attached device.
Integrating Communication Services. The need for communication services which span multiple communication technologies is growing. Communication services are being developed in three areas: in the public switched telephony networks, on the Internet in the form of integrated multimedia including voice-over-Internet, and in private switched telephony networks in the form of enterprise computer (intermediary computing)-telephony integration applications. This article shows it is plausible to create unified services which span the Internet and public switched telephony networks, and goes on to describe Nexus, an architecture and prototype for integrated communication services.




13TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, PROCEEDINGS. : 205-214 1997

Publication Year: 1997

Using Web Technologies In Two MLS Environments: A Security Analysis

Computer Sciences Corporation (CSC)

Niemeyer, IEEE Comp Soc
US7739302B2
CLAIM 1
A network arrangement comprising: a network client (network client) and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
Using Web Technologies In Two MLS Environments: A Security Analysis. This paper presents an analysis of the use of the HyperText Transfer Protocol (HTTP) and other web technologies for multilevel secure (MLS) systems that are connected to single-level network environments (e.g., Internet-like and Intranet-like environments). Multiple single level networks may be connected to these MLS systems. This analysis considers two examples of MLS systems. Known HTTP and web security vulnerabilities are considered in the context of multilevel operations planned for an MLS database server to be accessed by web browser software and for an MLS infrastructure supporting web browsing on multiple webs that each have a different security sensitivity level. The analysis focuses on the transfer of information across security boundaries where the security classification of information on one side of the boundary differs from that of the other side (a high-to-low or low-to-high transfer of information). The transfer of information is initiated by the web browser (a network client (network client)) and the bulk of information transferred is data returned from the web server. The analysis also focuses on threats from the less secure side of the boundary, including the threats of insertion of malicious code (e.g., virus or Trojan horse code) and denial of service attacks. The applications are referred to as the "High-to-Low" Example and the "Low-to-High" Example denoting the direction of primary information flow.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client (network client) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising;

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
Using Web Technologies In Two MLS Environments: A Security Analysis. This paper presents an analysis of the use of the HyperText Transfer Protocol (HTTP) and other web technologies for multilevel secure (MLS) systems that are connected to single-level network environments (e.g., Internet-like and Intranet-like environments). Multiple single level networks may be connected to these MLS systems. This analysis considers two examples of MLS systems. Known HTTP and web security vulnerabilities are considered in the context of multilevel operations planned for an MLS database server to be accessed by web browser software and for an MLS infrastructure supporting web browsing on multiple webs that each have a different security sensitivity level. The analysis focuses on the transfer of information across security boundaries where the security classification of information on one side of the boundary differs from that of the other side (a high-to-low or low-to-high transfer of information). The transfer of information is initiated by the web browser (a network client (network client)) and the bulk of information transferred is data returned from the web server. The analysis also focuses on threats from the less secure side of the boundary, including the threats of insertion of malicious code (e.g., virus or Trojan horse code) and denial of service attacks. The applications are referred to as the "High-to-Low" Example and the "Low-to-High" Example denoting the direction of primary information flow.

US7739302B2
CLAIM 27
The apparatus of claim 22, wherein the requests comprise one (different security) of a plurality of protocols.
Using Web Technologies In Two MLS Environments: A Security Analysis. This paper presents an analysis of the use of the HyperText Transfer Protocol (HTTP) and other web technologies for multilevel secure (MLS) systems that are connected to single-level network environments (e.g., Internet-like and Intranet-like environments). Multiple single level networks may be connected to these MLS systems. This analysis considers two examples of MLS systems. Known HTTP and web security vulnerabilities are considered in the context of multilevel operations planned for an MLS database server to be accessed by web browser software and for an MLS infrastructure supporting web browsing on multiple webs that each have a different security (requests comprise one) sensitivity level. The analysis focuses on the transfer of information across security boundaries where the security classification of information on one side of the boundary differs from that of the other side (a high-to-low or low-to-high transfer of information). The transfer of information is initiated by the web browser (a network client) and the bulk of information transferred is data returned from the web server. The analysis also focuses on threats from the less secure side of the boundary, including the threats of insertion of malicious code (e.g., virus or Trojan horse code) and denial of service attacks. The applications are referred to as the "High-to-Low" Example and the "Low-to-High" Example denoting the direction of primary information flow.




COMPUTER NETWORKS AND ISDN SYSTEMS. 30 (13): 1185-1200 AUG 3 1998

Publication Year: 1998

The Aquarelle Resource Discovery System

Institut national de recherche en informatique et en automatique (INRIA France), Conservatoire national des arts et métiers (France), System Simulation (UK), Foundation for Research & Technology – Hellas (FORTH, Ίδρυμα Τεχνολογίας και Έρευνας - ΙΤΕ Greece)

Michard, Christophides, Scholl, Stapleton, Sutcliffe, Vercoustre
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access to the NAD, the NAD server including computer executable instructions (direct link) that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
The Aquarelle Resource Discovery System. Aquarelle is a three-year project supported by the Telematics Applications Programme of the European Union, aiming at designing a resource discovery system on the Internet, applied to cultural heritage documentation. The system relies on the Z39.50 protocol to support access to heterogeneous databases, including SGML document repositories. Its most original features are direct linking (executable instructions) from SGML documents to database records, an advanced link management facility, and query broadcasting to dynamically selected databases. (C) 1998 Elsevier Science B.V. All rights reserved.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising;

a data management component (database records), and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
The Aquarelle Resource Discovery System. Aquarelle is a three-year project supported by the Telematics Applications Programme of the European Union, aiming at designing a resource discovery system on the Internet, applied to cultural heritage documentation. The system relies on the Z39.50 protocol to support access to heterogeneous databases, including SGML document repositories. Its most original features are direct linking from SGML documents to database records (data management component), an advanced link management facility, and query broadcasting to dynamically selected databases. (C) 1998 Elsevier Science B.V. All rights reserved.




SEVENTH IEEE INTERNATIONAL WORKSHOPS ON ENABLING TECHNOLOGIES: INFRASTRUCTURE FOR COLLABORATIVE ENTERPRISES (WET ICE 98). : 376-383 1998

Publication Year: 1998

Efficient Security For Large And Dynamic Multicast Groups

Sun Microsystems, Inc., Eidgenössische Technische Hochschule Zürich (ETH)

Caronni, Waldvogel, Sun, Plattner, IEEE
US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (group communication).
Efficient Security For Large And Dynamic Multicast Groups. Proposals for multicast security that have been published so far are complex, often require trust in network components or are inefficient. In this paper we propose a series of novel approaches for achieving scalable security in IP multicast, providing privacy and authentication on a group-wide basis. They can be employed to efficiently secure multi-party applications where members of highly dynamic groups of arbitrary size may participate. Supporting dynamic groups implies that newly joining members must not be able to understand past group communications (application layer), and that leaving members may not follow future communications. Key changes are required for all group members when a leave or join occurs, which poses a problem if groups are large. The algorithms presented here require no trust in third parties, support either centralized or fully distributed management of keying material and have low complexity (O(log N) or less). This grants scalability even for large groups.

US7739302B2
CLAIM 18
The apparatus of claim 12, wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (third parties).
Efficient Security For Large And Dynamic Multicast Groups. Proposals for multicast security that have been published so far are complex, often require trust in network components or are inefficient. In this paper we propose a series of novel approaches for achieving scalable security in IP multicast, providing privacy and authentication on a group-wide basis. They can be employed to efficiently secure multi-party applications where members of highly dynamic groups of arbitrary size may participate. Supporting dynamic groups implies that newly joining members must not be able to understand past group communications, and that leaving members may not follow future communications. Key changes are required for all group members when a leave or join occurs, which poses a problem if groups are large. The algorithms presented here require no trust in third parties (network protocols), support either centralized or fully distributed management of keying material and have low complexity (O(log N) or less). This grants scalability even for large groups.

US7739302B2
CLAIM 19
The apparatus of claim 18 wherein one of the plurality of network protocols (third parties) is TCP/IP.
Efficient Security For Large And Dynamic Multicast Groups. Proposals for multicast security that have been published so far are complex, often require trust in network components or are inefficient. In this paper we propose a series of novel approaches for achieving scalable security in IP multicast, providing privacy and authentication on a group-wide basis. They can be employed to efficiently secure multi-party applications where members of highly dynamic groups of arbitrary size may participate. Supporting dynamic groups implies that newly joining members must not be able to understand past group communications, and that leaving members may not follow future communications. Key changes are required for all group members when a leave or join occurs, which poses a problem if groups are large. The algorithms presented here require no trust in third parties (network protocols), support either centralized or fully distributed management of keying material and have low complexity (O(log N) or less). This grants scalability even for large groups.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (group communication) of a network stack.
Efficient Security For Large And Dynamic Multicast Groups. Proposals for multicast security that have been published so far are complex, often require trust in network components or are inefficient. In this paper we propose a series of novel approaches for achieving scalable security in IP multicast, providing privacy and authentication on a group-wide basis. They can be employed to efficiently secure multi-party applications where members of highly dynamic groups of arbitrary size may participate. Supporting dynamic groups implies that newly joining members must not be able to understand past group communications (application layer), and that leaving members may not follow future communications. Key changes are required for all group members when a leave or join occurs, which poses a problem if groups are large. The algorithms presented here require no trust in third parties, support either centralized or fully distributed management of keying material and have low complexity (O(log N) or less). This grants scalability even for large groups.




1997 IEEE SYMPOSIUM ON SECURITY AND PRIVACY - PROCEEDINGS. : 120-129 1997

Publication Year: 1997

Filtering Postures: Local Enforcement For Global Policies

The MITRE Corporation

Guttman, Ieee Comp Soc
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access (network access) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access (network access) control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (network access) to the NAD from a plurality of network clients having different operating systems.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access (network access) control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (network access) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access (network access) control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising;

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (network access) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access (network access) control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (network access) to the NAD.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access (network access) control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (network access) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access (network access) control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (network access) to the NAD is only available through the server.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access (network access) control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (network access) includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access (network access) control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means (packet filter) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering (filtering means) is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means (packet filter) is further configured to carry out the filtering at an application layer of a network stack.
Filtering Postures: Local Enforcement For Global Policies. When packet filtering (filtering means) is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale.




COMPSAC 97: TWENTY-FIRST ANNUAL INTERNATIONAL COMPUTER SOFTWARE & APPLICATIONS CONFERENCE: 478-481, 1997

Publication Year: 1997

Implementation Considerations For Mobile IP

Institute for Information Industry, Network and Communication Laboratory, Taipei, Taiwan

Leu, Cheng, IEEE Comp Soc
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (IP datagrams), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
Implementation Considerations For Mobile IP. The Mobile IP protocol [1] allows transparent routing of IP datagrams (network destination, network protocols) in the Internet. Each mobile node is identified by its home address regardless of its current location in the Internet. While away from home, a mobile node is associated with a care-of address which gives information about its current location. Mobile IP specifies how a mobile node registers with its home agent and how the home agent routes datagrams to the mobile node through a tunnel. In this paper, we will first outline the Mobile IP protocol and its Extension mechanism defined for carrying information. Then, we will present the architecture of our working implementation, which is based on the object-oriented methodology. Finally, some implementation considerations and challenges for Mobile IP will be investigated.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (home address, home agent) contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
Implementation Considerations For Mobile IP. The Mobile IP protocol [1] allows transparent routing of IP datagrams in the Internet. Each mobile node is identified by its home address (IP addresses) regardless of its current location in the Internet. While away from home, a mobile node is associated with a care-of address which gives information about its current location. Mobile IP specifies how a mobile node registers with its home agent (IP addresses) and how the home agent routes datagrams to the mobile node through a tunnel. In this paper, we will first outline the Mobile IP protocol and its Extension mechanism defined for carrying information. Then, we will present the architecture of our working implementation, which is based on the object-oriented methodology. Finally, some implementation considerations and challenges for Mobile IP will be investigated.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (IP datagrams), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
Implementation Considerations For Mobile IP. The Mobile IP protocol [1] allows transparent routing of IP datagrams (network destination, network protocols) in the Internet. Each mobile node is identified by its home address regardless of its current location in the Internet. While away from home, a mobile node is associated with a care-of address which gives information about its current location. Mobile IP specifies how a mobile node registers with its home agent and how the home agent routes datagrams to the mobile node through a tunnel. In this paper, we will first outline the Mobile IP protocol and its Extension mechanism defined for carrying information. Then, we will present the architecture of our working implementation, which is based on the object-oriented methodology. Finally, some implementation considerations and challenges for Mobile IP will be investigated.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (IP datagrams), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
Implementation Considerations For Mobile IP. The Mobile IP protocol [1] allows transparent routing of IP datagrams (network destination, network protocols) in the Internet. Each mobile node is identified by its home address regardless of its current location in the Internet. While away from home, a mobile node is associated with a care-of address which gives information about its current location. Mobile IP specifies how a mobile node registers with its home agent and how the home agent routes datagrams to the mobile node through a tunnel. In this paper, we will first outline the Mobile IP protocol and its Extension mechanism defined for carrying information. Then, we will present the architecture of our working implementation, which is based on the object-oriented methodology. Finally, some implementation considerations and challenges for Mobile IP will be investigated.

US7739302B2
CLAIM 18
The apparatus of claim 12, wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (IP datagrams).
Implementation Considerations For Mobile IP. The Mobile IP protocol [1] allows transparent routing of IP datagrams (network destination, network protocols) in the Internet. Each mobile node is identified by its home address regardless of its current location in the Internet. While away from home, a mobile node is associated with a care-of address which gives information about its current location. Mobile IP specifies how a mobile node registers with its home agent and how the home agent routes datagrams to the mobile node through a tunnel. In this paper, we will first outline the Mobile IP protocol and its Extension mechanism defined for carrying information. Then, we will present the architecture of our working implementation, which is based on the object-oriented methodology. Finally, some implementation considerations and challenges for Mobile IP will be investigated.

US7739302B2
CLAIM 19
The apparatus of claim 18 wherein one of the plurality of network protocols (IP datagrams) is TCP/IP.
Implementation Considerations For Mobile IP. The Mobile IP protocol [1] allows transparent routing of IP datagrams (network destination, network protocols) in the Internet. Each mobile node is identified by its home address regardless of its current location in the Internet. While away from home, a mobile node is associated with a care-of address which gives information about its current location. Mobile IP specifies how a mobile node registers with its home agent and how the home agent routes datagrams to the mobile node through a tunnel. In this paper, we will first outline the Mobile IP protocol and its Extension mechanism defined for carrying information. Then, we will present the architecture of our working implementation, which is based on the object-oriented methodology. Finally, some implementation considerations and challenges for Mobile IP will be investigated.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (IP datagrams), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
Implementation Considerations For Mobile IP. The Mobile IP protocol [1] allows transparent routing of IP datagrams (network destination, network protocols) in the Internet. Each mobile node is identified by its home address regardless of its current location in the Internet. While away from home, a mobile node is associated with a care-of address which gives information about its current location. Mobile IP specifies how a mobile node registers with its home agent and how the home agent routes datagrams to the mobile node through a tunnel. In this paper, we will first outline the Mobile IP protocol and its Extension mechanism defined for carrying information. Then, we will present the architecture of our working implementation, which is based on the object-oriented methodology. Finally, some implementation considerations and challenges for Mobile IP will be investigated.




IEEE INFOCOM 97 - THE CONFERENCE ON COMPUTER COMMUNICATIONS, PROCEEDINGS, VOLS 1-3: 701-710, 1997

Publication Year: 1997

Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains

SRI International (formerly Stanford Research Institute)

Sudan, Shacham, IEEE Comp Soc
US7739302B2
CLAIM 1
A network arrangement comprising: a network client (media session) and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access (resource reservation) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (resource reservation), an IP address of a network destination (resource reservation), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions (network client, IP addresses) in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (resource reservation) to the NAD from a plurality of network clients having different operating systems.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (resource reservation) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source (resource reservation), destination, and route of the data packet.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client (media session) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (resource reservation) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (media session) contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (resource reservation), a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions (network client, IP addresses) in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (resource reservation) to the NAD.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (resource reservation) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (resource reservation), an IP address of a network destination (resource reservation), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (resource reservation) to the NAD is only available through the server.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (resource reservation) includes at least one of an IP address of a network source (resource reservation), an IP address of a network destination (resource reservation), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (resource reservation), an IP address of a network destination (resource reservation), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
Gateway Based Approach For Conducting Multiparty Multimedia Sessions Over Heterogeneous Signaling Domains. Emerging networking technologies are being introduced with their own management protocols for routing, resource reservation (network access, network source, network destination) and signaling. This diversity restricts the interoperability among QOS-aware multimedia applications written for different networks. We present an approach for managing multiparty, multimedia sessions in a heterogeneous internetwork spanning multiple signaling domains. Participants utilize the native signaling on their respective domains and interact with participants on other domains through signaling gateways that bridge the domains and provide translation of signaling procedures and QOS semantics. Data streams are transmitted using a hierarchical representation, which allows participants to independently adjust the reception quality of each stream according to their resources and interests. We present a particular design and implementation details for connecting ATM and IP signaling domains and conclude with its extension to an arbitrary number of interconnected domains.




BT TECHNOLOGY JOURNAL. 15 (2): 145-157 APR 1997

Publication Year: 1997

Internet Phone - Changing The Telephony Paradigm?

BT Labs

Babbage, Moffat, Oneill, Sivaraj
US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs (system architecture) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems.
Internet Phone - Changing The Telephony Paradigm? This paper provides an overview of the history, current status, and underlying technology of 'Internet telephony' - the transport of speech information over a packet-switched connectionless network. The economics of Internet telephony and a number of possible system architectures (network protocol programs) for interconnection with the switched telephone network are examined. The paper concludes with a look at the quality of service issues raised by internet telephony.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising;

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (telephone network) contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
Internet Phone - Changing The Telephony Paradigm? This paper provides an overview of the history, current status, and underlying technology of 'Internet telephony' - the transport of speech information over a packet-switched connectionless network. The economics of Internet telephony and a number of possible system architectures for interconnection with the switched telephone network (IP addresses) are examined. The paper concludes with a look at the quality of service issues raised by internet telephony.




COMPUTER NETWORKS AND ISDN SYSTEMS. 26 (3): 357-369 NOV 1993

Publication Year: 1993

PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP

International Business Machines Corporation (IBM)

Perkins
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access (network access) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access (network access) for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems. Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (network access) to the NAD from a plurality of network clients having different operating systems.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access (network access) for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems. Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (network access) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access (network access) for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems. Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising;

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (network access) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access (network access) for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems. Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (network access) to the NAD.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access (network access) for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems. Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (network access) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access (network access) for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems. Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (network access) to the NAD is only available through the server.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access (network access) for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems. Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (network access) includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access (network access) for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems. Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means (existing system) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems (filtering means). Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means (existing system) is further configured to carry out the filtering at an application layer of a network stack.
PROVIDING CONTINUOUS NETWORK ACCESS TO MOBILE HOSTS USING TCP IP. We present a solution to the problem of providing continuous network access for mobile hosts using the Internet Protocol (IP). Using IP's Loose Source Route option, mobile hosts are able to communicate with their correspondent hosts via an optimal route, no matter how often their location changes. Our solution is fault tolerant, scales well, is easy to administer, is invisible to applications running either on mobile hosts or their servers, and requires no changes to existing systems (filtering means). Our solution will handle movement between connected networks (e.g., different buildings) without noticeable degradation of performance (except, of course, when the mobile user is out of range of any cell). We show also how our solution adapts to the use of encapsulation. We expect to enable mobility of computers in general, including wired computers.




IEEE INFOCOM 98 - THE CONFERENCE ON COMPUTER COMMUNICATIONS, VOLS. 1-3. : 1037-1045 1998

Publication Year: 1998

MSOCKS: An Architecture For Transport Layer Mobility

Carnegie Mellon University (CMU)

Maltz, Bhagwat, Ieee, Ieee
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (multiple network) for network access (network interfaces, mobile nodes) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network interfaces, mobile nodes) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (network interfaces, mobile nodes) to the NAD from a plurality of network clients having different operating systems.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (network interfaces, mobile nodes) to the NAD is authorized comprises determining whether information in the header of a received data packet (multiple network) containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (network interfaces, mobile nodes) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet (multiple network) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (multiple network) arrived via an authorized network interface (network interfaces, mobile nodes).
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet (multiple network) to the proper port;

and at the proper port, provide the requested network access (network interfaces, mobile nodes) to the NAD.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (network interfaces, mobile nodes) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (multiple network) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (network interfaces, mobile nodes), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (network interfaces, mobile nodes) to the NAD is only available through the server.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface (network interfaces, mobile nodes) coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (multiple network) containing the request for network access (network interfaces, mobile nodes) includes at least one of an IP address of a network source, an IP address of a network destination (network interfaces, mobile nodes), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interfaces, mobile nodes).
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (when multiple).
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple (application layer) connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (network interfaces, mobile nodes), and a route of the data packet (multiple network), the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces (network access, network destination, network interface) to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes (network access, network destination, network interface) to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (when multiple) of a network stack.
MSOCKS: An Architecture For Transport Layer Mobility. Mobile nodes of the future will be equipped with multiple network interfaces to take advantage of overlay networks, yet no current mobility systems provide full support for the simultaneous use of multiple interfaces. The need for such support arises when multiple (application layer) connectivity options are available with different cost, coverage, latency and bandwidth characteristics, and applications want their data to flow over the interface that best matches the characteristics of the data. We present an architecture called Transport Layer Mobility that allows mobile nodes to not only change their point of attachment to the Internet, but also to control which network interfaces are used for the different kinds of data leaving from and arriving at the mobile node. We implement our transport layer mobility scheme using a split-connection proxy architecture and a new technique called TCP Splice that gives split-connection proxy systems the same end-to-end semantics as normal TCP connections.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY. 8 (1): 13-17 FEB 1998

Publication Year: 1998

MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers

The Foundation for Research & Technology – Hellas (FORTH, Ίδρυμα Τεχνολογίας και Έρευνας - ΙΤΕ), Aristotle University of Thessaloniki (A.U.Th. Αριστοτέλειο Πανεπιστήμιο Θεσσαλονίκης), Treasury Department, Bank of Boston

Serpanos, Georgiadis, Bouloutas
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server (load balancing, client request) disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access (load balancing, client request) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (load balancing, client request), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. In distributed multimedia servers where client requests (NAD server, network access, network destination, network clients, network interface, network stack) for different video streams may have different probabilities, placement of video streams is an important parameter because it may result in unbalanced requests to the system's stations, and thus to high blocking probabilities of requests. We present a method, MMPacking, to balance traffic load and storage use in a distributed server environment. Since different video streams are requested by clients with different rates, video stream replication is used to balance the traffic patterns of the stations; thus, the requests and I/O usage of the stations are balanced, since replication allows requests for the same video stream to be routed to different stations. MMPacking achieves load balancing (NAD server, network access, network destination, network clients, network interface, network stack) by producing at most N - 1 replicas of video streams in a system with N servers. These replicas are distributed among the stations so that storage balancing is achieved as well, since no station stores more than two video streams more than any other station in the system.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server (load balancing, client request) comprises a plurality of network protocol programs for accepting requests for network access (load balancing, client request) to the NAD from a plurality of network clients (load balancing, client request) having different operating systems.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. In distributed multimedia servers where client requests (NAD server, network access, network destination, network clients, network interface, network stack) for different video streams may have different probabilities, placement of video streams is an important parameter because it may result in unbalanced requests to the system's stations, and thus to high blocking probabilities of requests. We present a method, MMPacking, to balance traffic load and storage use in a distributed server environment. Since different video streams are requested by clients with different rates, video stream replication is used to balance the traffic patterns of the stations; thus, the requests and I/O usage of the stations are balanced, since replication allows requests for the same video stream to be routed to different stations. MMPacking achieves load balancing (NAD server, network access, network destination, network clients, network interface, network stack) by producing at most N - 1 replicas of video streams in a system with N servers. These replicas are distributed among the stations so that storage balancing is achieved as well, since no station stores more than two video streams more than any other station in the system.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (load balancing, client request) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. In distributed multimedia servers where client requests (NAD server, network access, network destination, network clients, network interface, network stack) for different video streams may have different probabilities, placement of video streams is an important parameter because it may result in unbalanced requests to the system's stations, and thus to high blocking probabilities of requests. We present a method, MMPacking, to balance traffic load and storage use in a distributed server environment. Since different video streams are requested by clients with different rates, video stream replication is used to balance the traffic patterns of the stations; thus, the requests and I/O usage of the stations are balanced, since replication allows requests for the same video stream to be routed to different stations. MMPacking achieves load balancing (NAD server, network access, network destination, network clients, network interface, network stack) by producing at most N - 1 replicas of video streams in a system with N servers. These replicas are distributed among the stations so that storage balancing is achieved as well, since no station stores more than two video streams more than any other station in the system.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (load balancing, client request) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. In distributed multimedia servers where client requests (NAD server, network access, network destination, network clients, network interface, network stack) for different video streams may have different probabilities, placement of video streams is an important parameter because it may result in unbalanced requests to the system's stations, and thus to high blocking probabilities of requests. We present a method, MMPacking, to balance traffic load and storage use in a distributed server environment. Since different video streams are requested by clients with different rates, video stream replication is used to balance the traffic patterns of the stations; thus, the requests and I/O usage of the stations are balanced, since replication allows requests for the same video stream to be routed to different stations. MMPacking achieves load balancing (NAD server, network access, network destination, network clients, network interface, network stack) by producing at most N - 1 replicas of video streams in a system with N servers. These replicas are distributed among the stations so that storage balancing is achieved as well, since no station stores more than two video streams more than any other station in the system.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (load balancing, client request).
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. Same abstract and mapped terms as quoted for claim 5 above.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (load balancing, client request) to the NAD.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. Same abstract and mapped terms as quoted for claim 5 above.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (load balancing, client request) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (load balancing, client request), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. Same abstract and mapped terms as quoted for claim 5 above.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (load balancing, client request) to the NAD is only available through the server.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. Same abstract and mapped terms as quoted for claim 5 above.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface (load balancing, client request) coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (load balancing, client request) includes at least one of an IP address of a network source, an IP address of a network destination (load balancing, client request), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. Same abstract and mapped terms as quoted for claim 5 above.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (load balancing, client request).
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. Same abstract and mapped terms as quoted for claim 5 above.
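The header checks that claims 5, 6, 9, 12, 13 and 16 recite (source and destination IP addresses, the route of the packet, the arrival interface, and a proper port of the NAD) are easy to misread as a single rule. The Python below, added here for illustration and not code from the patent or from either cited reference, carries them out as an on-device filter of the kind the claims describe. Everything in it is an assumption made for the example: the NadPolicy structure, the 192.0.2.0/24 addresses (a documentation range), the interface name lan0, the open ports 445 and 2049, the build_packet helper that constructs the sample packets, and the reading of an IPv4 loose/strict source-route option as the "route of the data packet" that the claims mention.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137


@dataclass(frozen=True)
class NadPolicy:
    """Assumed per-device policy for the example (not from the patent)."""
    nad_address: ipaddress.IPv4Address
    allowed_sources: tuple          # IPv4 networks permitted to reach the NAD
    allowed_interfaces: frozenset   # interfaces on which requests are accepted
    open_ports: frozenset           # the NAD's "proper" service ports


def has_source_route(options: bytes) -> bool:
    """True if the IPv4 option list carries a loose or strict source route
    (the packet's route was chosen by the sender) or is malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            return False
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return True                 # bad option length: refuse rather than guess
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        i += options[i + 1]
    return False


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract source, destination, route information and TCP destination port."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    dport = None
    if proto == IPPROTO_TCP and len(packet) >= ihl + 4:
        _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "source_routed": has_source_route(packet[20:ihl]), "dport": dport}


def authorize(packet: bytes, arrival_interface: str, policy: NadPolicy) -> tuple:
    """Decide on the NAD itself, independently of any perimeter firewall, whether
    one access request is authorized.  Returns (authorized, reason); the data
    management component grants access only when the first element is True."""
    try:
        hdr = parse_ipv4_tcp(packet)
    except ValueError as exc:
        return False, f"malformed header: {exc}"
    if arrival_interface not in policy.allowed_interfaces:           # claims 6 / 13
        return False, f"arrived on unauthorized interface {arrival_interface}"
    if hdr["dst"] != policy.nad_address:                              # destination
        return False, "destination is not this NAD"
    if not any(hdr["src"] in net for net in policy.allowed_sources):  # source
        return False, f"source {hdr['src']} not permitted"
    if hdr["source_routed"]:                                          # route
        return False, "source-routed packet refused"
    if hdr["dport"] not in policy.open_ports:                         # claims 9 / 16
        return False, "no proper port identified"
    return True, f"pass to port {hdr['dport']}"


def build_packet(src: str, dst: str, dport: int, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP header; sample data for the example only."""
    ihl = 20 + len(options)
    assert ihl % 4 == 0 and ihl <= 60
    tcp = struct.pack("!HH", 40000, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(tcp), 1, 0, 64,
                     IPPROTO_TCP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + options + tcp


POLICY = NadPolicy(nad_address=ipaddress.IPv4Address("192.0.2.10"),
                   allowed_sources=(ipaddress.IPv4Network("192.0.2.0/24"),),
                   allowed_interfaces=frozenset({"lan0"}),
                   open_ports=frozenset({445, 2049}))
# Loose source route option (kind 131, length 7, pointer 4, one hop) padded with a NOP.
LSRR = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("198.51.100.1").packed + bytes([IPOPT_NOP])

if __name__ == "__main__":
    for pkt, iface in [(build_packet("192.0.2.20", "192.0.2.10", 445), "lan0"),
                       (build_packet("192.0.2.20", "192.0.2.10", 445), "wan0"),
                       (build_packet("203.0.113.5", "192.0.2.10", 445), "lan0"),
                       (build_packet("192.0.2.20", "192.0.2.10", 445, LSRR), "lan0"),
                       (build_packet("192.0.2.20", "192.0.2.10", 23), "lan0")]:
        print(authorize(pkt, iface, POLICY))
```

Run as a script it prints one authorized decision and four refusals. The decision order matters for reading the dependent claims: a packet that arrives on the wrong interface is refused before its addresses are examined, which is what claims 6 and 13 add to the address-based filtering of claim 5, and the port check is the "proper port" step of claims 9 and 16. Treating a source-routed packet as unauthorized is one reading of the "route of the data packet" limitation, not the only one; the claim text does not say how the route is evaluated.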

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (different rates).
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. In distributed multimedia servers where client requests for different video streams may have different probabilities, placement of video streams is an important parameter because it may result in unbalanced requests to the system's stations, and thus to high blocking probabilities of requests. We present a method, MMPacking, to balance traffic load and storage use in a distributed server environment. Since different video streams are requested by clients with different rates (application layer), video stream replication is used to balance the traffic patterns of the stations; thus, the requests and I/O usage of the stations are balanced, since replication allows requests for the same video stream to be routed to different stations. MMPacking achieves load balancing by producing at most N - 1 replicas of video streams in a system with N servers. These replicas are distributed among the stations so that storage balancing is achieved as well, since no station stores more than two video streams more than any other station in the system.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means (video stream) for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (load balancing, client request), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (load balancing, client request) and other devices in a manner that is in addition to any protection afforded by a firewall.
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. In distributed multimedia servers where client requests (NAD server, network access, network destination, network clients, network interface, network stack) for different video streams (filtering comprises means) may have different probabilities, placement of video streams is an important parameter because it may result in unbalanced requests to the system's stations, and thus to high blocking probabilities of requests. We present a method, MMPacking, to balance traffic load and storage use in a distributed server environment. Since different video streams are requested by clients with different rates, video stream replication is used to balance the traffic patterns of the stations; thus, the requests and I/O usage of the stations are balanced, since replication allows requests for the same video stream to be routed to different stations. MMPacking achieves load balancing (NAD server, network access, network destination, network clients, network interface, network stack) by producing at most N - 1 replicas of video streams in a system with N servers. These replicas are distributed among the stations so that storage balancing is achieved as well, since no station stores more than two video streams more than any other station in the system.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (different rates) of a network stack (load balancing, client request).
MMPacking: A Load And Storage Balancing Algorithm For Distributed Multimedia Servers. In distributed multimedia servers where client requests (NAD server, network access, network destination, network clients, network interface, network stack) for different video streams may have different probabilities, placement of video streams is an important parameter because it may result in unbalanced requests to the system's stations, and thus to high blocking probabilities of requests. We present a method, MMPacking, to balance traffic load and storage use in a distributed server environment. Since different video streams are requested by clients with different rates (application layer), video stream replication is used to balance the traffic patterns of the stations; thus, the requests and I/O usage of the stations are balanced, since replication allows requests for the same video stream to be routed to different stations. MMPacking achieves load balancing (NAD server, network access, network destination, network clients, network interface, network stack) by producing at most N - 1 replicas of video streams in a system with N servers. These replicas are distributed among the stations so that storage balancing is achieved as well, since no station stores more than two video streams more than any other station in the system.




1997 IEEE International Performance, Computing and Communications Conference, pp. 525-531, 1997

Publication Year: 1997

Threat-adaptive Security Policy

Arizona State University

Venkatesan, Bhattacharya, IEEE
US7739302B2
CLAIM 24
The apparatus of claim 23, wherein the managing means (EC application) is further configured to manage access over a SCSI interface.
Threat-adaptive Security Policy. Secure systems have traditionally paid little attention to performance. This is because current secure systems apply a uniform and statically decided upon security policy to each user and do not associate an individualized level of trust with each user at run-time. This paper describes a new framework of threat and performance driven security. A Threat-Adaptive model which enforces a dynamic and individualized security policy mechanism, with a Trust state machine capturing the different security levels, is proposed. This paper discusses a Threat-Adaptive Firewall designed for an EC application (managing means), which adaptively varies the security constraints for each user, thereby improving the system performance.

US7739302B2
CLAIM 27
The apparatus of claim 22, wherein the requests comprise one (different security) of a plurality of protocols.
Threat-adaptive Security Policy. Secure systems have traditionally paid little attention to performance. This is because current secure systems apply a uniform and statically decided upon security policy to each user and do not associate an individualized level of trust with each user at run-time. This paper describes a new framework of threat and performance driven security. A Threat-Adaptive model which enforces a dynamic and individualized security policy mechanism, with a Trust state machine capturing the different security (requests comprise one) levels, is proposed. This paper discusses a Threat-Adaptive Firewall designed for an EC application, which adaptively varies the security constraints for each user, thereby improving the system performance.




GB2318031A

Filed: 1997-09-12     Issued: 1998-04-08

Network firewall with proxy

(Original Assignee) Secure Computing LLC     (Current Assignee) Secure Computing LLC

Michael W Green, Ricky Ronald Kruse
US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests for network access to the NAD from a plurality of network clients having different operating (remote operation) systems.
GB2318031A
CLAIM 6
The network communication session manager of claim 1 wherein the communication session manager acts as a RFC 1006 proxy for open system interconnect (OSI) applications which employ Association Control Service Elements (ACSE) and remote operations (different operating) service elements (ROSE).

GB2318031A
CLAIM 14
A storage medium having a computer program (network protocol programs) stored thereon for causing a suitably programmed system to ensure secure communications between a requesting application entity and a serving application entity, by performing the following steps when such program is executed on the system: responding to an entity requesting a connection to the serving application entity;
establishing a transparent session connection between the proxy and the requesting entity;
monitoring communication from the requesting entity for conformance to a selected communication protocol;
and relaying communication from the requesting entity to the serving entity responsive to the conformance to the selected communication protocol.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (session manager) with each other over a same network, the NAD comprising;

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
GB2318031A
CLAIM 1
A network communication session manager (electronic communication, network interface) comprising: a connection manager that responds to an entity requesting a connection to a remote responding entity by establishing a parent session connection between the communication session manager and the requesting entity;
a security monitor, operatively coupled to the connection manager, that monitors communication from the requesting entity for conformance to predefined conditions and wherein the connection manager, responsive to the security monitor, establishes an independent connection to the responding entity;
and a relay, operatively coupled to the connection manager, that relays communication from the requesting entity to the device under the control of the connection manager when both connections are operative.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (session manager).
GB2318031A
CLAIM 1
Same claim 1 text and mapped terms as quoted for US claim 5 above.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface (session manager) coupled to the processing unit and to a network;

an attached device interface (following steps) coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
GB2318031A
CLAIM 1
Same claim 1 text and mapped terms as quoted for US claim 5 above.

GB2318031A
CLAIM 14
A storage medium having a computer program stored thereon for causing a suitably programmed system to ensure secure communications between a requesting application entity and a serving application entity, by performing the following steps (device interface, storage device) when such program is executed on the system: responding to an entity requesting a connection to the serving application entity;
establishing a transparent session connection between the proxy and the requesting entity;
monitoring communication from the requesting entity for conformance to a selected communication protocol;
and relaying communication from the requesting entity to the serving entity responsive to the conformance to the selected communication protocol.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (session manager).
GB2318031A
CLAIM 1
Same claim 1 text and mapped terms as quoted for US claim 5 above.

US7739302B2
CLAIM 15
The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit to selectively generate a packet for communication to an intermediary computing (remote device) device, the selectively generated packet containing the request for access to the directly attached device.
GB2318031A
CLAIM 7
A network communication session manager comprising: a connection manager that responds to a requesting entity for a connection to a remote device (intermediary computing) and transparently establishes an independent connection between the network communication session manager and the remote device;
a security monitor, operatively coupled to the connection manager, that monitors and selectively modifies data communicated from the requesting entity for conformance to supported protocol standards and adherence to a defined security policy;
and a relay, operatively coupled to the connection manager, that relays communication from the requesting entity and the remote device when both connections are operative under the control of the security monitor.
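GB2318031A claims 1, 7 and 14 together describe a proxy that owns the session with the requesting entity, monitors each protocol data unit for conformance to a selected protocol and a security policy, and only then opens an independent connection to the serving entity and relays; that is application-layer control of the kind US7739302B2 claims 17 and 28 recite, as opposed to the header filtering of claim 5. The Python below is an added illustration of that session-manager design, not code from either patent. The DEVICE/1.0 request grammar, the per-entity verb policy, the NonConforming/PolicyDenied split and the in-memory DeviceServer standing in for the serving entity are all assumptions made up for the example.

```python
import re

# Toy application protocol understood by the session manager.  The regex is the
# "selected communication protocol" that the security monitor checks PDUs against.
PDU_RE = re.compile(rb"\ADEVICE/1\.0 (READ|WRITE|LIST) (/[A-Za-z0-9_./-]*)\r\n\Z")


class NonConforming(Exception):
    """PDU violates the protocol grammar: the parent session is torn down."""


class PolicyDenied(Exception):
    """PDU is well formed but the security policy forbids it for this entity."""


class DeviceServer:
    """Stand-in for the serving application entity (the attached device).  It counts
    the independent connections opened to it, so the example can show that nothing
    reaches it on behalf of entities whose PDUs the monitor rejects."""

    def __init__(self):
        self.connections = 0
        self.files = {"/volumes/a": b"alpha"}     # constructed sample content

    def connect(self):
        """Open an independent connection; returns a request/reply transaction."""
        self.connections += 1

        def transact(pdu: bytes) -> bytes:
            verb, path = (g.decode() for g in PDU_RE.match(pdu).groups())
            if verb == "LIST":
                return b"DEVICE/1.0 200 " + " ".join(sorted(self.files)).encode() + b"\r\n"
            if verb == "READ" and path in self.files:
                return b"DEVICE/1.0 200 " + self.files[path] + b"\r\n"
            if verb == "WRITE":
                self.files[path] = b""
                return b"DEVICE/1.0 201\r\n"
            return b"DEVICE/1.0 404\r\n"

        return transact


class SessionManager:
    """Connection manager + security monitor + relay: it owns the parent session with
    the requesting entity and only opens (and relays over) an independent connection
    to the serving entity once a PDU has passed the monitor."""

    def __init__(self, connect_to_server, policy):
        self._connect = connect_to_server   # opens the independent connection
        self._policy = policy               # entity id -> verbs it may use (assumed)
        self.log = []

    def monitor(self, entity_id: str, pdu: bytes) -> bytes:
        match = PDU_RE.match(pdu)
        if match is None:
            raise NonConforming("not a DEVICE/1.0 request")
        verb, path = (g.decode() for g in match.groups())
        if ".." in path.split("/"):
            raise NonConforming("path traversal")
        if verb not in self._policy.get(entity_id, set()):
            raise PolicyDenied(f"{verb} not permitted for {entity_id}")
        return pdu                          # a stricter monitor could rewrite it here

    def serve(self, entity_id: str, inbound: list) -> list:
        """Run one parent session over the PDUs in `inbound`; return the replies
        sent back to the requesting entity."""
        replies, transact = [], None
        for pdu in inbound:
            try:
                pdu = self.monitor(entity_id, pdu)
            except NonConforming as exc:
                self.log.append(f"{entity_id}: closed: {exc}")
                replies.append(b"DEVICE/1.0 400 " + str(exc).encode() + b"\r\n")
                break                       # tear down; later PDUs are never read
            except PolicyDenied as exc:
                self.log.append(f"{entity_id}: denied: {exc}")
                replies.append(b"DEVICE/1.0 403 " + str(exc).encode() + b"\r\n")
                continue                    # nothing is relayed for this PDU
            if transact is None:
                transact = self._connect()  # independent connection, opened lazily
                self.log.append(f"{entity_id}: connected to serving entity")
            replies.append(transact(pdu))   # relay the request, relay the reply
        return replies


if __name__ == "__main__":
    server = DeviceServer()
    manager = SessionManager(server.connect, {"client-a": {"READ", "LIST"}})
    for reply in manager.serve("client-a", [b"DEVICE/1.0 LIST /\r\n",
                                            b"DEVICE/1.0 WRITE /volumes/b\r\n",
                                            b"DEVICE/1.0 READ /volumes/a\r\n",
                                            b"GET / HTTP/1.1\r\n",
                                            b"DEVICE/1.0 READ /volumes/a\r\n"]):
        print(reply)
    print(manager.serve("client-b", [b"DEVICE/1.0 READ /volumes/a\r\n"]), server.connections)
```

The serving entity's connection count is the point of the independent-connection design: a requesting entity that never produces a conforming, policy-permitted PDU never causes a connection to the device at all, so the device is shielded from protocol-level abuse and not only from bad addresses. A grammar failure tears the session down, while a policy denial answers 403 and keeps the session open; either choice fits the claim language, which only requires that relaying be responsive to conformance.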

US7739302B2
CLAIM 16
The apparatus of claim 12, wherein the instructions, when executed, cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps).
GB2318031A
CLAIM 14
Same claim 14 text and mapped terms as quoted for US claim 12 above.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (application layer).
GB2318031A
CLAIM 4
. The network communication session manager of claim 3 wherein the security monitor monitors protocol information and data (PDUs) at the OSI transport , session , presentation and application layers (application layer) and the relay relays such PDUs to the responding entity .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps) comprises a SCSI interface .
GB2318031A
CLAIM 14
. A storage medium having a computer program stored thereon for causing a suitably programmed system to ensure secure communications between a requesting application entity and a serving application entity , by performing the following steps (device interface, storage device) when such program is executed on the system : responding to an entity requesting a connection to the serving application entity ;
establishing a transparent session connection between the proxy and the requesting entity ;
monitoring communication from the requesting entity for conformance to a selected communication protocol ;
and relaying communication from the requesting entity to the serving entity responsive to the conformance to the selected communication protocol .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps) , and a video codec .
GB2318031A
CLAIM 14
. A storage medium having a computer program stored thereon for causing a suitably programmed system to ensure secure communications between a requesting application entity and a serving application entity , by performing the following steps (device interface, storage device) when such program is executed on the system : responding to an entity requesting a connection to the serving application entity ;
establishing a transparent session connection between the proxy and the requesting entity ;
monitoring communication from the requesting entity for conformance to a selected communication protocol ;
and relaying communication from the requesting entity to the serving entity responsive to the conformance to the selected communication protocol .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (following steps) if the request is allowed .
GB2318031A
CLAIM 14
. A storage medium having a computer program stored thereon for causing a suitably programmed system to ensure secure communications between a requesting application entity and a serving application entity , by performing the following steps (device interface, storage device) when such program is executed on the system : responding to an entity requesting a connection to the serving application entity ;
establishing a transparent session connection between the proxy and the requesting entity ;
monitoring communication from the requesting entity for conformance to a selected communication protocol ;
and relaying communication from the requesting entity to the serving entity responsive to the conformance to the selected communication protocol .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer (application layer) of a network stack .
GB2318031A
CLAIM 4
. The network communication session manager of claim 3 wherein the security monitor monitors protocol information and data (PDUs) at the OSI transport , session , presentation and application layers (application layer) and the relay relays such PDUs to the responding entity .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps) , and a video codec .
GB2318031A
CLAIM 14
. A storage medium having a computer program stored thereon for causing a suitably programmed system to ensure secure communications between a requesting application entity and a serving application entity , by performing the following steps (device interface, storage device) when such program is executed on the system : responding to an entity requesting a connection to the serving application entity ;
establishing a transparent session connection between the proxy and the requesting entity ;
monitoring communication from the requesting entity for conformance to a selected communication protocol ;
and relaying communication from the requesting entity to the serving entity responsive to the conformance to the selected communication protocol .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5642337A

Filed: 1996-09-09     Issued: 1997-06-24

Network with optical mass storage devices

(Original Assignee) Sony Corp; Sony Electronics Inc     (Current Assignee) Sony Corp ; Sony Electronics Inc

Orhun Oskay, Sanjay Kapoor, Phillip Hiroshige
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (data packet) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5642337A
CLAIM 2
. A data storage and retrieval system as set forth in claim 1 wherein the processing means further comprises means for encoding the SCSI commands into data packets (data packet) in accordance with the protocol and sending the packets to the network controller for transmission over the network to the slave jukebox .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (data reproducing apparatus) .
US5642337A
CLAIM 1
. A data storage and retrieval system comprising ;
a network having a network protocol communication scheme , a computer having a central processing section , a SCSI controller , and a network controller coupled to the network , the computer receiving requests for data stored in the data storage and retrieval system , a master jukebox having a first plurality of media for storing data , a data reproducing apparatus (different operating systems) for reproducing data stored on any of the media , and a SCSI controller coupled to communicate with the SCSI controller of the computer , a slave jukebox having a second plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller , a slave interface unit having a central processing section , a SCSI controller coupled to the SCSI controller of the slave jukebox , and a network controller coupled to the network , and processing means within the central processing section of the computer for determining whether data responsive to a data request is on a medium located in the master jukebox or the slave jukebox , for formulating SCSI commands for causing the master or slave jukebox within which the responsive data is located to reproduce the data , for encoding the SCSI commands in accordance with the network protocol if the data is on a medium located in the slave jukebox , and for sending the instructions to the jukebox within which the responsive data is located .

US7739302B2
CLAIM 3
. The network arrangement of claim 1 , wherein the computer-executable instructions comprise distributed program modules (data buffer) .
US5642337A
CLAIM 11
. A data storage and retrieval apparatus as set forth in claim 10 wherein the central processing section of the computer comprises a central processing unit , an instruction memory for storing software for running the central processing unit and a random access memory for data buffering (program modules) .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (data packet) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5642337A
CLAIM 2
. A data storage and retrieval system as set forth in claim 1 wherein the processing means further comprises means for encoding the SCSI commands into data packets (data packet) in accordance with the protocol and sending the packets to the network controller for transmission over the network to the slave jukebox .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (receiving requests) with each other over a same network , the NAD comprising ;

a data management component (receiving requests) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (data packet) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5642337A
CLAIM 1
. A data storage and retrieval system comprising ;
a network having a network protocol communication scheme , a computer having a central processing section , a SCSI controller , and a network controller coupled to the network , the computer receiving requests (electronic communication, data management component, receiving requests) for data stored in the data storage and retrieval system , a master jukebox having a first plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller coupled to communicate with the SCSI controller of the computer , a slave jukebox having a second plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller , a slave interface unit having a central processing section , a SCSI controller coupled to the SCSI controller of the slave jukebox , and a network controller coupled to the network , and processing means within the central processing section of the computer for determining whether data responsive to a data request is on a medium located in the master jukebox or the slave jukebox , for formulating SCSI commands for causing the master or slave jukebox within which the responsive data is located to reproduce the data , for encoding the SCSI commands in accordance with the network protocol if the data is on a medium located in the slave jukebox , and for sending the instructions to the jukebox within which the responsive data is located .

US5642337A
CLAIM 2
. A data storage and retrieval system as set forth in claim 1 wherein the processing means further comprises means for encoding the SCSI commands into data packets (data packet) in accordance with the protocol and sending the packets to the network controller for transmission over the network to the slave jukebox .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (data packet) arrived via an authorized network interface .
US5642337A
CLAIM 2
. A data storage and retrieval system as set forth in claim 1 wherein the processing means further comprises means for encoding the SCSI commands into data packets (data packet) in accordance with the protocol and sending the packets to the network controller for transmission over the network to the slave jukebox .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (data packet) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5642337A
CLAIM 2
. A data storage and retrieval system as set forth in claim 1 wherein the processing means further comprises means for encoding the SCSI commands into data packets (data packet) in accordance with the protocol and sending the packets to the network controller for transmission over the network to the slave jukebox .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5642337A
CLAIM 2
. A data storage and retrieval system as set forth in claim 1 wherein the processing means further comprises means for encoding the SCSI commands into data packets (data packet) in accordance with the protocol and sending the packets to the network controller for transmission over the network to the slave jukebox .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (requested data) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5642337A
CLAIM 2
. A data storage and retrieval system as set forth in claim 1 wherein the processing means further comprises means for encoding the SCSI commands into data packets (data packet) in accordance with the protocol and sending the packets to the network controller for transmission over the network to the slave jukebox .

US5642337A
CLAIM 11
. A data storage and retrieval apparatus as set forth in claim 10 wherein the central processing section of the computer comprises a central processing unit (processing unit) , an instruction memory for storing software for running the central processing unit and a random access memory for data buffering .

US5642337A
CLAIM 15
. A method for storing and retrieving data from a data storage and retrieval system , the system comprising a plurality of disks contained in a plurality of jukeboxes intercoupled over a network , a computer which receives requests for data stored in the data storage system , a master jukebox coupled to the computer through an SCSI protocol connection and having a first plurality of media for storing data , a slave jukebox having a second plurality of media for storing data , and a slave interface unit coupled to the slave jukebox through a SCSI protocol connection and also coupled to the network , the method comprising the steps of ;
(1) receiving a request from a client for data stored in the data storage and retrieval system , (2) determining which of the disks contains the requested data (storing instructions) , and which of the jukeboxes contains that disk , (3) creating a SCSI command for operating the jukebox which contains the disk identified in step (2) to reproduce the requested data , (4) encoding the SCSI command into a data packet in accordance with a protocol of the network , if the disk identified in step (2) is located in the slave jukebox , (5) sending the command to the jukebox identified in step (2) , (6) receiving data responsive to the request from the jukebox identified in step (2) , (7) if the data received in step (5) is received from the slave jukebox , decoding the data , and (8) transmitting the decoded data to the client .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
US5642337A
CLAIM 11
. A data storage and retrieval apparatus as set forth in claim 10 wherein the central processing section of the computer comprises a central processing unit (processing unit) , an instruction memory for storing software for running the central processing unit and a random access memory for data buffering .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
US5642337A
CLAIM 11
. A data storage and retrieval apparatus as set forth in claim 10 wherein the central processing section of the computer comprises a central processing unit (processing unit) , an instruction memory for storing software for running the central processing unit and a random access memory for data buffering .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
US5642337A
CLAIM 11
. A data storage and retrieval apparatus as set forth in claim 10 wherein the central processing section of the computer comprises a central processing unit (processing unit) , an instruction memory for storing software for running the central processing unit and a random access memory for data buffering .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US5642337A
CLAIM 11
. A data storage and retrieval apparatus as set forth in claim 10 wherein the central processing section of the computer comprises a central processing unit (processing unit) , an instruction memory for storing software for running the central processing unit and a random access memory for data buffering .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (protocol connection) .
US5642337A
CLAIM 15
. A method for storing and retrieving data from a data storage and retrieval system , the system comprising a plurality of disks contained in a plurality of jukeboxes intercoupled over a network , a computer which receives requests for data stored in the data storage system , a master jukebox coupled to the computer through an SCSI protocol connection (network protocols) and having a first plurality of media for storing data , a slave jukebox having a second plurality of media for storing data , and a slave interface unit coupled to the slave jukebox through a SCSI protocol connection and also coupled to the network , the method comprising the steps of ;
(1) receiving a request from a client for data stored in the data storage and retrieval system , (2) determining which of the disks contains the requested data , and which of the jukeboxes contains that disk , (3) creating a SCSI command for operating the jukebox which contains the disk identified in step (2) to reproduce the requested data , (4) encoding the SCSI command into a data packet in accordance with a protocol of the network , if the disk identified in step (2) is located in the slave jukebox , (5) sending the command to the jukebox identified in step (2) , (6) receiving data responsive to the request from the jukebox identified in step (2) , (7) if the data received in step (5) is received from the slave jukebox , decoding the data , and (8) transmitting the decoded data to the client .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (protocol connection) is TCP/IP .
US5642337A
CLAIM 15
. A method for storing and retrieving data from a data storage and retrieval system , the system comprising a plurality of disks contained in a plurality of jukeboxes intercoupled over a network , a computer which receives requests for data stored in the data storage system , a master jukebox coupled to the computer through an SCSI protocol connection (network protocols) and having a first plurality of media for storing data , a slave jukebox having a second plurality of media for storing data , and a slave interface unit coupled to the slave jukebox through a SCSI protocol connection and also coupled to the network , the method comprising the steps of ;
(1) receiving a request from a client for data stored in the data storage and retrieval system , (2) determining which of the disks contains the requested data , and which of the jukeboxes contains that disk , (3) creating a SCSI command for operating the jukebox which contains the disk identified in step (2) to reproduce the requested data , (4) encoding the SCSI command into a data packet in accordance with a protocol of the network , if the disk identified in step (2) is located in the slave jukebox , (5) sending the command to the jukebox identified in step (2) , (6) receiving data responsive to the request from the jukebox identified in step (2) , (7) if the data received in step (5) is received from the slave jukebox , decoding the data , and (8) transmitting the decoded data to the client .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data request) .
US5642337A
CLAIM 1
. A data storage and retrieval system comprising ;
a network having a network protocol communication scheme , a computer having a central processing section , a SCSI controller , and a network controller coupled to the network , the computer receiving requests for data stored in the data storage and retrieval system , a master jukebox having a first plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller coupled to communicate with the SCSI controller of the computer , a slave jukebox having a second plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller , a slave interface unit having a central processing section , a SCSI controller coupled to the SCSI controller of the slave jukebox , and a network controller coupled to the network , and processing means within the central processing section of the computer for determining whether data responsive to a data request (SCSI interface) is on a medium located in the master jukebox or the slave jukebox , for formulating SCSI commands for causing the master or slave jukebox within which the responsive data is located to reproduce the data , for encoding the SCSI commands in accordance with the network protocol if the data is on a medium located in the slave jukebox , and for sending the instructions to the jukebox within which the responsive data is located .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (receiving requests) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (data packet) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (hard disk) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5642337A
CLAIM 1
. A data storage and retrieval system comprising ;
a network having a network protocol communication scheme , a computer having a central processing section , a SCSI controller , and a network controller coupled to the network , the computer receiving requests (electronic communication, data management component, receiving requests) for data stored in the data storage and retrieval system , a master jukebox having a first plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller coupled to communicate with the SCSI controller of the computer , a slave jukebox having a second plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller , a slave interface unit having a central processing section , a SCSI controller coupled to the SCSI controller of the slave jukebox , and a network controller coupled to the network , and processing means within the central processing section of the computer for determining whether data responsive to a data request is on a medium located in the master jukebox or the slave jukebox , for formulating SCSI commands for causing the master or slave jukebox within which the responsive data is located to reproduce the data , for encoding the SCSI commands in accordance with the network protocol if the data is on a medium located in the slave jukebox , and for sending the instructions to the jukebox within which the responsive data is located .

US5642337A
CLAIM 2
. A data storage and retrieval system as set forth in claim 1 wherein the processing means further comprises means for encoding the SCSI commands into data packets (data packet) in accordance with the protocol and sending the packets to the network controller for transmission over the network to the slave jukebox .

US5642337A
CLAIM 3
. A data storage and retrieval system as set forth in claim 2 further comprising a hard disk (filtering means) drive coupled to the computer , the hard disk drive comprising a file system for determining the location of data responsive to a request .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (data request) .
US5642337A
CLAIM 1
. A data storage and retrieval system comprising ;
a network having a network protocol communication scheme , a computer having a central processing section , a SCSI controller , and a network controller coupled to the network , the computer receiving requests for data stored in the data storage and retrieval system , a master jukebox having a first plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller coupled to communicate with the SCSI controller of the computer , a slave jukebox having a second plurality of media for storing data , a data reproducing apparatus for reproducing data stored on any of the media , and a SCSI controller , a slave interface unit having a central processing section , a SCSI controller coupled to the SCSI controller of the slave jukebox , and a network controller coupled to the network , and processing means within the central processing section of the computer for determining whether data responsive to a data request (SCSI interface) is on a medium located in the master jukebox or the slave jukebox , for formulating SCSI commands for causing the master or slave jukebox within which the responsive data is located to reproduce the data , for encoding the SCSI commands in accordance with the network protocol if the data is on a medium located in the slave jukebox , and for sending the instructions to the jukebox within which the responsive data is located .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (hard disk) is further configured to carry out the filtering at an application layer of a network stack .
US5642337A
CLAIM 3
. A data storage and retrieval system as set forth in claim 2 further comprising a hard disk (filtering means) drive coupled to the computer , the hard disk drive comprising a file system for determining the location of data responsive to a request .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5692124A

Filed: 1996-08-30     Issued: 1997-11-25

Support of limited write downs through trustworthy predictions in multilevel security of computer network communications

(Original Assignee) ITT Industries Inc     (Current Assignee) Micron Technology Inc

James M. Holden, Stephen E. Levin, Edwin H. Wrench, Jr.
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (feedback message, data packet) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5692124A
CLAIM 12
. A method for securing data with a user at a higher security classification level against covert transference in acknowledgment messages during communications with a user at a lower security classification level not permitted access to the data , said method comprising the steps of : sending data by said user at a lower security classification level to said user at a higher security classification level ;
predicting the content of permissible acknowledgment messages from said user at a higher security classification level to said user at a lower security classification level based only on information (network destination) residing with said user at a lower security classification level ;
and , releasing said acknowledgment messages which have a predetermined match to said user content of permissible acknowledgment messages .

US5692124A
CLAIM 13
. The method in accordance with claim 12 , wherein said acknowledgment messages are Internet protocol (IP) feedback messages (data packet) supporting a legitimate transfer of said data with said user at a lower security classification level to said user at a higher security classification level .

US5692124A
CLAIM 15
. The method in accordance with claim 14 , wherein the sequence and exact content of each said acknowledgment message generated with said user at a higher security classification level is determined based on the TFTP data packets (data packet) originating from said user at a lower security classification level .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (feedback message, data packet) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5692124A
CLAIM 13
. The method in accordance with claim 12 , wherein said acknowledgment messages are Internet protocol (IP) feedback messages (data packet) supporting a legitimate transfer of said data with said user at a lower security classification level to said user at a higher security classification level .

US5692124A
CLAIM 15
. The method in accordance with claim 14 , wherein the sequence and exact content of each said acknowledgment message generated with said user at a higher security classification level is determined based on the TFTP data packets (data packet) originating from said user at a lower security classification level .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (feedback message, data packet) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (source address, IP addresses) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5692124A
CLAIM 7
. The method in accordance with claim 1 , wherein the data transfers from said user at a lower security classification level to said user at a higher security classification level are Internet Protocol (IP) datagrams that are unit packets of deterministic data and nondeterministic data including IP addresses (IP addresses) .

US5692124A
CLAIM 13
. The method in accordance with claim 12 , wherein said acknowledgment messages are Internet protocol (IP) feedback messages (data packet) supporting a legitimate transfer of said data with said user at a lower security classification level to said user at a higher security classification level .

US5692124A
CLAIM 15
. The method in accordance with claim 14 , wherein the sequence and exact content of each said acknowledgment message generated with said user at a higher security classification level is determined based on the TFTP data packets (data packet) originating from said user at a lower security classification level .

US5692124A
CLAIM 23
. The method in accordance with claim 22 , wherein building trust in IP addresses includes source and destination pairs going from said user at a lower security classification level to said user at a higher security classification level , said source and destination pairs being saved and used to predict destination and source addresses (IP addresses) that would be a part of the predicted acknowledgment messages .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (feedback message, data packet) arrived via an authorized network interface .
US5692124A
CLAIM 13
. The method in accordance with claim 12 , wherein said acknowledgment messages are Internet protocol (IP) feedback messages (data packet) supporting a legitimate transfer of said data with said user at a lower security classification level to said user at a higher security classification level .

US5692124A
CLAIM 15
. The method in accordance with claim 14 , wherein the sequence and exact content of each said acknowledgment message generated with said user at a higher security classification level is determined based on the TFTP data packets (data packet) originating from said user at a lower security classification level .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (feedback message, data packet) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5692124A
CLAIM 13
. The method in accordance with claim 12 , wherein said acknowledgment messages are Internet protocol (IP) feedback messages (data packet) supporting a legitimate transfer of said data with said user at a lower security classification level to said user at a higher security classification level .

US5692124A
CLAIM 15
. The method in accordance with claim 14 , wherein the sequence and exact content of each said acknowledgment message generated with said user at a higher security classification level is determined based on the TFTP data packets (data packet) originating from said user at a lower security classification level .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (feedback message, data packet) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5692124A
CLAIM 12
. A method for securing data with a user at a higher security classification level against covert transference in acknowledgment messages during communications with a user at a lower security classification level not permitted access to the data , said method comprising the steps of : sending data by said user at a lower security classification level to said user at a higher security classification level ;
predicting the content of permissible acknowledgment messages from said user at a higher security classification level to said user at a lower security classification level based only on information (network destination) residing with said user at a lower security classification level ;
and , releasing said acknowledgment messages which have a predetermined match to said user content of permissible acknowledgment messages .

US5692124A
CLAIM 13
. The method in accordance with claim 12 , wherein said acknowledgment messages are Internet protocol (IP) feedback messages (data packet) supporting a legitimate transfer of said data with said user at a lower security classification level to said user at a higher security classification level .

US5692124A
CLAIM 15
. The method in accordance with claim 14 , wherein the sequence and exact content of each said acknowledgment message generated with said user at a higher security classification level is determined based on the TFTP data packets (data packet) originating from said user at a lower security classification level .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (feedback message, data packet) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5692124A
CLAIM 12
. A method for securing data with a user at a higher security classification level against covert transference in acknowledgment messages during communications with a user at a lower security classification level not permitted access to the data , said method comprising the steps of : sending data by said user at a lower security classification level to said user at a higher security classification level ;
predicting the content of permissible acknowledgment messages from said user at a higher security classification level to said user at a lower security classification level based only on information (network destination) residing with said user at a lower security classification level ;
and , releasing said acknowledgment messages which have a predetermined match to said user content of permissible acknowledgment messages .

US5692124A
CLAIM 13
. The method in accordance with claim 12 , wherein said acknowledgment messages are Internet protocol (IP) feedback messages (data packet) supporting a legitimate transfer of said data with said user at a lower security classification level to said user at a higher security classification level .

US5692124A
CLAIM 15
. The method in accordance with claim 14 , wherein the sequence and exact content of each said acknowledgment message generated with said user at a higher security classification level is determined based on the TFTP data packets (data packet) originating from said user at a lower security classification level .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (data transfers) device , the selectively generated packet containing the request for access to the directly attached device .
US5692124A
CLAIM 1
. A method for securing classified data residing with a user at a higher security classification level from covert transference with acknowledgment messages by said user at a higher security classification level for confirming data transfers (intermediary computing, receiving requests) across a computer network to a user at a lower security classification level , said method comprising the steps of : sending data from said user at a lower security classification level with delivery information to said user at a higher security classification level ;
predicting the user content of permissible acknowledgment messages supporting a legitimate transfer of said data from said user at a lower security classification level to said user at a higher security classification level ;
and , releasing the predicted acknowledgment messages from said user at a higher security classification level to said user at a lower security classification level when the predicted acknowledgment message is a predetermined match with the content of said permissible acknowledgment messages .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (data transfers) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet (feedback message, data packet) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5692124A
CLAIM 1
. A method for securing classified data residing with a user at a higher security classification level from covert transference with acknowledgment messages by said user at a higher security classification level for confirming data transfers (intermediary computing, receiving requests) across a computer network to a user at a lower security classification level , said method comprising the steps of : sending data from said user at a lower security classification level with delivery information to said user at a higher security classification level ;
predicting the user content of permissible acknowledgment messages supporting a legitimate transfer of said data from said user at a lower security classification level to said user at a higher security classification level ;
and , releasing the predicted acknowledgment messages from said user at a higher security classification level to said user at a lower security classification level when the predicted acknowledgment message is a predetermined match with the content of said permissible acknowledgment messages .

US5692124A
CLAIM 12
. A method for securing data with a user at a higher security classification level against covert transference in acknowledgment messages during communications with a user at a lower security classification level not permitted access to the data , said method comprising the steps of : sending data by said user at a lower security classification level to said user at a higher security classification level ;
predicting the content of permissible acknowledgment messages from said user at a higher security classification level to said user at a lower security classification level based only on information (network destination) residing with said user at a lower security classification level ;
and , releasing said acknowledgment messages which have a predetermined match to said user content of permissible acknowledgment messages .

US5692124A
CLAIM 13
. The method in accordance with claim 12 , wherein said acknowledgment messages are Internet protocol (IP) feedback messages (data packet) supporting a legitimate transfer of said data with said user at a lower security classification level to said user at a higher security classification level .

US5692124A
CLAIM 15
. The method in accordance with claim 14 , wherein the sequence and exact content of each said acknowledgment message generated with said user at a higher security classification level is determined based on the TFTP data packets (data packet) originating from said user at a lower security classification level .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5757924A

Filed: 1995-09-18     Issued: 1998-05-26

Network security device which performs MAC address translation without affecting the IP address

(Original Assignee) Digital Secured Networks Tech Inc     (Current Assignee) Broadband Capital Corp

Aharon Friedman, Ben Zion Levy
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (work layer, public key) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second data) for network access (work layer, public key) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (database containing information, network interface) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5757924A
CLAIM 7
. The network security device of claim 1 wherein said network security device maintains a first database containing information (network destination, network interface) indicating an IP address and a permanent public key (network client, network access, providing network access) for one or more nodes in said network .

US5757924A
CLAIM 8
. The network security device of claim 7 wherein said network security device maintains a second database (data packet) indicating for one or more nodes in said network , an IP address , and a common session key with said at least one particular node .

US5757924A
CLAIM 10
. A network security device configured to protect at least one particular node , the node having an Internet address and which communicates via a network , comprising : a . a first interface connected to the at least one particular node and having a first MAC address , b . a second interface connected to the network and having a second MAC address , and c . a processing circuit connected to said first and second interfaces , said processing circuit : (1) for a packet received at said first interface from said one particular node and the packet having a header including a source address that is the Internet address of the at least one particular node and said first MAC address , the circuit configured to translate the first MAC address in the received packet header into the second MAC address before said packet is transmitted into said network by said second network interface (network destination, network interface) and leaving the Internet address of the received packet header unencrypted ;
and (2) for a packet received at said second interface from said network and the packet having a header including a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface , the circuit configured to translate the second MAC address in the received packet header into the first MAC address before said packet is transmitted to said at least one particular node and leaving the Internet address of the received packet header unencrypted .

US5757924A
CLAIM 19
. A network security device connected between : (1) a node having an Internet address and (2) a communication network , the device comprising : (a) a first interface connected to at least one node , the first interface having a first media access control (MAC) address ;
(b) a second interface connected to the communication network and having a second MAC address ;
(c) a processor connected to the first and second interfaces , the processor configured to : (1) receive a packet from the first interface , the packet having a transport layer header , a network layer (network client, network access, providing network access) header , and the first MAC address ;
the processor configured to replace the first MAC address with the second MAC address in the received packet , to encrypt the received transport layer header , and to not encrypt the received network layer header ;
and to transmit the packet to the second interface ;
and (2) receive a packet from the second interface , the packet having an encrypted transport layer header , an unencrypted network layer header , and the second MAC address ;
the processor configured to replace the second MAC address with the first MAC address in the received packet , decrypt the packet including the transport layer header , and to transmit the packet to the first interface .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (work layer, public key) to the NAD from a plurality of network clients having different operating systems .
US5757924A
CLAIM 7
. The network security device of claim 1 wherein said network security device maintains a first database containing information indicating an IP address and a permanent public key (network client, network access, providing network access) for one or more nodes in said network .

US5757924A
CLAIM 19
. A network security device connected between : (1) a node having an Internet address and (2) a communication network , the device comprising : (a) a first interface connected to at least one node , the first interface having a first media access control (MAC) address ;
(b) a second interface connected to the communication network and having a second MAC address ;
(c) a processor connected to the first and second interfaces , the processor configured to : (1) receive a packet from the first interface , the packet having a transport layer header , a network layer (network client, network access, providing network access) header , and the first MAC address ;
the processor configured to replace the first MAC address with the second MAC address in the received packet , to encrypt the received transport layer header , and to not encrypt the received network layer header ;
and to transmit the packet to the second interface ;
and (2) receive a packet from the second interface , the packet having an encrypted transport layer header , an unencrypted network layer header , and the second MAC address ;
the processor configured to replace the second MAC address with the first MAC address in the received packet , decrypt the packet including the transport layer header , and to transmit the packet to the first interface .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (work layer, public key) to the NAD is authorized comprises determining whether information in the header of a received data packet (second data) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5757924A
CLAIM 7
. The network security device of claim 1 wherein said network security device maintains a first database containing information indicating an IP address and a permanent public key (network client, network access, providing network access) for one or more nodes in said network .

US5757924A
CLAIM 8
. The network security device of claim 7 wherein said network security device maintains a second database (data packet) indicating for one or more nodes in said network , an IP address , and a common session key with said at least one particular node .

US5757924A
CLAIM 19
. A network security device connected between : (1) a node having an Internet address and (2) a communication network , the device comprising : (a) a first interface connected to at least one node , the first interface having a first media access control (MAC) address ;
(b) a second interface connected to the communication network and having a second MAC address ;
(c) a processor connected to the first and second interfaces , the processor configured to : (1) receive a packet from the first interface , the packet having a transport layer header , a network layer (network client, network access, providing network access) header , and the first MAC address ;
the processor configured to replace the first MAC address with the second MAC address in the received packet , to encrypt the received transport layer header , and to not encrypt the received network layer header ;
and to transmit the packet to the second interface ;
and (2) receive a packet from the second interface , the packet having an encrypted transport layer header , an unencrypted network layer header , and the second MAC address ;
the processor configured to replace the second MAC address with the first MAC address in the received packet , decrypt the packet including the transport layer header , and to transmit the packet to the first interface .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (work layer, public key) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (work layer, public key) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address, second IP address, first IP address, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5757924A
CLAIM 1
A network security device which does no routing and is configured to protect at least one particular node, the node having a first media access control (MAC) address and an Internet address and which communicates via a network, comprising: a. a first interface connected to the at least one particular node and having said first MAC address of the node;
b. a second interface connected to the network and having a second MAC address, and c. a processing circuit connected to said first and second interfaces, said processing circuit: (1) for a packet received at said first interface from said one particular node and the packet having a header containing a source address (IP addresses) that is the Internet address of the at least one particular node and said first MAC address of said one particular node, the circuit configured to replace the first MAC address contained in the received packet header with the second MAC address before said packet is transmitted into said network and leaving the Internet address unencrypted and its position in the packet header unchanged, and (2) for a packet received at said second interface from said network and the packet having a header containing a destination address (IP addresses) that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to replace the second MAC address contained in the received packet header with said first MAC address of said at least one particular node before said packet is transmitted to the at least one particular node, and leaving the Internet address unencrypted and its position in the packet header unchanged.

US5757924A
CLAIM 7
The network security device of claim 1 wherein said network security device maintains a first database containing information indicating an IP address and a permanent public key (network client, network access, providing network access) for one or more nodes in said network.

US5757924A
CLAIM 8
The network security device of claim 7 wherein said network security device maintains a second database (data packet) indicating for one or more nodes in said network, an IP address, and a common session key with said at least one particular node.

US5757924A
CLAIM 11
A method for transmitting a packet into a network comprising the steps of: (1) generating a packet containing a first source MAC address of a first node, a first source IP address of said first node and a second IP address (IP addresses) of a destination, and user data, (2) in a network security device which does no routing and is connected to said network and having said first IP address (IP addresses), translating said first source MAC address into a second MAC address of said network security device, encrypting said user data, while leaving said IP address of said destination unencrypted and in the same respective position in a header of said packet, wherein the step of encrypting comprises negotiating a session key common to said first node and second node, said negotiating step comprising: a. at said network security device, using a static public key of said second node, encrypting a dynamic public key of said first node and transmitting said dynamic public key of said first node to said second node, b. receiving from said second node a dynamic public key of said second node encrypted with a static public key of said first node and decrypting said dynamic public key of said second node with a static secret key of said first node at said network security device, c. at said network security device, generating said common session key from a dynamic secret key of said first host and said dynamic public key of said first node and said dynamic public key of said second node;
and (3) transmitting said packet into said network.

US5757924A
CLAIM 19
A network security device connected between: (1) a node having an Internet address and (2) a communication network, the device comprising: (a) a first interface connected to at least one node, the first interface having a first media access control (MAC) address;
(b) a second interface connected to the communication network and having a second MAC address;
(c) a processor connected to the first and second interfaces, the processor configured to: (1) receive a packet from the first interface, the packet having a transport layer header, a network layer (network client, network access, providing network access) header, and the first MAC address;
the processor configured to replace the first MAC address with the second MAC address in the received packet, to encrypt the received transport layer header, and to not encrypt the received network layer header;
and to transmit the packet to the second interface;
and (2) receive a packet from the second interface, the packet having an encrypted transport layer header, an unencrypted network layer header, and the second MAC address;
the processor configured to replace the second MAC address with the first MAC address in the received packet, decrypt the packet including the transport layer header, and to transmit the packet to the first interface.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface (database containing information, network interface).
US5757924A
CLAIM 7
The network security device of claim 1 wherein said network security device maintains a first database containing information (network destination, network interface) indicating an IP address and a permanent public key for one or more nodes in said network.

US5757924A
CLAIM 8
The network security device of claim 7 wherein said network security device maintains a second database (data packet) indicating for one or more nodes in said network, an IP address, and a common session key with said at least one particular node.

US5757924A
CLAIM 10
A network security device configured to protect at least one particular node, the node having an Internet address and which communicates via a network, comprising: a. a first interface connected to the at least one particular node and having a first MAC address, b. a second interface connected to the network and having a second MAC address, and c. a processing circuit connected to said first and second interfaces, said processing circuit: (1) for a packet received at said first interface from said one particular node and the packet having a header including a source address that is the Internet address of the at least one particular node and said first MAC address, the circuit configured to translate the first MAC address in the received packet header into the second MAC address before said packet is transmitted into said network by said second network interface (network destination, network interface) and leaving the Internet address of the received packet header unencrypted;
and (2) for a packet received at said second interface from said network and the packet having a header including a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to translate the second MAC address in the received packet header into the first MAC address before said packet is transmitted to said at least one particular node and leaving the Internet address of the received packet header unencrypted.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet (second data) to the proper port;

and at the proper port, provide the requested network access (work layer, public key) to the NAD.
US5757924A
CLAIM 7
The network security device of claim 1 wherein said network security device maintains a first database containing information indicating an IP address and a permanent public key (network client, network access, providing network access) for one or more nodes in said network.

US5757924A
CLAIM 8
The network security device of claim 7 wherein said network security device maintains a second database (data packet) indicating for one or more nodes in said network, an IP address, and a common session key with said at least one particular node.

US5757924A
CLAIM 19
A network security device connected between: (1) a node having an Internet address and (2) a communication network, the device comprising: (a) a first interface connected to at least one node, the first interface having a first media access control (MAC) address;
(b) a second interface connected to the communication network and having a second MAC address;
(c) a processor connected to the first and second interfaces, the processor configured to: (1) receive a packet from the first interface, the packet having a transport layer header, a network layer (network client, network access, providing network access) header, and the first MAC address;
the processor configured to replace the first MAC address with the second MAC address in the received packet, to encrypt the received transport layer header, and to not encrypt the received network layer header;
and to transmit the packet to the second interface;
and (2) receive a packet from the second interface, the packet having an encrypted transport layer header, an unencrypted network layer header, and the second MAC address;
the processor configured to replace the second MAC address with the first MAC address in the received packet, decrypt the packet including the transport layer header, and to transmit the packet to the first interface.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (work layer, public key) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (database containing information, network interface), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5757924A
CLAIM 7
The network security device of claim 1 wherein said network security device maintains a first database containing information (network destination, network interface) indicating an IP address and a permanent public key (network client, network access, providing network access) for one or more nodes in said network.

US5757924A
CLAIM 8
The network security device of claim 7 wherein said network security device maintains a second database (data packet) indicating for one or more nodes in said network, an IP address, and a common session key with said at least one particular node.

US5757924A
CLAIM 10
A network security device configured to protect at least one particular node, the node having an Internet address and which communicates via a network, comprising: a. a first interface connected to the at least one particular node and having a first MAC address, b. a second interface connected to the network and having a second MAC address, and c. a processing circuit connected to said first and second interfaces, said processing circuit: (1) for a packet received at said first interface from said one particular node and the packet having a header including a source address that is the Internet address of the at least one particular node and said first MAC address, the circuit configured to translate the first MAC address in the received packet header into the second MAC address before said packet is transmitted into said network by said second network interface (network destination, network interface) and leaving the Internet address of the received packet header unencrypted;
and (2) for a packet received at said second interface from said network and the packet having a header including a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to translate the second MAC address in the received packet header into the first MAC address before said packet is transmitted to said at least one particular node and leaving the Internet address of the received packet header unencrypted.

US5757924A
CLAIM 19
A network security device connected between: (1) a node having an Internet address and (2) a communication network, the device comprising: (a) a first interface connected to at least one node, the first interface having a first media access control (MAC) address;
(b) a second interface connected to the communication network and having a second MAC address;
(c) a processor connected to the first and second interfaces, the processor configured to: (1) receive a packet from the first interface, the packet having a transport layer header, a network layer (network client, network access, providing network access) header, and the first MAC address;
the processor configured to replace the first MAC address with the second MAC address in the received packet, to encrypt the received transport layer header, and to not encrypt the received network layer header;
and to transmit the packet to the second interface;
and (2) receive a packet from the second interface, the packet having an encrypted transport layer header, an unencrypted network layer header, and the second MAC address;
the processor configured to replace the second MAC address with the first MAC address in the received packet, decrypt the packet including the transport layer header, and to transmit the packet to the first interface.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (work layer, public key) to the NAD is only available through the server.
US5757924A
CLAIM 7
The network security device of claim 1 wherein said network security device maintains a first database containing information indicating an IP address and a permanent public key (network client, network access, providing network access) for one or more nodes in said network.

US5757924A
CLAIM 19
A network security device connected between: (1) a node having an Internet address and (2) a communication network, the device comprising: (a) a first interface connected to at least one node, the first interface having a first media access control (MAC) address;
(b) a second interface connected to the communication network and having a second MAC address;
(c) a processor connected to the first and second interfaces, the processor configured to: (1) receive a packet from the first interface, the packet having a transport layer header, a network layer (network client, network access, providing network access) header, and the first MAC address;
the processor configured to replace the first MAC address with the second MAC address in the received packet, to encrypt the received transport layer header, and to not encrypt the received network layer header;
and to transmit the packet to the second interface;
and (2) receive a packet from the second interface, the packet having an encrypted transport layer header, an unencrypted network layer header, and the second MAC address;
the processor configured to replace the second MAC address with the first MAC address in the received packet, decrypt the packet including the transport layer header, and to transmit the packet to the first interface.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface (database containing information, network interface) coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access (work layer, public key) includes at least one of an IP address of a network source, an IP address of a network destination (database containing information, network interface), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5757924A
CLAIM 7
The network security device of claim 1 wherein said network security device maintains a first database containing information (network destination, network interface) indicating an IP address and a permanent public key (network client, network access, providing network access) for one or more nodes in said network.

US5757924A
CLAIM 8
The network security device of claim 7 wherein said network security device maintains a second database (data packet) indicating for one or more nodes in said network, an IP address, and a common session key with said at least one particular node.

US5757924A
CLAIM 10
A network security device configured to protect at least one particular node, the node having an Internet address and which communicates via a network, comprising: a. a first interface connected to the at least one particular node and having a first MAC address, b. a second interface connected to the network and having a second MAC address, and c. a processing circuit connected to said first and second interfaces, said processing circuit: (1) for a packet received at said first interface from said one particular node and the packet having a header including a source address that is the Internet address of the at least one particular node and said first MAC address, the circuit configured to translate the first MAC address in the received packet header into the second MAC address before said packet is transmitted into said network by said second network interface (network destination, network interface) and leaving the Internet address of the received packet header unencrypted;
and (2) for a packet received at said second interface from said network and the packet having a header including a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to translate the second MAC address in the received packet header into the first MAC address before said packet is transmitted to said at least one particular node and leaving the Internet address of the received packet header unencrypted.

US5757924A
CLAIM 19
A network security device connected between: (1) a node having an Internet address and (2) a communication network, the device comprising: (a) a first interface connected to at least one node, the first interface having a first media access control (MAC) address;
(b) a second interface connected to the communication network and having a second MAC address;
(c) a processor connected to the first and second interfaces, the processor configured to: (1) receive a packet from the first interface, the packet having a transport layer header, a network layer (network client, network access, providing network access) header, and the first MAC address;
the processor configured to replace the first MAC address with the second MAC address in the received packet, to encrypt the received transport layer header, and to not encrypt the received network layer header;
and to transmit the packet to the second interface;
and (2) receive a packet from the second interface, the packet having an encrypted transport layer header, an unencrypted network layer header, and the second MAC address;
the processor configured to replace the second MAC address with the first MAC address in the received packet, decrypt the packet including the transport layer header, and to transmit the packet to the first interface.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (database containing information, network interface).
US5757924A
CLAIM 7
The network security device of claim 1 wherein said network security device maintains a first database containing information (network destination, network interface) indicating an IP address and a permanent public key for one or more nodes in said network.

US5757924A
CLAIM 10
A network security device configured to protect at least one particular node, the node having an Internet address and which communicates via a network, comprising: a. a first interface connected to the at least one particular node and having a first MAC address, b. a second interface connected to the network and having a second MAC address, and c. a processing circuit connected to said first and second interfaces, said processing circuit: (1) for a packet received at said first interface from said one particular node and the packet having a header including a source address that is the Internet address of the at least one particular node and said first MAC address, the circuit configured to translate the first MAC address in the received packet header into the second MAC address before said packet is transmitted into said network by said second network interface (network destination, network interface) and leaving the Internet address of the received packet header unencrypted;
and (2) for a packet received at said second interface from said network and the packet having a header including a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to translate the second MAC address in the received packet header into the first MAC address before said packet is transmitted to said at least one particular node and leaving the Internet address of the received packet header unencrypted.

US7739302B2
CLAIM 15
The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit to selectively generate a packet for communication to an intermediary computing (other node) device, the selectively generated packet containing the request for access to the directly attached device.
US5757924A
CLAIM 12
The method of claim 11 wherein said first node maintains a static database containing information which identifies static public keys of other nodes (intermediary computing, intermediary computing device) in said network and from which said network security device obtains said static public key of said second node.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (database containing information, network interface), and a route of the data packet (second data), the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5757924A
CLAIM 7
The network security device of claim 1 wherein said network security device maintains a first database containing information (network destination, network interface) indicating an IP address and a permanent public key for one or more nodes in said network.

US5757924A
CLAIM 8
The network security device of claim 7 wherein said network security device maintains a second database (data packet) indicating for one or more nodes in said network, an IP address, and a common session key with said at least one particular node.

US5757924A
CLAIM 10
A network security device configured to protect at least one particular node, the node having an Internet address and which communicates via a network, comprising: a. a first interface connected to the at least one particular node and having a first MAC address, b. a second interface connected to the network and having a second MAC address, and c. a processing circuit connected to said first and second interfaces, said processing circuit: (1) for a packet received at said first interface from said one particular node and the packet having a header including a source address that is the Internet address of the at least one particular node and said first MAC address, the circuit configured to translate the first MAC address in the received packet header into the second MAC address before said packet is transmitted into said network by said second network interface (network destination, network interface) and leaving the Internet address of the received packet header unencrypted;
and (2) for a packet received at said second interface from said network and the packet having a header including a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to translate the second MAC address in the received packet header into the first MAC address before said packet is transmitted to said at least one particular node and leaving the Internet address of the received packet header unencrypted.




US7739302B2
Filed: 1998-09-01     Issued: 2010-06-15
Network attached device with dedicated firewall security
(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC
Stacy Kenworthy

US5655077A
Filed: 1994-12-13     Issued: 1997-08-05
Method and system for authenticating access to heterogeneous computing services
(Original Assignee) Microsoft Corp     (Current Assignee) Microsoft Technology Licensing LLC
Gregory A. Jones, Robert M. Price, William L. Veghte
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet for network access (network access) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (electronic mail), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5655077A
CLAIM 20
The method of claim 19 wherein the second network is a different type of network abiding by a different communications protocol than the network accessible (network access) through the provider services of the primary logon provider.

US5655077A
CLAIM 31
The computer system of claim 28 wherein the primary logon driver is an electronic mail (network destination) server, and wherein the access to the local computer system is to services that are not electronic mail services.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests (additional user) for network access (network access) to the NAD from a plurality of network clients having different operating systems (determination means, enable access).
US5655077A
CLAIM 17
A method in a computer system for authenticating access to a plurality of resources using a single user interface, the computer system having authentication code to access system services, the method comprising the computer-implemented steps of: determining a primary logon provider, the primary logon provider for providing access to provider services and having a user interface for identifying access information;
invoking the user interface of the primary logon provider when appropriate;
identifying access information, the access information being collected through the invoked user interface of the primary logon provider when appropriate;
authenticating the identified access information to allow access to the provider services;
authenticating the identified access information to allow access to the system services without invoking an additional user (accepting requests) interface;
determining a supplemental logon provider, the supplemental logon provider for providing access to supplemental provider services;
and authenticating the identified access information to allow access to the supplemental provider services without invoking an additional user interface.

US5655077A
CLAIM 20
The method of claim 19 wherein the second network is a different type of network abiding by a different communications protocol than the network accessible (network access) through the provider services of the primary logon provider.

US5655077A
CLAIM 23
A method in a computer system for accessing system authentication information stored on a network, the computer system having local system logon code to enable access (different operating systems, network clients having different operating systems) to local computer system services, the method comprising the computer-implemented steps of: invoking a primary logon provider, the primary logon provider providing a user interface for collecting identification information and having code for accessing a network;
under control of the primary logon provider, invoking the user interface of the primary logon provider when needed;
identifying identification information, the identified information either received through the displayed user interface or provided without invoking the user interface of the primary logon provider;
authenticating the identified identification information for access to the network;
and indicating the identified identification information to the local system logon code;
invoking the local system logon code;
and under control of the local system logon code, using the indicated identification information to access the network;
retrieving the system authentication information stored on the network using the primary logon provider code;
and authenticating the indicated identification information for access to the local computer system services using the system authentication information retrieved from the network.

US5655077A
CLAIM 24
. A computer system for authenticating access to local system services comprising : means for determining a primary logon driver , the primary logon driver for providing access to driver services and having a user interface for identifying access information ;
driver means for invoking the user interface of the determined primary logon driver , identifying access information , authenticating the identified access information for access to the driver services , and sending the authenticated access information ;
system means for authenticating the sent access information for access to the local system services , which operates in response to receiving the authenticated access information from the driver means and which operates without invoking another user interface ;
and logon means for invoking the primary logon driver determination means (different operating systems, network clients having different operating systems) and for invoking the driver means .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (network access) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5655077A
CLAIM 20
. The method of claim 19 wherein the second network is a different type of network abiding by a different communications protocol than the network accessible (network access) through the provider services of the primary logon provider .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (network access) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5655077A
CLAIM 20
. The method of claim 19 wherein the second network is a different type of network abiding by a different communications protocol than the network accessible (network access) through the provider services of the primary logon provider .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access (network access) to the NAD .
US5655077A
CLAIM 20
. The method of claim 19 wherein the second network is a different type of network abiding by a different communications protocol than the network accessible (network access) through the provider services of the primary logon provider .

US7739302B2
CLAIM 10
. A system for managing access (system network) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (network access) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5655077A
CLAIM 1
. A method in a computer system network (managing access) environment for authenticating access to computing services , the computer system network environment having a local computer system that can be connected to multiple heterogeneous networks , the local computer system having local authentication code to access local computer system services , the method comprising the computer-implemented steps of : determining a primary logon driver , the primary logon driver for providing access to a first network and having a user interface with components for collecting identification information for the primary logon driver ;
invoking the primary logon driver ;
under control of the primary logon driver , invoking the user interface of the primary logon driver when needed ;
in response to receiving identification information through the user interface components , authenticating the received identification information to allow access to the first network ;
and indicating the authenticated identification information to the local authentication code ;
under control of the local authentication code , authenticating the indicated identification information to allow access to the local computer system services ;
determining a supplemental logon driver for providing access to a second network ;
invoking the determined supplemental logon driver ;
and under control of the invoked supplemental logon driver , authenticating previously provided identification information to allow access to the second network .

US5655077A
CLAIM 20
. The method of claim 19 wherein the second network is a different type of network abiding by a different communications protocol than the network accessible (network access) through the provider services of the primary logon provider .

US5655077A
CLAIM 31
. The computer system of claim 28 wherein the primary logon driver is an electronic mail (network destination) server , and wherein the access to the local computer system is to services that are not electronic mail services .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (network access) to the NAD is only available through the server .
US5655077A
CLAIM 20
. The method of claim 19 wherein the second network is a different type of network abiding by a different communications protocol than the network accessible (network access) through the provider services of the primary logon provider .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (computer processor) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (network access) includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5655077A
CLAIM 20
. The method of claim 19 wherein the second network is a different type of network abiding by a different communications protocol than the network accessible (network access) through the provider services of the primary logon provider .

US5655077A
CLAIM 31
. The computer system of claim 28 wherein the primary logon driver is an electronic mail (network destination) server , and wherein the access to the local computer system is to services that are not electronic mail services .

US5655077A
CLAIM 36
. A distributed computer-readable memory medium containing instructions for controlling a computer processor (storing instructions) in a computer system network environment to authenticate access to computing services , the computer system network environment having a local computer system that can be connected to multiple heterogeneous networks , the local computer system having local authentication code to access local computer system services , by performing the steps of : determining a primary logon driver , the primary logon driver for providing access to a first network and having a user interface with components for collecting identification information for the primary logon driver ;
invoking the primary logon driver ;
under control of the primary logon driver , invoking the user interface of the primary logon driver when needed ;
in response to receiving identification information through the user interface components , authenticating the received identification information to allow access to the first network ;
and indicating the authenticated identification information to the local authentication code ;
under control of the local authentication code , authenticating the indicated identification information to allow access to the local computer system services ;
determining a supplemental logon driver for providing access to a second network ;
invoking the determined supplemental logon driver ;
and under control of the invoked supplemental logon driver , authenticating previously provided identification information to allow access to the second network .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (storage device) , and a video codec .
US5655077A
CLAIM 30
. The computer system of claim 28 wherein the input-output device is a storage device (storage device) that stores a database and the primary logon driver is associated with a set of database services that provide access to the database , and wherein the access to the local computer system is to services that are not database services .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5655077A
CLAIM 31
. The computer system of claim 28 wherein the primary logon driver is an electronic mail (network destination) server , and wherein the access to the local computer system is to services that are not electronic mail services .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access (system network) to the NAD over a device interface if the request is allowed .
US5655077A
CLAIM 1
. A method in a computer system network (managing access) environment for authenticating access to computing services , the computer system network environment having a local computer system that can be connected to multiple heterogeneous networks , the local computer system having local authentication code to access local computer system services , the method comprising the computer-implemented steps of : determining a primary logon driver , the primary logon driver for providing access to a first network and having a user interface with components for collecting identification information for the primary logon driver ;
invoking the primary logon driver ;
under control of the primary logon driver , invoking the user interface of the primary logon driver when needed ;
in response to receiving identification information through the user interface components , authenticating the received identification information to allow access to the first network ;
and indicating the authenticated identification information to the local authentication code ;
under control of the local authentication code , authenticating the indicated identification information to allow access to the local computer system services ;
determining a supplemental logon driver for providing access to a second network ;
invoking the determined supplemental logon driver ;
and under control of the invoked supplemental logon driver , authenticating previously provided identification information to allow access to the second network .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (face component) is further configured to manage access over a SCSI interface .
US5655077A
CLAIM 1
. A method in a computer system network environment for authenticating access to computing services , the computer system network environment having a local computer system that can be connected to multiple heterogeneous networks , the local computer system having local authentication code to access local computer system services , the method comprising the computer-implemented steps of : determining a primary logon driver , the primary logon driver for providing access to a first network and having a user interface with components for collecting identification information for the primary logon driver ;
invoking the primary logon driver ;
under control of the primary logon driver , invoking the user interface of the primary logon driver when needed ;
in response to receiving identification information through the user interface components (managing means) , authenticating the received identification information to allow access to the first network ;
and indicating the authenticated identification information to the local authentication code ;
under control of the local authentication code , authenticating the indicated identification information to allow access to the local computer system services ;
determining a supplemental logon driver for providing access to a second network ;
invoking the determined supplemental logon driver ;
and under control of the invoked supplemental logon driver , authenticating previously provided identification information to allow access to the second network .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (d log) of a plurality of protocols .
US5655077A
CLAIM 15
. The method of claim 10 wherein the step of determining the primary logon provider comprises the substeps of : displaying a list of logon providers ;
and designating one of the displayed logon (requests comprise one) providers as the primary logon provider .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (storage device) , and a video codec .
US5655077A
CLAIM 30
. The computer system of claim 28 wherein the input-output device is a storage device (storage device) that stores a database and the primary logon driver is associated with a set of database services that provide access to the database , and wherein the access to the local computer system is to services that are not database services .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5623601A

Filed: 1994-11-21     Issued: 1997-04-22

Apparatus and method for providing a secure gateway for communication and data exchanges between networks

(Original Assignee) Milkway Networks Corp     (Current Assignee) Milkway Networks Corp ; RPX Corp

Hung T. Vu
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (data packet, IP packets) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5623601A
CLAIM 10
. A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : (a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to host , but encapsulating the packets with a hardware destination address that matches a device address of the gateway ;
(b) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number , else dropping the packet ;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and (g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

US5623601A
CLAIM 19
. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet without intervention by the source , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (data packet, IP packets) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5623601A
CLAIM 10
. A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : (a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to host , but encapsulating the packets with a hardware destination address that matches a device address of the gateway ;
(b) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number , else dropping the packet ;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and (g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

US5623601A
CLAIM 19
. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet without intervention by the source , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (potential security) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (data packet, IP packets) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5623601A
CLAIM 10
. A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : (a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to host , but encapsulating the packets with a hardware destination address that matches a device address of the gateway ;
(b) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number , else dropping the packet ;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and (g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

US5623601A
CLAIM 18
. A method for providing a secure gateway between a private network and potentially hostile network as claimed in claim 10 wherein the method further involves the steps of : a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving the data between the respective first and second communications sessions , whereby the TCP/IP packet is passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts the data from the packet and passes the data from a one of the first and second communications sessions to a proxy process which operates at an application layer of the gateway station and the proxy process executes data screening algorithms to screen the data for elements that could represent a potential security (data management component) breach before the data is passed to the other of the first and second communications sessions .

US5623601A
CLAIM 19
. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet without intervention by the source , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (data packet, IP packets) arrived via an authorized network interface .
US5623601A
CLAIM 10
. A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : (a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to the host , but encapsulating the packets with a hardware destination address that matches a device address of the gateway ;
(b) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is a proxy process bound to the port for serving the destination port number , else dropping the packet ;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and (g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

US5623601A
CLAIM 19
. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet without intervention by the source , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (data packet, IP packets) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5623601A
CLAIM 10
. A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : (a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to the host , but encapsulating the packets with a hardware destination address that matches a device address of the gateway ;
(b) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is a proxy process bound to the port for serving the destination port number , else dropping the packet ;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and (g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

US5623601A
CLAIM 19
. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet without intervention by the source , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (data packet, IP packets) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access (new communication) to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5623601A
CLAIM 5
. A method of providing a secure gateway between a private network and a potentially hostile network as claimed in claim 3 , wherein the method further involves the steps of : a) creating a user authentication file which contains the source address of the authenticated user in a user authentication directory ;
and b) referring to the authentication file to determine if a source address has been authenticated each time a new communications (providing network access) session is initiated so that the gateway is completely transparent to an authenticated source .

US5623601A
CLAIM 10
. A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : (a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to the host , but encapsulating the packets with a hardware destination address that matches a device address of the gateway ;
(b) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is a proxy process bound to the port for serving the destination port number , else dropping the packet ;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and (g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

US5623601A
CLAIM 19
. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet without intervention by the source , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (data packet, IP packets) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5623601A
CLAIM 10
. A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : (a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to the host , but encapsulating the packets with a hardware destination address that matches a device address of the gateway ;
(b) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is a proxy process bound to the port for serving the destination port number , else dropping the packet ;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and (g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

US5623601A
CLAIM 19
. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet without intervention by the source , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (requested service) device , the selectively generated packet containing the request for access to the directly attached device .
US5623601A
CLAIM 13
. A method of providing a secure gateway between a private network and a potentially hostile network as claimed in claim 12 wherein the method further involves the steps of : a) referencing a rule base as a first step after the first communications session is established to determine whether the user identification/password at the source address is permitted to communicate with the destination address for a requested service (intermediary computing) ;
and b) cancelling the first communications session if the rule base does not include a rule to permit the user identification/password at the source address to communicate with the destination address for the requested type of service .

US7739302B2
CLAIM 17
. The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (application layer) .
US5623601A
CLAIM 18
. A method for providing a secure gateway between a private network and a potentially hostile network as claimed in claim 10 wherein the method further involves the steps of : a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving the data between the respective first and second communications sessions , whereby the TCP/IP packet is passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts the data from the packet and passes the data from one of the first and second communications sessions to a proxy process which operates at an application layer (application layer) of the gateway station and the proxy process executes data screening algorithms to screen the data for elements that could represent a potential security breach before the data is passed to the other of the first and second communications sessions .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (data packet, IP packets) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (hard disk) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5623601A
CLAIM 10
. A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : (a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to the host , but encapsulating the packets with a hardware destination address that matches a device address of the gateway ;
(b) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is a proxy process bound to the port for serving the destination port number , else dropping the packet ;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and (g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .
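The gateway procedure recited in US5623601A claim 10, steps (b) through (g), together with the claim 18 data sensitivity check and the claim 19(a) no-forwarding constraint, modelled as an added Python simulation. This is illustrative code written for this chart, not code from either patent; the packet field set, the rule-base tuple format, the hardware addresses and the screening callback are assumptions.

```python
"""Added simulation of the transparent proxy gateway of US5623601A claims 10, 18 and 19.
Illustrative code for this chart, not the patent's implementation; the packet fields,
rule-base format, hardware addresses and screening callback are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Endpoint = Tuple[str, int]        # (IP address, port number)
Rule = Tuple[str, str, int]       # (source IP or "*", destination IP or "*", destination port or 0)


@dataclass(frozen=True)
class Packet:
    """A TCP/IP packet as seen at the gateway's link layer (assumed field set)."""
    hw_dst: str          # hardware destination address the packet is encapsulated with
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    data: bytes = b""    # application data portion


@dataclass
class SessionPair:
    """First session (gateway <-> source) and second session (gateway <-> destination)."""
    first: Endpoint
    second: Endpoint
    to_destination: List[bytes] = field(default_factory=list)   # data moved first -> second
    to_source: List[bytes] = field(default_factory=list)        # data moved second -> first


class ProxyGateway:
    """Models claim 10 steps (b)-(g) plus the claim 18 data sensitivity check."""

    def __init__(self, hw_addr: str, proxy_ports: Set[int], rule_base: List[Rule],
                 screen: Callable[[bytes], bool] = lambda data: True) -> None:
        self.hw_addr = hw_addr            # device address of the gateway station
        self.proxy_ports = proxy_ports    # ports with a proxy process bound (step c)
        self.rule_base = rule_base        # permission rules consulted in step (e)
        self.screen = screen              # claim 18 screening: True means the data may pass
        self.sessions: Dict[Tuple[Endpoint, Endpoint], SessionPair] = {}

    def forward(self, pkt: Packet) -> bool:
        """Claim 19(a): the modified kernel never forwards a packet between the networks."""
        return False

    def _permitted(self, src: Endpoint, dst: Endpoint) -> bool:
        """Step (e): locate a rule allowing source -> destination; '*' and 0 are wildcards."""
        for rule_src, rule_dst, rule_port in self.rule_base:
            if rule_src in ("*", src[0]) and rule_dst in ("*", dst[0]) and rule_port in (0, dst[1]):
                return True
        return False

    def _move(self, pair: SessionPair, data: bytes, to_destination: bool) -> str:
        """Step (g) with claim 18: screen the data portion, then move it to the other session."""
        if not data:
            return "relayed"
        if not self.screen(data):
            return "blocked:screened"
        (pair.to_destination if to_destination else pair.to_source).append(data)
        return "relayed"

    def handle(self, pkt: Packet) -> str:
        src: Endpoint = (pkt.src_ip, pkt.src_port)
        dst: Endpoint = (pkt.dst_ip, pkt.dst_port)
        # Step (b): only packets encapsulated with the gateway's own hardware address are accepted.
        if pkt.hw_dst != self.hw_addr:
            return "ignored"
        # Step (g): packets belonging to an existing session pair are relayed in either direction.
        if (src, dst) in self.sessions:
            return self._move(self.sessions[(src, dst)], pkt.data, to_destination=True)
        if (dst, src) in self.sessions:
            return self._move(self.sessions[(dst, src)], pkt.data, to_destination=False)
        # Steps (c)/(d): a proxy process must be bound to the destination port, else drop.
        if pkt.dst_port not in self.proxy_ports:
            return "dropped:no-proxy"
        # Step (e): the first session with the source survives only if a permission rule exists.
        if not self._permitted(src, dst):
            return "dropped:no-rule"
        # Step (f): establish the second session with the destination and keep the pair.
        pair = SessionPair(first=src, second=dst)
        self.sessions[(src, dst)] = pair
        moved = self._move(pair, pkt.data, to_destination=True)
        return "established" if moved == "relayed" else moved
```

The source never learns the gateway's address: it addresses the real destination, and only the payload crosses between the two sessions.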

US5623601A
CLAIM 19
. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet without intervention by the source , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US5623601A
CLAIM 41
. A computer readable memory as claimed in claim 38 wherein the computer readable memory comprises at least one hard disk (filtering means) drive .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (hard disk) is further configured to carry out the filtering at an application layer (application layer) of a network stack .
US5623601A
CLAIM 18
. A method for providing a secure gateway between a private network and a potentially hostile network as claimed in claim 10 wherein the method further involves the steps of : a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving the data between the respective first and second communications sessions , whereby the TCP/IP packet is passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts the data from the packet and passes the data from one of the first and second communications sessions to a proxy process which operates at an application layer (application layer) of the gateway station and the proxy process executes data screening algorithms to screen the data for elements that could represent a potential security breach before the data is passed to the other of the first and second communications sessions .

US5623601A
CLAIM 41
. A computer readable memory as claimed in claim 38 wherein the computer readable memory comprises at least one hard disk (filtering means) drive .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5577209A

Filed: 1994-07-05     Issued: 1996-11-19

Apparatus and method for providing multi-level security for communication among computers and terminals on a network

(Original Assignee) ITT Corp     (Current Assignee) Round Rock Research LLC

John M. Boyle, Eric S. Maiwald, David W. Snow
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5577209A
CLAIM 1
. A multi-level network security apparatus for a computer network having at least one user coupled thereto , the at least one user selected from a group consisting of a host computer and at least a second network , comprising : a secure network interface unit (SNIU) coupled between said at least one user and the computer network which operates at a user layer communications protocol , said SNIU comprising : a user interface for providing an interface between the user and SNIU , said user interface being operative for translating data received from the user into a format used by said SNIU , a session manager for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network , managing functions of communications sessions permitted by said network (NAD server) security apparatus and maintaining a session audit , a dialogue manager for controlling a data path established in the SNIU , and an association manager which operates to establish and control a user session at a session layer of interconnection between the user and the network through said SNIU if said identified user is verified for access , whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter ;
and a security management architecture , including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network , said SM capable of implementing a security policy selected from the group consisting of discretionary access control , mandatory access control , object reuse , labeling , denial of service detection , data type integrity , cascading control and covert channel use detection , said SM further providing inter-network administration .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5577209A
CLAIM 1
A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, comprising: a secure network interface unit (SINU) coupled between said at least one user and the computer network which operates at a user layer communications protocol, said SINU comprising: a user interface for providing an interface between the user and SNIU, said user interface being operative for translating data received from the user into a format used by said SNIU, a session manager for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network, managing functions of communications sessions permitted by said network (NAD server) security apparatus and maintaining a session audit, a dialogue manager for controlling a data path established in the SNIU, and an association manager which operates to establish and control a user session at a session layer of interconnection between the user and the network through said SNIU if said identified user is verified for access, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter;
and a security management architecture, including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network, said SM capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (network interface, session manager, exchanging data) with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US5577209A
CLAIM 1
A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, comprising: a secure network interface (network interface, electronic communication) unit (SINU) coupled between said at least one user and the computer network which operates at a user layer communications protocol, said SINU comprising: a user interface for providing an interface between the user and SNIU, said user interface being operative for translating data received from the user into a format used by said SNIU, a session manager (network interface, electronic communication) for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network, managing functions of communications sessions permitted by said network security apparatus and maintaining a session audit, a dialogue manager for controlling a data path established in the SNIU, and an association manager which operates to establish and control a user session at a session layer of interconnection between the user and the network through said SNIU if said identified user is verified for access, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter;
and a security management architecture, including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network, said SM capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.

US5577209A
CLAIM 9
A network security apparatus according to claim 8, wherein said means for performing said SM functions of said SSM include exchanging data (network interface, electronic communication) and commands with the SNIUs, and performing initialization, configuration control, access control, sealer key management, audit/alarms, and other services for the SNIUs.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface, session manager, exchanging data).
US5577209A
CLAIM 1
A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, comprising: a secure network interface (network interface, electronic communication) unit (SINU) coupled between said at least one user and the computer network which operates at a user layer communications protocol, said SINU comprising: a user interface for providing an interface between the user and SNIU, said user interface being operative for translating data received from the user into a format used by said SNIU, a session manager (network interface, electronic communication) for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network, managing functions of communications sessions permitted by said network security apparatus and maintaining a session audit, a dialogue manager for controlling a data path established in the SNIU, and an association manager which operates to establish and control a user session at a session layer of interconnection between the user and the network through said SNIU if said identified user is verified for access, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter;
and a security management architecture, including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network, said SM capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.

US5577209A
CLAIM 9
A network security apparatus according to claim 8, wherein said means for performing said SM functions of said SSM include exchanging data (network interface, electronic communication) and commands with the SNIUs, and performing initialization, configuration control, access control, sealer key management, audit/alarms, and other services for the SNIUs.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface (network interface, session manager, exchanging data) coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5577209A
CLAIM 1
A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, comprising: a secure network interface (network interface, electronic communication) unit (SINU) coupled between said at least one user and the computer network which operates at a user layer communications protocol, said SINU comprising: a user interface for providing an interface between the user and SNIU, said user interface being operative for translating data received from the user into a format used by said SNIU, a session manager (network interface, electronic communication) for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network, managing functions of communications sessions permitted by said network security apparatus and maintaining a session audit, a dialogue manager for controlling a data path established in the SNIU, and an association manager which operates to establish and control a user session at a session layer of interconnection between the user and the network through said SNIU if said identified user is verified for access, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter;
and a security management architecture, including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network, said SM capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.

US5577209A
CLAIM 9
A network security apparatus according to claim 8, wherein said means for performing said SM functions of said SSM include exchanging data (network interface, electronic communication) and commands with the SNIUs, and performing initialization, configuration control, access control, sealer key management, audit/alarms, and other services for the SNIUs.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface, session manager, exchanging data).
US5577209A
CLAIM 1
A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, comprising: a secure network interface (network interface, electronic communication) unit (SINU) coupled between said at least one user and the computer network which operates at a user layer communications protocol, said SINU comprising: a user interface for providing an interface between the user and SNIU, said user interface being operative for translating data received from the user into a format used by said SNIU, a session manager (network interface, electronic communication) for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network, managing functions of communications sessions permitted by said network security apparatus and maintaining a session audit, a dialogue manager for controlling a data path established in the SNIU, and an association manager which operates to establish and control a user session at a session layer of interconnection between the user and the network through said SNIU if said identified user is verified for access, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter;
and a security management architecture, including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network, said SM capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.

US5577209A
CLAIM 9
A network security apparatus according to claim 8, wherein said means for performing said SM functions of said SSM include exchanging data (network interface, electronic communication) and commands with the SNIUs, and performing initialization, configuration control, access control, sealer key management, audit/alarms, and other services for the SNIUs.

US7739302B2
CLAIM 18
The apparatus of claim 12, wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (session layer).
US5577209A
CLAIM 1
A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, comprising: a secure network interface unit (SINU) coupled between said at least one user and the computer network which operates at a user layer communications protocol, said SINU comprising: a user interface for providing an interface between the user and SNIU, said user interface being operative for translating data received from the user into a format used by said SNIU, a session manager for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network, managing functions of communications sessions permitted by said network security apparatus and maintaining a session audit, a dialogue manager for controlling a data path established in the SNIU, and an association manager which operates to establish and control a user session at a session layer (network protocols) of interconnection between the user and the network through said SNIU if said identified user is verified for access, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter;
and a security management architecture, including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network, said SM capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.

US7739302B2
CLAIM 19
The apparatus of claim 18 wherein one of the plurality of network protocols (session layer) is TCP/IP.
US5577209A
CLAIM 1
A multi-level network security apparatus for a computer network having at least one user coupled thereto, the at least one user selected from a group consisting of a host computer and at least a second network, comprising: a secure network interface unit (SINU) coupled between said at least one user and the computer network which operates at a user layer communications protocol, said SINU comprising: a user interface for providing an interface between the user and SNIU, said user interface being operative for translating data received from the user into a format used by said SNIU, a session manager for identifying a user requesting access to the network at the session level and verifying if the identified user is authorized for access to the network, managing functions of communications sessions permitted by said network security apparatus and maintaining a session audit, a dialogue manager for controlling a data path established in the SNIU, and an association manager which operates to establish and control a user session at a session layer (network protocols) of interconnection between the user and the network through said SNIU if said identified user is verified for access, whereby the SNIU is implemented to create a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within said global security perimeter;
and a security management architecture, including a security manager (SM) connected to said SNIU for causing said SNIU to be operated and configured for protecting the security communications transmitted through said SNIU between the at least one user and the network, said SM capable of implementing a security policy selected from the group consisting of discretionary access control, mandatory access control, object reuse, labeling, denial of service detection, data type integrity, cascading control and covert channel use detection, said SM further providing inter-network administration.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests (other service) over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5577209A
CLAIM 9
A network security apparatus according to claim 8, wherein said means for performing said SM functions of said SSM include exchanging data and commands with the SNIUs, and performing initialization, configuration control, access control, sealer key management, audit/alarms, and other services (receiving requests) for the SNIUs.

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5416842A

Filed: 1994-06-10     Issued: 1995-05-16

Method and apparatus for key-management scheme for use with internet protocols at site firewalls

(Original Assignee) Sun Microsystems Inc     (Current Assignee) Sun Microsystems Inc

Ashar Aziz
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server (said network) disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet (second data) for network access (temporary address) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5416842A
CLAIM 1
In a network including a first data processing device node I coupled to a first firewall server FWA and a second data (data packet) processing device node J coupled to a second firewall server FWB, said first and second firewall servers disposed between said respective nodes I and J and said network (NAD server), an improved method for sending data from said node I to said node J, comprising the steps of: providing an element for performing the step of said node I sending a data packet, including data and a destination address for node J, to said FWA;
providing an element for performing the step of providing a secret value a, and a public value α^a mod p to said FWA;
providing an element for performing the step of providing a secret value b, and a public value α^b mod p to said FWB;
said FWA performing the steps of: adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate;
said firewall FWA computing the value of α^ab mod p, said FWA further deriving a key K_ab from said value α^ab mod p;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p, and encrypting said data packet to be transmitted to FWB using said key K_p, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB;
said FWA sending said transmission packet to said FWB.

US5416842A
CLAIM 20
In a network including a mobile data processing device M having a long term address M and a temporary address (network access) IP_d, said device M coupled to a first firewall server FWX, and a second data processing device R coupled to a second firewall server FWY, said first and second firewall servers disposed between said respective devices M and R, an improved method for sending data from said device M to said device R, comprising the steps of: said device M sending a data packet, including data, a destination address for device R, and said long term address M to said firewall FWX;
providing a secret value x, and a public value α^x mod p to said FWX;
providing a secret value y, and a public value α^y mod p to said FWY;
said FWX performing the steps of: obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate;
computing the value of α^xy mod p, said FWX further deriving a key K_xy from said value α^xy mod p;
utilizing said key K_xy to encrypt a randomly generated transient key K_p, and encrypting said data packet to be transmitted to FWY using said key K_p, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IP_d as a source address;
said FWX sending said transmission packet to said FWY.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access (temporary address) to the NAD from a plurality of network clients having different operating systems.
US5416842A
CLAIM 1
In a network including a first data processing device node I coupled to a first firewall server FWA and a second data processing device node J coupled to a second firewall server FWB, said first and second firewall servers disposed between said respective nodes I and J and said network (NAD server), an improved method for sending data from said node I to said node J, comprising the steps of: providing an element for performing the step of said node I sending a data packet, including data and a destination address for node J, to said FWA;
providing an element for performing the step of providing a secret value a, and a public value α^a mod p to said FWA;
providing an element for performing the step of providing a secret value b, and a public value α^b mod p to said FWB;
said FWA performing the steps of: adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate;
said firewall FWA computing the value of α^ab mod p, said FWA further deriving a key K_ab from said value α^ab mod p;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p, and encrypting said data packet to be transmitted to FWB using said key K_p, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB;
said FWA sending said transmission packet to said FWB.

US5416842A
CLAIM 20
In a network including a mobile data processing device M having a long term address M and a temporary address (network access) IP_d, said device M coupled to a first firewall server FWX, and a second data processing device R coupled to a second firewall server FWY, said first and second firewall servers disposed between said respective devices M and R, an improved method for sending data from said device M to said device R, comprising the steps of: said device M sending a data packet, including data, a destination address for device R, and said long term address M to said firewall FWX;
providing a secret value x, and a public value α^x mod p to said FWX;
providing a secret value y, and a public value α^y mod p to said FWY;
said FWX performing the steps of: obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate;
computing the value of α^xy mod p, said FWX further deriving a key K_xy from said value α^xy mod p;
utilizing said key K_xy to encrypt a randomly generated transient key K_p, and encrypting said data packet to be transmitted to FWY using said key K_p, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IP_d as a source address;
said FWX sending said transmission packet to said FWY.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (temporary address) to the NAD is authorized comprises determining whether information in the header of a received data packet (second data) containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US5416842A
CLAIM 1
In a network including a first data processing device node I coupled to a first firewall server FWA and a second data (data packet) processing device node J coupled to a second firewall server FWB, said first and second firewall servers disposed between said respective nodes I and J and said network, an improved method for sending data from said node I to said node J, comprising the steps of: providing an element for performing the step of said node I sending a data packet, including data and a destination address for node J, to said FWA;
providing an element for performing the step of providing a secret value a, and a public value α^a mod p to said FWA;
providing an element for performing the step of providing a secret value b, and a public value α^b mod p to said FWB;
said FWA performing the steps of: adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate;
said firewall FWA computing the value of α^ab mod p, said FWA further deriving a key K_ab from said value α^ab mod p;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p, and encrypting said data packet to be transmitted to FWB using said key K_p, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB;
said FWA sending said transmission packet to said FWB.

US5416842A
CLAIM 20
In a network including a mobile data processing device M having a long term address M and a temporary address (network access) IP_d, said device M coupled to a first firewall server FWX, and a second data processing device R coupled to a second firewall server FWY, said first and second firewall servers disposed between said respective devices M and R, an improved method for sending data from said device M to said device R, comprising the steps of: said device M sending a data packet, including data, a destination address for device R, and said long term address M to said firewall FWX;
providing a secret value x, and a public value α^x mod p to said FWX;
providing a secret value y, and a public value α^y mod p to said FWY;
said FWX performing the steps of: obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate;
computing the value of α^xy mod p, said FWX further deriving a key K_xy from said value α^xy mod p;
utilizing said key K_xy to encrypt a randomly generated transient key K_p, and encrypting said data packet to be transmitted to FWY using said key K_p, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IP_d as a source address;
said FWX sending said transmission packet to said FWY.

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (temporary address) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5416842A
CLAIM 1
. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data (data packet) processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , an improved method for sending data from said node I to said node J , comprising the steps of : providing an element for performing the step of said node I sending a data packet , including data and a destination address (IP addresses) for node J , to said FWA ;
providing an element for performing the step of providing a secret value a , and a public value α^a mod p to said FWA ;
providing an element for performing the step of providing a secret value b , and a public value α^b mod p to said FWB ;
said FWA performing the steps of : adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate ;
said firewall FWA computing the value of α^ab mod p , said FWA further deriving a key K_ab from said value α^ab mod p ;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWB using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB ;
said FWA sending said transmission packet to said FWB .

US5416842A
CLAIM 9
. The method as defined by claim 8 , wherein said transmission packet further includes a source address (IP addresses) identifying the source of said transmission packet as FWA , and an SKCS identifier field .

US5416842A
CLAIM 20
. In a network including a mobile data processing device M having a long term address M and a temporary address (network access) IP_d , said device M coupled to a first firewall server FWX , and a second data processing device R coupled to a second firewall server FWY , said first and second firewall servers disposed between said respective devices M and R , an improved method for sending data from said device M to said device R , comprising the steps of : said device M sending a data packet , including data , a destination address for device R , and said long term address M to said firewall FWX ;
providing a secret value x , and a public value α^x mod p to said FWX ;
providing a secret value y , and a public value α^y mod p to said FWY ;
said FWX performing the steps of : obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate ;
computing the value of α^xy mod p , said FWX further deriving a key K_xy from said value α^xy mod p ;
utilizing said key K_xy to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWY using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IP_d as a source address ;
said FWX sending said transmission packet to said FWY .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface .
US5416842A
CLAIM 1
. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data (data packet) processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , an improved method for sending data from said node I to said node J , comprising the steps of : providing an element for performing the step of said node I sending a data packet , including data and a destination address for node J , to said FWA ;
providing an element for performing the step of providing a secret value a , and a public value α^a mod p to said FWA ;
providing an element for performing the step of providing a secret value b , and a public value α^b mod p to said FWB ;
said FWA performing the steps of : adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate ;
said firewall FWA computing the value of α^ab mod p , said FWA further deriving a key K_ab from said value α^ab mod p ;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWB using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB ;
said FWA sending said transmission packet to said FWB .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (second data) to the proper port ;

and at the proper port , provide the requested network access (temporary address) to the NAD .
US5416842A
CLAIM 1
. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data (data packet) processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , an improved method for sending data from said node I to said node J , comprising the steps of : providing an element for performing the step of said node I sending a data packet , including data and a destination address for node J , to said FWA ;
providing an element for performing the step of providing a secret value a , and a public value α^a mod p to said FWA ;
providing an element for performing the step of providing a secret value b , and a public value α^b mod p to said FWB ;
said FWA performing the steps of : adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate ;
said firewall FWA computing the value of α^ab mod p , said FWA further deriving a key K_ab from said value α^ab mod p ;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWB using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB ;
said FWA sending said transmission packet to said FWB .

US5416842A
CLAIM 20
. In a network including a mobile data processing device M having a long term address M and a temporary address (network access) IP_d , said device M coupled to a first firewall server FWX , and a second data processing device R coupled to a second firewall server FWY , said first and second firewall servers disposed between said respective devices M and R , an improved method for sending data from said device M to said device R , comprising the steps of : said device M sending a data packet , including data , a destination address for device R , and said long term address M to said firewall FWX ;
providing a secret value x , and a public value α^x mod p to said FWX ;
providing a secret value y , and a public value α^y mod p to said FWY ;
said FWX performing the steps of : obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate ;
computing the value of α^xy mod p , said FWX further deriving a key K_xy from said value α^xy mod p ;
utilizing said key K_xy to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWY using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IP_d as a source address ;
said FWX sending said transmission packet to said FWY .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (temporary address) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5416842A
CLAIM 1
. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data (data packet) processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , an improved method for sending data from said node I to said node J , comprising the steps of : providing an element for performing the step of said node I sending a data packet , including data and a destination address for node J , to said FWA ;
providing an element for performing the step of providing a secret value a , and a public value α^a mod p to said FWA ;
providing an element for performing the step of providing a secret value b , and a public value α^b mod p to said FWB ;
said FWA performing the steps of : adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate ;
said firewall FWA computing the value of α^ab mod p , said FWA further deriving a key K_ab from said value α^ab mod p ;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWB using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB ;
said FWA sending said transmission packet to said FWB .

US5416842A
CLAIM 20
. In a network including a mobile data processing device M having a long term address M and a temporary address (network access) IP_d , said device M coupled to a first firewall server FWX , and a second data processing device R coupled to a second firewall server FWY , said first and second firewall servers disposed between said respective devices M and R , an improved method for sending data from said device M to said device R , comprising the steps of : said device M sending a data packet , including data , a destination address for device R , and said long term address M to said firewall FWX ;
providing a secret value x , and a public value α^x mod p to said FWX ;
providing a secret value y , and a public value α^y mod p to said FWY ;
said FWX performing the steps of : obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate ;
computing the value of α^xy mod p , said FWX further deriving a key K_xy from said value α^xy mod p ;
utilizing said key K_xy to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWY using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IP_d as a source address ;
said FWX sending said transmission packet to said FWY .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (temporary address) to the NAD is only available through the server .
US5416842A
CLAIM 20
. In a network including a mobile data processing device M having a long term address M and a temporary address (network access) IP_d , said device M coupled to a first firewall server FWX , and a second data processing device R coupled to a second firewall server FWY , said first and second firewall servers disposed between said respective devices M and R , an improved method for sending data from said device M to said device R , comprising the steps of : said device M sending a data packet , including data , a destination address for device R , and said long term address M to said firewall FWX ;
providing a secret value x , and a public value α^x mod p to said FWX ;
providing a secret value y , and a public value α^y mod p to said FWY ;
said FWX performing the steps of : obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate ;
computing the value of α^xy mod p , said FWX further deriving a key K_xy from said value α^xy mod p ;
utilizing said key K_xy to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWY using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IP_d as a source address ;
said FWX sending said transmission packet to said FWY .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access (temporary address) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5416842A
CLAIM 1
. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data (data packet) processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , an improved method for sending data from said node I to said node J , comprising the steps of : providing an element for performing the step of said node I sending a data packet , including data and a destination address for node J , to said FWA ;
providing an element for performing the step of providing a secret value a , and a public value α^a mod p to said FWA ;
providing an element for performing the step of providing a secret value b , and a public value α^b mod p to said FWB ;
said FWA performing the steps of : adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate ;
said firewall FWA computing the value of α^ab mod p , said FWA further deriving a key K_ab from said value α^ab mod p ;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWB using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB ;
said FWA sending said transmission packet to said FWB .

US5416842A
CLAIM 20
. In a network including a mobile data processing device M having a long term address M and a temporary address (network access) IP_d , said device M coupled to a first firewall server FWX , and a second data processing device R coupled to a second firewall server FWY , said first and second firewall servers disposed between said respective devices M and R , an improved method for sending data from said device M to said device R , comprising the steps of : said device M sending a data packet , including data , a destination address for device R , and said long term address M to said firewall FWX ;
providing a secret value x , and a public value α^x mod p to said FWX ;
providing a secret value y , and a public value α^y mod p to said FWY ;
said FWX performing the steps of : obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate ;
computing the value of α^xy mod p , said FWX further deriving a key K_xy from said value α^xy mod p ;
utilizing said key K_xy to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWY using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IP_d as a source address ;
said FWX sending said transmission packet to said FWY .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing device (steps b) , the selectively generated packet containing the request for access to the directly attached device .
US5416842A
CLAIM 2
. The method as defined by claim 1 , further comprising the steps by said FWB (intermediary computing device) of : providing an element for performing the step of receiving said transmission packet from FWA and decapsulating said data packet from said transmission packet ;
providing an element for performing the step of obtaining a DH certificate for said FWA and determining said public value α^a mod p from said DH certificate ;
providing an element for performing the step of computing the value of α^ab mod p , said FWB further deriving said key K_ab from said value α^ab mod p ;
providing an element for performing the step of utilizing said key K_ab to decrypt said transient key K_p , and decrypting said received encrypted data packet using said transient key K_p ;
providing an element for performing the step of sending said decrypted data packet to said node J ;
whereby FWB decrypts data received and previously encrypted by FWA , and sends said decrypted data to said node J .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (first storage device) .
US5416842A
CLAIM 11
. A network including a first data processing device node I coupled to a first firewall server FWA and a second data processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , comprising : node I including a transmission device for sending a data packet , having data and a destination address for node J , to said FWA ;
FWA including a first storage device (SCSI interface) for storing a secret value a , and a public value α^a mod p ;
FWB including a second storage device for storing a secret value b , and a public value α^b mod p ;
FWA including an encrypting device for encrypting said data packet to be transmitted to FWB , said data packet being encrypted by using a first Diffie-Hellman DH certificate for FWB to determine said public value α^b mod p , and said encrypting device further computing the value of α^ab mod p and deriving a key K_ab from said value α^ab mod p ;
said encrypting device encrypting a randomly generated transient key K_p from K_ab , and encrypting said data packet using said transient key K_p ;
said encrypted data packet being encapsulated in a transmission packet , said transmission packet including an unencrypted destination address for FWB ;
FWA further including an interface circuit for transmitting said transmission packet to said FWB over said network .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means (secret value) for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (secret value) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5416842A
CLAIM 1
. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data (data packet) processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , an improved method for sending data from said node I to said node J , comprising the steps of : providing an element for performing the step of said node I sending a data packet , including data and a destination address for node J , to said FWA ;
providing an element for performing the step of providing a secret value (filtering means, filtering comprises means) a , and a public value α^a mod p to said FWA ;
providing an element for performing the step of providing a secret value b , and a public value α^b mod p to said FWB ;
said FWA performing the steps of : adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate ;
said firewall FWA computing the value of α^ab mod p , said FWA further deriving a key K_ab from said value α^ab mod p ;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWB using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB ;
said FWA sending said transmission packet to said FWB .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (first storage device) .
US5416842A
CLAIM 11
. A network including a first data processing device node I coupled to a first firewall server FWA and a second data processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , comprising : node I including a transmission device for sending a data packet , having data and a destination address for node J , to said FWA ;
FWA including a first storage device (SCSI interface) for storing a secret value a , and a public value α^a mod p ;
FWB including a second storage device for storing a secret value b , and a public value α^b mod p ;
FWA including an encrypting device for encrypting said data packet to be transmitted to FWB , said data packet being encrypted by using a first Diffie-Hellman DH certificate for FWB to determine said public value α^b mod p , and said encrypting device further computing the value of α^ab mod p and deriving a key K_ab from said value α^ab mod p ;
said encrypting device encrypting a randomly generated transient key K_p from K_ab , and encrypting said data packet using said transient key K_p ;
said encrypted data packet being encapsulated in a transmission packet , said transmission packet including an unencrypted destination address for FWB ;
FWA further including an interface circuit for transmitting said transmission packet to said FWB over said network .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (secret value) is further configured to carry out the filtering at an application layer of a network stack .
US5416842A
CLAIM 1
. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data processing device node J coupled to a second firewall server FWB , said first and second firewall servers disposed between said respective nodes I and J and said network , an improved method for sending data from said node I to said node J , comprising the steps of : providing an element for performing the step of said node I sending a data packet , including data and a destination address for node J , to said FWA ;
providing an element for performing the step of providing a secret value (filtering means, filtering comprises means) a , and a public value α^a mod p to said FWA ;
providing an element for performing the step of providing a secret value b , and a public value α^b mod p to said FWB ;
said FWA performing the steps of : adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate ;
said firewall FWA computing the value of α^ab mod p , said FWA further deriving a key K_ab from said value α^ab mod p ;
said firewall FWA utilizing said key K_ab to encrypt a randomly generated transient key K_p , and encrypting said data packet to be transmitted to FWB using said key K_p , said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB ;
said FWA sending said transmission packet to said FWB .
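The FWA side of US5416842A claim 1 (and claim 9's clear source address and SKCS identifier) together with the FWB side of claim 2, as a runnable toy model added here; it is not code from either patent. Assumptions: a small constructed Diffie-Hellman group (2^127 - 1, generator 3) standing in for a real group, an HMAC tag standing in for the CA signature on the "DH certificate", and an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC standing in for the symmetric cryptosystem the claims leave unspecified.

```python
"""Added example: toy model of the US5416842A firewall-to-firewall tunnel.

Constructed for illustration; not code from either patent. FWA wraps a
random transient key K_p under the Diffie-Hellman key K_ab and encrypts the
inner packet under K_p (claim 1); FWB recovers K_ab from FWA's DH
certificate and reverses the process (claim 2).
"""
import hashlib
import hmac
import secrets
import struct

# Toy Diffie-Hellman group (constructed): 2**127 - 1 is prime, but real
# deployments use a standardized group of 2048 bits or more.
P = 2**127 - 1
ALPHA = 3  # the generator written as alpha in the claims

# Stand-in certificate issuer: an HMAC tag plays the role of the CA signature.
CA_KEY = b"constructed-ca-key-for-the-example"


def dh_keypair():
    """Secret value a (or b) and the public value alpha**a mod p."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(ALPHA, a, P)


def _cert_body(name, public_value):
    return name.encode() + b"|" + public_value.to_bytes(16, "big")


def issue_dh_certificate(name, public_value):
    """'DH certificate': subject name, public value, issuer tag."""
    tag = hmac.new(CA_KEY, _cert_body(name, public_value), hashlib.sha256).digest()
    return {"name": name, "public": public_value, "tag": tag}


def public_value_from_certificate(cert, expected_name):
    """Check subject and issuer tag before trusting the public value."""
    expected = hmac.new(CA_KEY, _cert_body(cert["name"], cert["public"]), hashlib.sha256).digest()
    if cert["name"] != expected_name or not hmac.compare_digest(cert["tag"], expected):
        raise ValueError("untrusted DH certificate")
    return cert["public"]


def derive_kab(secret, peer_public):
    """K_ab from alpha**ab mod p: both firewalls reach the same shared value."""
    shared = pow(peer_public, secret, P)
    return hashlib.sha256(b"K_ab|" + shared.to_bytes(16, "big")).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for the SKCS cipher the claims leave open."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; a modified transmission packet is rejected, not decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("transmission packet failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def fwa_encapsulate(a, fwb_cert, data_packet, src_addr, dst_addr):
    """Claim 1 (and claim 9): K_p wrapped under K_ab, packet under K_p, clear addresses and SKCS id."""
    k_ab = derive_kab(a, public_value_from_certificate(fwb_cert, "FWB"))
    k_p = secrets.token_bytes(32)  # randomly generated transient key
    return {"src": src_addr, "dst": dst_addr, "skcs": "toy-hmac-ctr",
            "wrapped_kp": seal(k_ab, k_p), "payload": seal(k_p, data_packet)}


def fwb_decapsulate(b, fwa_cert, transmission_packet):
    """Claim 2: derive K_ab from FWA's certificate, unwrap K_p, decrypt the inner packet."""
    k_ab = derive_kab(b, public_value_from_certificate(fwa_cert, "FWA"))
    k_p = unseal(k_ab, transmission_packet["wrapped_kp"])
    return unseal(k_p, transmission_packet["payload"])


if __name__ == "__main__":
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    cert_a, cert_b = issue_dh_certificate("FWA", pub_a), issue_dh_certificate("FWB", pub_b)
    tx = fwa_encapsulate(a, cert_b, b"dst=J|hello from node I", "10.0.0.1", "10.0.1.1")
    print(tx["dst"], fwb_decapsulate(b, cert_a, tx))
```

The inner packet's own addresses travel only inside the encrypted payload; only the firewall-to-firewall addresses and the SKCS identifier are in the clear, which is the property the claims rely on.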
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5719786A

Filed: 1993-02-03     Issued: 1998-02-17

Digital media data stream network management system

(Original Assignee) Micro Focus Software Inc     (Current Assignee) Micro Focus Software Inc ; Fluent Inc

David L. Nelson, Premkumar Uppaluru, Pasquale Romano, Jeffrey L. Kleiman
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (node request) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (node request) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5719786A
CLAIM 82
A method for controlling transmission of digitized media data in a packet switching network, the media data comprising a sequence of continuous time-based presentation units, each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type, the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels, the method comprising: receiving from a client processing node a request for presentation of specified presentation unit sequences;
in response to the request, retrieving media data from a corresponding media access location;
determining the media data type of each presentation unit in the retrieved media data;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences, each descriptor comprising media data for one designated presentation unit in that sequence, all presentation descriptors in an assembled sequence being of a common media data type;
associating each presentation descriptor with a corresponding presentation duration and presentation time, based on the retrieved media data;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data, all presentation descriptors and media data in an assembled packet being of a common media data type;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (node request) to the NAD from a plurality of network clients having different operating systems.
US5719786A
CLAIM 82
A method for controlling transmission of digitized media data in a packet switching network, the media data comprising a sequence of continuous time-based presentation units, each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type, the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels, the method comprising: receiving from a client processing node a request for presentation of specified presentation unit sequences;
in response to the request, retrieving media data from a corresponding media access location;
determining the media data type of each presentation unit in the retrieved media data;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences, each descriptor comprising media data for one designated presentation unit in that sequence, all presentation descriptors in an assembled sequence being of a common media data type;
associating each presentation descriptor with a corresponding presentation duration and presentation time, based on the retrieved media data;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data, all presentation descriptors and media data in an assembled packet being of a common media data type;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (node request) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US5719786A
CLAIM 82
A method for controlling transmission of digitized media data in a packet switching network, the media data comprising a sequence of continuous time-based presentation units, each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type, the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels, the method comprising: receiving from a client processing node a request for presentation of specified presentation unit sequences;
in response to the request, retrieving media data from a corresponding media access location;
determining the media data type of each presentation unit in the retrieved media data;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences, each descriptor comprising media data for one designated presentation unit in that sequence, all presentation descriptors in an assembled sequence being of a common media data type;
associating each presentation descriptor with a corresponding presentation duration and presentation time, based on the retrieved media data;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data, all presentation descriptors and media data in an assembled packet being of a common media data type;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences.

US7739302B2
CLAIM 5
A local area (local area) network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (node request) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US5719786A
CLAIM 60
The media data processor of claim 50 wherein the network comprises a local area (local area) network.

US5719786A
CLAIM 82
A method for controlling transmission of digitized media data in a packet switching network, the media data comprising a sequence of continuous time-based presentation units, each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type, the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels, the method comprising: receiving from a client processing node a request for presentation of specified presentation unit sequences;
in response to the request, retrieving media data from a corresponding media access location;
determining the media data type of each presentation unit in the retrieved media data;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences, each descriptor comprising media data for one designated presentation unit in that sequence, all presentation descriptors in an assembled sequence being of a common media data type;
associating each presentation descriptor with a corresponding presentation duration and presentation time, based on the retrieved media data;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data, all presentation descriptors and media data in an assembled packet being of a common media data type;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (node request) to the NAD.
US5719786A
CLAIM 82
A method for controlling transmission of digitized media data in a packet switching network, the media data comprising a sequence of continuous time-based presentation units, each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type, the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels, the method comprising: receiving from a client processing node a request for presentation of specified presentation unit sequences;
in response to the request, retrieving media data from a corresponding media access location;
determining the media data type of each presentation unit in the retrieved media data;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences, each descriptor comprising media data for one designated presentation unit in that sequence, all presentation descriptors in an assembled sequence being of a common media data type;
associating each presentation descriptor with a corresponding presentation duration and presentation time, based on the retrieved media data;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data, all presentation descriptors and media data in an assembled packet being of a common media data type;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (node request) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (node request), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5719786A
CLAIM 82
A method for controlling transmission of digitized media data in a packet switching network, the media data comprising a sequence of continuous time-based presentation units, each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type, the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels, the method comprising: receiving from a client processing node a request for presentation of specified presentation unit sequences;
in response to the request, retrieving media data from a corresponding media access location;
determining the media data type of each presentation unit in the retrieved media data;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences, each descriptor comprising media data for one designated presentation unit in that sequence, all presentation descriptors in an assembled sequence being of a common media data type;
associating each presentation descriptor with a corresponding presentation duration and presentation time, based on the retrieved media data;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data, all presentation descriptors and media data in an assembled packet being of a common media data type;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (node request) to the NAD is only available through the server.
US5719786A
CLAIM 82
A method for controlling transmission of digitized media data in a packet switching network, the media data comprising a sequence of continuous time-based presentation units, each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type, the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels, the method comprising: receiving from a client processing node a request for presentation of specified presentation unit sequences;
in response to the request, retrieving media data from a corresponding media access location;
determining the media data type of each presentation unit in the retrieved media data;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences, each descriptor comprising media data for one designated presentation unit in that sequence, all presentation descriptors in an assembled sequence being of a common media data type;
associating each presentation descriptor with a corresponding presentation duration and presentation time, based on the retrieved media data;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data, all presentation descriptors and media data in an assembled packet being of a common media data type;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit (continuous time, data capture);

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (node request) includes at least one of an IP address of a network source, an IP address of a network destination (node request), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5719786A
CLAIM 1
A computer-based media data processor for controlling the timing of computer processing of digitized continuous time-based (processing unit) media data composed of a sequence of presentation units, each unit characterized by a prespecified presentation duration during a computer presentation of the media data, the media processor comprising: a reference clock which indicates a start time of presentation processing of the media data presentation units and which maintains a current presentation time as the media data presentation unit sequence is processed for presentation;
a counter for counting each presentation unit in the presentation unit sequence after that presentation unit is processed for presentation, to maintain a current presentation unit count;
and a comparator connected to the reference clock and the counter, and programmed with the prespecified presentation duration, the comparator comparing a product of the presentation unit duration and the current presentation unit count, specified by the counter, with the current presentation time, specified by the reference clock, after each presentation unit is processed for presentation, and based on the comparison, releasing a next sequential presentation unit to be processed for presentation when the product matches the current presentation time count, and deleting a next sequential presentation descriptor in that sequence when the product exceeds the current presentation time count.

US5719786A
CLAIM 63
The media data processor of claim 44 wherein the media access location comprises a digitized representation of analog media data captured (processing unit) in real time.

US5719786A
CLAIM 82
A method for controlling transmission of digitized media data in a packet switching network, the media data comprising a sequence of continuous time-based presentation units, each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type, the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels, the method comprising: receiving from a client processing node a request for presentation of specified presentation unit sequences;
in response to the request, retrieving media data from a corresponding media access location;
determining the media data type of each presentation unit in the retrieved media data;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences, each descriptor comprising media data for one designated presentation unit in that sequence, all presentation descriptors in an assembled sequence being of a common media data type;
associating each presentation descriptor with a corresponding presentation duration and presentation time, based on the retrieved media data;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data, all presentation descriptors and media data in an assembled packet being of a common media data type;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit (continuous time, data capture) to determine whether each packet arrived via an authorized network interface.
US5719786A
CLAIM 1
A computer-based media data processor for controlling the timing of computer processing of digitized continuous time-based (processing unit) media data composed of a sequence of presentation units, each unit characterized by a prespecified presentation duration during a computer presentation of the media data, the media processor comprising: a reference clock which indicates a start time of presentation processing of the media data presentation units and which maintains a current presentation time as the media data presentation unit sequence is processed for presentation;
a counter for counting each presentation unit in the presentation unit sequence after that presentation unit is processed for presentation, to maintain a current presentation unit count;
and a comparator connected to the reference clock and the counter, and programmed with the prespecified presentation duration, the comparator comparing a product of the presentation unit duration and the current presentation unit count, specified by the counter, with the current presentation time, specified by the reference clock, after each presentation unit is processed for presentation, and based on the comparison, releasing a next sequential presentation unit to be processed for presentation when the product matches the current presentation time count, and deleting a next sequential presentation descriptor in that sequence when the product exceeds the current presentation time count.

US5719786A
CLAIM 63
The media data processor of claim 44 wherein the media access location comprises a digitized representation of analog media data captured (processing unit) in real time.

US7739302B2
CLAIM 14
The apparatus of claim 13, wherein the instructions, when executed, cause the processing unit (continuous time, data capture) to determine whether each packet contains an unauthorized IP address.
US5719786A
CLAIM 1
A computer-based media data processor for controlling the timing of computer processing of digitized continuous time-based (processing unit) media data composed of a sequence of presentation units, each unit characterized by a prespecified presentation duration during a computer presentation of the media data, the media processor comprising: a reference clock which indicates a start time of presentation processing of the media data presentation units and which maintains a current presentation time as the media data presentation unit sequence is processed for presentation;
a counter for counting each presentation unit in the presentation unit sequence after that presentation unit is processed for presentation, to maintain a current presentation unit count;
and a comparator connected to the reference clock and the counter, and programmed with the prespecified presentation duration, the comparator comparing a product of the presentation unit duration and the current presentation unit count, specified by the counter, with the current presentation time, specified by the reference clock, after each presentation unit is processed for presentation, and based on the comparison, releasing a next sequential presentation unit to be processed for presentation when the product matches the current presentation time count, and deleting a next sequential presentation descriptor in that sequence when the product exceeds the current presentation time count.

US5719786A
CLAIM 63
The media data processor of claim 44 wherein the media access location comprises a digitized representation of analog media data captured (processing unit) in real time.

US7739302B2
CLAIM 15
The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit (continuous time, data capture) to selectively generate a packet for communication to an intermediary computing device, the selectively generated packet containing the request for access to the directly attached device.
US5719786A
CLAIM 1
A computer-based media data processor for controlling the timing of computer processing of digitized continuous time-based (processing unit) media data composed of a sequence of presentation units, each unit characterized by a prespecified presentation duration during a computer presentation of the media data, the media processor comprising: a reference clock which indicates a start time of presentation processing of the media data presentation units and which maintains a current presentation time as the media data presentation unit sequence is processed for presentation;
a counter for counting each presentation unit in the presentation unit sequence after that presentation unit is processed for presentation, to maintain a current presentation unit count;
and a comparator connected to the reference clock and the counter, and programmed with the prespecified presentation duration, the comparator comparing a product of the presentation unit duration and the current presentation unit count, specified by the counter, with the current presentation time, specified by the reference clock, after each presentation unit is processed for presentation, and based on the comparison, releasing a next sequential presentation unit to be processed for presentation when the product matches the current presentation time count, and deleting a next sequential presentation descriptor in that sequence when the product exceeds the current presentation time count.

US5719786A
CLAIM 63
The media data processor of claim 44 wherein the media access location comprises a digitized representation of analog media data captured (processing unit) in real time.

US7739302B2
CLAIM 16
The apparatus of claim 12, wherein the instructions, when executed, cause the processing unit (continuous time, data capture) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface.
US5719786A
CLAIM 1
A computer-based media data processor for controlling the timing of computer processing of digitized continuous time-based (processing unit) media data composed of a sequence of presentation units, each unit characterized by a prespecified presentation duration during a computer presentation of the media data, the media processor comprising: a reference clock which indicates a start time of presentation processing of the media data presentation units and which maintains a current presentation time as the media data presentation unit sequence is processed for presentation;
a counter for counting each presentation unit in the presentation unit sequence after that presentation unit is processed for presentation, to maintain a current presentation unit count;
and a comparator connected to the reference clock and the counter, and programmed with the prespecified presentation duration, the comparator comparing a product of the presentation unit duration and the current presentation unit count, specified by the counter, with the current presentation time, specified by the reference clock, after each presentation unit is processed for presentation, and based on the comparison, releasing a next sequential presentation unit to be processed for presentation when the product matches the current presentation time count, and deleting a next sequential presentation descriptor in that sequence when the product exceeds the current presentation time count.

US5719786A
CLAIM 63
The media data processor of claim 44 wherein the media access location comprises a digitized representation of analog media data captured (processing unit) in real time.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (node request), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5719786A
CLAIM 82
. A method for controlling transmission of digitized media data in a packet switching network , the media data comprising a sequence of continuous time-based presentation units , each unit characterized by a prespecified presentation duration and presentation time during a computer presentation of the media data and further characterized as a distinct media data type , the network comprising a plurality of client computer processing nodes interconnected via packet-based data distribution channels , the method comprising : receiving from a client processing node a request for presentation of specified presentation unit sequences ;
in response to the request , retrieving media data from a corresponding media access location ;
determining the media data type of each presentation unit in the retrieved media data ;
designating each retrieved presentation unit to a specified media data presentation unit sequence based on the media data type determination for that presentation unit ;
assembling a sequence of presentation descriptors for each of the specified presentation unit sequences , each descriptor comprising media data for one designated presentation unit in that sequence , all presentation descriptors in an assembled sequence being of a common media data type ;
associating each presentation descriptor with a corresponding presentation duration and presentation time , based on the retrieved media data ;
linking the descriptors in each assembled sequence to establish a progression of presentation units in each of the specified presentation unit sequences ;
assembling transmission presentation unit packets each composed of at least a portion of a presentation descriptor and its media data , all presentation descriptors and media data in an assembled packet being of a common media data type ;
and releasing the assembled packets for transmission via the network to the client processing node requesting (network access, network destination) presentation of the specified presentation unit sequences .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5440719A

Filed: 1992-10-27     Issued: 1995-08-08

Method simulating data traffic on network in accordance with a client/server paradigm

(Original Assignee) Cadence Design Systems Inc     (Current Assignee) Cadence Design Systems Inc

Charles F. Hanes, Colin K. Mick
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (remote data) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5440719A
CLAIM 15
. The method of claim 11 wherein the one server node represents remote data (network client, network protocol programs) processing resources and wherein the Server Response Time is a function of the throughput of the remote data processing resources .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (remote data) for accepting requests for network access to the NAD from a plurality of network clients (client nodes, more client) having different operating systems .
US5440719A
CLAIM 1
. A method of simulating data traffic being transmitted over a network among a plurality of nodes interconnected by the network , the data traffic comprising a plurality of conversations among the plurality of nodes , one or more of the plurality of nodes being a client node and one or more of the plurality of nodes being a server node , said method comprising the steps of : providing a model representative of the network ;
characterizing one or more of the plurality of conversations as a series of one or more request/response interactions , each of the one or more interactions comprising transmission of a request message from one of the one or more client nodes (network clients) to one of the one or more server nodes , and wherein none , some or all of the one or more interactions further comprise transmission of a response message associated with the request message , the associated response message transmitted from the one server node back to the one client node in response to receiving the request message ;
and generating data representative of the one or more interactions of each of the characterized conversations , said step of generating further comprising the steps of : inputting the generated data for each of the interactions into the network model to determine when the associated response message of each of the interactions having one are received by the one client ;
and when the request message of one of the interactions is dependent on the one client node's receipt of the response message associated with a previously generated request message , delaying the inputting of the data representative of the dependent interaction into the network model until the response message associated with the previously generated request message is received by the one client node as determined by the network model .

US5440719A
CLAIM 15
. The method of claim 11 wherein the one server node represents remote data (network client, network protocol programs) processing resources and wherein the Server Response Time is a function of the throughput of the remote data processing resources .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (remote data) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (local data) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5440719A
CLAIM 15
. The method of claim 11 wherein the one server node represents remote data (network client, network protocol programs) processing resources and wherein the Server Response Time is a function of the throughput of the remote data processing resources .

US5440719A
CLAIM 17
. The method of claim 16 wherein the one client node represents local data (IP addresses) processing resources and the Client Waiting Time is a function of the throughput of the local data processing resources and thinking time attributable to a user .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access (work mode) to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5440719A
CLAIM 1
. A method of simulating data traffic being transmitted over a network among a plurality of nodes interconnected by the network , the data traffic comprising a plurality of conversations among the plurality of nodes , one or more of the plurality of nodes being a client node and one or more of the plurality of nodes being a server node , said method comprising the steps of : providing a model representative of the network ;
characterizing one or more of the plurality of conversations as a series of one or more request/response interactions , each of the one or more interactions comprising transmission of a request message from one of the one or more client nodes to one of the one or more server nodes , and wherein none , some or all of the one or more interactions further comprise transmission of a response message associated with the request message , the associated response message transmitted from the one server node back to the one client node in response to receiving the request message ;
and generating data representative of the one or more interactions of each of the characterized conversations , said step of generating further comprising the steps of : inputting the generated data for each of the interactions into the network model (providing network access) to determine when the associated response message of each of the interactions having one are received by the one client ;
and when the request message of one of the interactions is dependent on the one client node's receipt of the response message associated with a previously generated request message , delaying the inputting of the data representative of the dependent interaction into the network model until the response message associated with the previously generated request message is received by the one client node as determined by the network model .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (client nodes, more client) and other devices in a manner that is in addition to any protection afforded by a firewall .
US5440719A
CLAIM 1
. A method of simulating data traffic being transmitted over a network among a plurality of nodes interconnected by the network , the data traffic comprising a plurality of conversations among the plurality of nodes , one or more of the plurality of nodes being a client node and one or more of the plurality of nodes being a server node , said method comprising the steps of : providing a model representative of the network ;
characterizing one or more of the plurality of conversations as a series of one or more request/response interactions , each of the one or more interactions comprising transmission of a request message from one of the one or more client nodes (network clients) to one of the one or more server nodes , and wherein none , some or all of the one or more interactions further comprise transmission of a response message associated with the request message , the associated response message transmitted from the one server node back to the one client node in response to receiving the request message ;
and generating data representative of the one or more interactions of each of the characterized conversations , said step of generating further comprising the steps of : inputting the generated data for each of the interactions into the network model to determine when the associated response message of each of the interactions having one are received by the one client ;
and when the request message of one of the interactions is dependent on the one client node's receipt of the response message associated with a previously generated request message , delaying the inputting of the data representative of the dependent interaction into the network model until the response message associated with the previously generated request message is received by the one client node as determined by the network model .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5247670A

Filed: 1989-03-09     Issued: 1993-09-21

Network server

(Original Assignee) Fuji Xerox Co Ltd     (Current Assignee) Fuji Xerox Co Ltd

Yoshifumi Matsunaga
US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5247670A
CLAIM 2
. The server of claim 1 , wherein said processing means comprises : a service processing unit (processing unit) for executing a selected one of said plurality of predetermined service programs ;
and a result storage means for storing a result of the processing by said service processing unit .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
US5247670A
CLAIM 2
. The server of claim 1 , wherein said processing means comprises : a service processing unit (processing unit) for executing a selected one of said plurality of predetermined service programs ;
and a result storage means for storing a result of the processing by said service processing unit .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
US5247670A
CLAIM 2
. The server of claim 1 , wherein said processing means comprises : a service processing unit (processing unit) for executing a selected one of said plurality of predetermined service programs ;
and a result storage means for storing a result of the processing by said service processing unit .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing (service processing, requested service) device , the selectively generated packet containing the request for access to the directly attached device .
US5247670A
CLAIM 2
. The server of claim 1 , wherein said processing means comprises : a service processing (intermediary computing) unit for executing a selected one of said plurality of predetermined service programs ;
and a result storage means for storing a result of the processing by said service processing unit .

US5247670A
CLAIM 6
. A server for a communication network , comprising : means for storing request files received from said communication network ;
means for storing a plurality of predetermined service programs made available through the communication network ;
means for processing said request files by reading a requested one of said plurality of predetermined service programs from said service program storing means and executing said requested service (intermediary computing) program ;
and means for storing the results of each processed request file sent thereto by said processing means .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US5247670A
CLAIM 2
. The server of claim 1 , wherein said processing means comprises : a service processing unit (processing unit) for executing a selected one of said plurality of predetermined service programs ;
and a result storage means for storing a result of the processing by said service processing unit .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (said communication network) is further configured to manage access over a SCSI interface .
US5247670A
CLAIM 6
. A server for a communication network , comprising : means for storing request files received from said communication network (managing means) ;
means for storing a plurality of predetermined service programs made available through the communication network ;
means for processing said request files by reading a requested one of said plurality of predetermined service programs from said service program storing means and executing said requested service program ;
and means for storing the results of each processed request file sent thereto by said processing means .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9837680A2

Filed: 1998-02-24     Issued: 1998-08-27

E-mail server for message filtering and routing

(Original Assignee) Intervoice Limited Partnership     

Robert H. Franz
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail, filter data) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9837680A2
CLAIM 1
. An electronic mail (network destination) server for receiving incoming mail from a sender and for routing the incoming mail to a recipient , the server comprising : a database having profile information about the recipient and trigger criteria ;
means for signaling the recipient in accordance with the profile information ;
and means for correlating incoming electronic mail with the trigger criteria for determining if a particular incoming mail message is to be treated special ;
and means for activating the signaling means upon determination of a mail message that is to be treated special .

WO9837680A2
CLAIM 19
. A method for receiving incoming electronic mail from a sender , routing the incoming mail to a recipient , and determining which of the incoming mail is critical mail , the method comprising the steps of : storing profile information about the recipient and trigger criteria in a filter database (network destination) ;
correlating , by a filter , the incoming mail with the trigger criteria for determining the critical mail ;
and establishing communication with the recipient in accordance with the profile information by a call generator upon determination of critical mail .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (preselected time period) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (address data) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9837680A2
CLAIM 7
. The server of claim 6 , wherein the status information discloses that the special mail has been examined by the recipient before expiration of a preselected time period (electronic communication) .

WO9837680A2
CLAIM 12
. The server of claim 1 , wherein the server routes the incoming mail to the recipient in accordance with address data (IP addresses) derived from the incoming mail .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail, filter data) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9837680A2
CLAIM 1
. An electronic mail (network destination) server for receiving incoming mail from a sender and for routing the incoming mail to a recipient , the server comprising : a database having profile information about the recipient and trigger criteria ;
means for signaling the recipient in accordance with the profile information ;
and means for correlating incoming electronic mail with the trigger criteria for determining if a particular incoming mail message is to be treated special ;
and means for activating the signaling means upon determination of a mail message that is to be treated special .

WO9837680A2
CLAIM 19
. A method for receiving incoming electronic mail from a sender , routing the incoming mail to a recipient , and determining which of the incoming mail is critical mail , the method comprising the steps of : storing profile information about the recipient and trigger criteria in a filter database (network destination) ;
correlating , by a filter , the incoming mail with the trigger criteria for determining the critical mail ;
and establishing communication with the recipient in accordance with the profile information by a call generator upon determination of critical mail .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail, filter data) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9837680A2
CLAIM 1
. An electronic mail (network destination) server for receiving incoming mail from a sender and for routing the incoming mail to a recipient , the server comprising : a database having profile information about the recipient and trigger criteria ;
means for signaling the recipient in accordance with the profile information ;
and means for correlating incoming electronic mail with the trigger criteria for determining if a particular incoming mail message is to be treated special ;
and means for activating the signaling means upon determination of a mail message that is to be treated special .

WO9837680A2
CLAIM 19
. A method for receiving incoming electronic mail from a sender , routing the incoming mail to a recipient , and determining which of the incoming mail is critical mail , the method comprising the steps of : storing profile information about the recipient and trigger criteria in a filter database (network destination) ;
correlating , by a filter , the incoming mail with the trigger criteria for determining the critical mail ;
and establishing communication with the recipient in accordance with the profile information by a call generator upon determination of critical mail .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto (notification means) , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail, filter data) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9837680A2
CLAIM 1
. An electronic mail (network destination) server for receiving incoming mail from a sender and for routing the incoming mail to a recipient , the server comprising : a database having profile information about the recipient and trigger criteria ;
means for signaling the recipient in accordance with the profile information ;
and means for correlating incoming electronic mail with the trigger criteria for determining if a particular incoming mail message is to be treated special ;
and means for activating the signaling means upon determination of a mail message that is to be treated special .

WO9837680A2
CLAIM 14
. The system of claim 13 , wherein the server further comprises : a database controller for altering both the profile information and the trigger criteria ;
a text-to-speech converter that allows the recipient to receive the critical mail via telephone from the call generator ;
feedback means for relaying status information describing status of the critical mail back to the sender ;
and alternative notification means (external thereto) for notifying alternative personnel in accordance with the profile information upon expiration of a preselected time period .

WO9837680A2
CLAIM 19
. A method for receiving incoming electronic mail from a sender , routing the incoming mail to a recipient , and determining which of the incoming mail is critical mail , the method comprising the steps of : storing profile information about the recipient and trigger criteria in a filter database (network destination) ;
correlating , by a filter , the incoming mail with the trigger criteria for determining the critical mail ;
and establishing communication with the recipient in accordance with the profile information by a call generator upon determination of critical mail .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
EP0855659A1

Filed: 1998-01-13     Issued: 1998-07-29

System and method for providing anonymous personalized browsing in a network

(Original Assignee) Nokia of America Corp     (Current Assignee) Nokia of America Corp

Eran Gabber, Phillip B. Gibbons, Yossi Matias, Alain Jules Mayer
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (session information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
EP0855659A1
CLAIM 1
A central proxy system for coupling to a network and for allowing users to browse server sites on said network (NAD server) anonymously via said central proxy system , said central proxy system comprising : a computer-executable first routine that processes site-specific substitute identifiers constructed from data specific to said users ;
a computer-executable second routine that transmits said substitute identifiers to said server sites and thereafter retransmits browsing commands received from said users to said server sites ;
and a computer-executable third routine that removes portions of said browsing commands that would identify said users to said server sites .

EP0855659A1
CLAIM 17
The central proxy system as recited in Claim 1 further comprising a data store capable of containing session information (network destination) specific to said users and accessible by said server sites .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
EP0855659A1
CLAIM 1
A central proxy system for coupling to a network and for allowing users to browse server sites on said network (NAD server) anonymously via said central proxy system , said central proxy system comprising : a computer-executable first routine that processes site-specific substitute identifiers constructed from data specific to said users ;
a computer-executable second routine that transmits said substitute identifiers to said server sites and thereafter retransmits browsing commands received from said users to said server sites ;
and a computer-executable third routine that removes portions of said browsing commands that would identify said users to said server sites .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (network address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
EP0855659A1
CLAIM 29
The peripheral proxy system as recited in Claim 28 wherein said first and second routines are executable on a computer system associated with said particular user and said central proxy system is a computer system having a network address (IP addresses) different from said computer system associated with said particular user .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (session information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
EP0855659A1
CLAIM 17
The central proxy system as recited in Claim 1 further comprising a data store capable of containing session information (network destination) specific to said users and accessible by said server sites .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (session information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
EP0855659A1
CLAIM 17
The central proxy system as recited in Claim 1 further comprising a data store capable of containing session information (network destination) specific to said users and accessible by said server sites .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (session information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said key) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
EP0855659A1
CLAIM 14
The central proxy system as recited in Claim 13 wherein each of said electronic mailboxes has a key associated therewith , said key (filtering means) being a function of said data and an index number .

EP0855659A1
CLAIM 17
The central proxy system as recited in Claim 1 further comprising a data store capable of containing session information (network destination) specific to said users and accessible by said server sites .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said key) is further configured to carry out the filtering at an application layer of a network stack .
EP0855659A1
CLAIM 14
The central proxy system as recited in Claim 13 wherein each of said electronic mailboxes has a key associated therewith , said key (filtering means) being a function of said data and an index number .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
EP0856974A2

Filed: 1998-01-07     Issued: 1998-08-05

Session cache and rule caching method for a dynamic filter

(Original Assignee) AT&T Corp     (Current Assignee) AT&T Corp

Partha P. Dutta, Thomas B. London, Karl Andres Sül, Dalibor F. Vrsalovic, Daniel N. Zenchelsky
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (first port) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (network source) , an IP address of a network destination (network destination) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
EP0856974A2
CLAIM 2
The cache of claim 1 , wherein said cache key is a network source (network source) address , a network destination (network destination) address , a source port , a destination port , and a protocol identifier .

EP0856974A2
CLAIM 17
Computer readable medium having a computer program encoded thereon , comprising : a . a first portion (data packet) of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
EP0856974A2
CLAIM 17
Computer readable medium having a computer program (network protocol programs) encoded thereon , comprising : a . a first portion of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (first port) containing the request for network access is complete , the information relating to at least one of the network source (network source) , destination , and route of the data packet .
EP0856974A2
CLAIM 2
The cache of claim 1 , wherein said cache key is a network source (network source) address , a network destination address , a source port , a destination port , and a protocol identifier .

EP0856974A2
CLAIM 17
Computer readable medium having a computer program encoded thereon , comprising : a . a first portion (data packet) of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (first port) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (network source) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
EP0856974A2
CLAIM 2
The cache of claim 1 , wherein said cache key is a network source address (IP addresses) , a network destination address (IP addresses) , a source port , a destination port , and a protocol identifier .

EP0856974A2
CLAIM 17
Computer readable medium having a computer program encoded thereon , comprising : a . a first portion (data packet) of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (first port) arrived via an authorized network interface .
EP0856974A2
CLAIM 17
Computer readable medium having a computer program encoded thereon , comprising : a . a first portion (data packet) of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (first port) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
EP0856974A2
CLAIM 17
Computer readable medium having a computer program encoded thereon , comprising : a . a first portion (data packet) of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .
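The US7739302B2 claims charted above (claims 1, 4, 5, 6 and 9) recite a sequence of header checks performed inside the NAD, independently of any perimeter firewall: the header must be complete (source, destination, route), the packet must have arrived on an authorized interface, the IP addresses must pass a filter, and the request must name a proper port of the NAD. The following is an added illustration written for this chart, not code from the patent or from any cited reference; the packet layout, interface names, allow-list and sample packets are assumptions chosen to exercise each check.

```python
"""Toy 'internal firewall management component' for a network attached device.
Added example for this chart; not from US7739302B2 or any reference cited here.
Checks are applied in the order the claims recite them:
  1. header completeness: source, destination and route present (claims 4, 5)
  2. packet arrived via an authorized network interface (claim 6)
  3. IP-address filtering against an assumed allow-list (claims 1, 5)
  4. the destination port is one the NAD actually exposes (claim 9)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class PacketHeader:
    src: Optional[str]   # IP address of the network source
    dst: Optional[str]   # IP address of the network destination
    route: tuple         # hop list the packet carries (assumed representation)
    iface: str           # NAD interface the packet arrived on
    dport: int           # destination port on the NAD


@dataclass
class InternalFirewall:
    nad_addr: str
    allowed_sources: list    # CIDR strings; assumed local policy
    authorized_ifaces: set
    exposed_ports: dict      # port number -> service name ("proper port")

    def check(self, h: PacketHeader) -> tuple:
        """Return (authorized, reason_or_service) for one request header."""
        # 1. completeness: reject before any address is parsed
        if not h.src or not h.dst or not h.route:
            return False, "incomplete header"
        # 2. ingress interface
        if h.iface not in self.authorized_ifaces:
            return False, f"unauthorized interface {h.iface}"
        # 3. IP filtering: destination must be this NAD, source inside allow-list
        try:
            src, dst = ip_address(h.src), ip_address(h.dst)
        except ValueError:
            return False, "malformed address"
        if dst != ip_address(self.nad_addr):
            return False, "not addressed to this NAD"
        if not any(src in ip_network(n) for n in self.allowed_sources):
            return False, f"source {src} not permitted"
        # 4. proper port: only services the NAD exposes are reachable
        svc = self.exposed_ports.get(h.dport)
        if svc is None:
            return False, f"port {h.dport} not exposed"
        return True, svc


def filter_requests(fw: InternalFirewall, headers) -> list:
    """One decision per request; the data management component would only
    serve requests whose decision is (True, service)."""
    return [fw.check(h) for h in headers]


def demo() -> list:
    # Constructed sample: an internal LAN client, an external host that has
    # already passed the perimeter firewall, and three malformed/unauthorized cases.
    fw = InternalFirewall(
        nad_addr="10.0.0.20",
        allowed_sources=["10.0.0.0/24"],
        authorized_ifaces={"eth0"},
        exposed_ports={445: "smb", 2049: "nfs"},
    )
    headers = [
        PacketHeader("10.0.0.5", "10.0.0.20", ("10.0.0.5",), "eth0", 445),
        PacketHeader("203.0.113.9", "10.0.0.20", ("203.0.113.9", "fw"), "eth0", 445),
        PacketHeader("10.0.0.5", "10.0.0.20", (), "eth0", 445),
        PacketHeader("10.0.0.5", "10.0.0.20", ("10.0.0.5",), "mgmt", 445),
        PacketHeader("10.0.0.5", "10.0.0.20", ("10.0.0.5",), "eth0", 23),
    ]
    return filter_requests(fw, headers)


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The second sample packet is the case the claims single out: it came in through the firewall, yet the NAD still refuses it because its source address fails the NAD's own filter, which is the "in addition to any protection afforded by a firewall" limitation in concrete form.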

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (first port) containing the request for network access includes at least one of an IP address of a network source (network source) , an IP address of a network destination (network destination) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
EP0856974A2
CLAIM 2
The cache of claim 1 , wherein said cache key is a network source (network source) address , a network destination (network destination) address , a source port , a destination port , and a protocol identifier .

EP0856974A2
CLAIM 17
Computer readable medium having a computer program encoded thereon , comprising : a . a first portion (data packet) of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (first port) containing the request for network access includes at least one of an IP address of a network source (network source) , an IP address of a network destination (network destination) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
EP0856974A2
CLAIM 2
The cache of claim 1 , wherein said cache key is a network source (network source) address , a network destination (network destination) address , a source port , a destination port , and a protocol identifier .

EP0856974A2
CLAIM 17
Computer readable medium having a computer program encoded thereon , comprising : a . a first portion (data packet) of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (network source) , an IP address of a network destination (network destination) , and a route of the data packet (first port) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
EP0856974A2
CLAIM 2
The cache of claim 1 , wherein said cache key is a network source (network source) address , a network destination (network destination) address , a source port , a destination port , and a protocol identifier .

EP0856974A2
CLAIM 17
Computer readable medium having a computer program encoded thereon , comprising : a . a first portion (data packet) of said medium having a first program segment for receiving a packet having identification data over a computer network ;
b . a second portion of said medium having a second program segment for searching a cache to identify a cache entry having a cache key that corresponds to the identification data of the received packet ;
c . a third portion of said medium having a third program segment for determining if the cache entry version number of a corresponding cache entry identified by said second portion corresponds to the version number of the rule base from which the cache entry was derived .
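EP0856974A2 claim 17 (mapped repeatedly above) describes three program segments: receive a packet, look up a session-cache entry keyed on its identification data (the five-tuple of claim 2), and check that the entry's version number still matches the rule base it was derived from. The version check is the security-relevant part: without it a cached ALLOW survives a rule-base change. The following is an added example written for this chart, not AT&T's code; the rule syntax, policy and packet five-tuple are assumptions.

```python
"""Session cache with rule-base version stamping, after EP0856974A2 claims 2 and 17.
Added example for this chart; not code from the patent.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dport: Optional[int]   # None matches any destination port (assumed syntax)
    proto: str
    action: str            # "allow" or "deny"


class RuleBase:
    """Ordered first-match rule list with default deny; each edit bumps the version."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.version = 1
        self.evaluations = 0   # counts slow-path rule walks, for the demo

    def replace(self, rules):
        self.rules = list(rules)
        self.version += 1      # every cache entry derived earlier is now stale

    def evaluate(self, key) -> str:
        self.evaluations += 1
        src, dst, _sport, dport, proto = key
        for r in self.rules:
            if (ip_address(src) in ip_network(r.src_net)
                    and ip_address(dst) in ip_network(r.dst_net)
                    and (r.dport is None or r.dport == dport)
                    and r.proto == proto):
                return r.action
        return "deny"


class SessionCache:
    """Cache key: (src, dst, sport, dport, proto). Entry: (action, rule-base version)."""

    def __init__(self, rulebase: RuleBase):
        self.rb = rulebase
        self.entries = {}

    def lookup(self, key) -> str:
        hit = self.entries.get(key)
        # claim 17 step c: a hit is usable only if its version matches the rule base
        if hit is not None and hit[1] == self.rb.version:
            return hit[0]
        action = self.rb.evaluate(key)          # miss or stale: re-derive
        self.entries[key] = (action, self.rb.version)
        return action


def demo() -> dict:
    # Constructed flow: an SMB session from a LAN client to a NAD at 10.0.0.20.
    rb = RuleBase([Rule("10.0.0.0/24", "10.0.0.20/32", 445, "tcp", "allow")])
    cache = SessionCache(rb)
    key = ("10.0.0.5", "10.0.0.20", 51515, 445, "tcp")
    first = cache.lookup(key)            # miss: rule walk, cached at version 1
    second = cache.lookup(key)           # hit at version 1: no rule walk
    walks_before = rb.evaluations
    rb.replace([Rule("10.0.0.0/24", "10.0.0.20/32", 445, "tcp", "deny")])
    third = cache.lookup(key)            # entry stale (version 1 != 2): re-derived
    return {
        "first": first, "second": second, "third": third,
        "walks_before_change": walks_before,
        "walks_total": rb.evaluations,
        "version": rb.version,
    }


if __name__ == "__main__":
    print(demo())
```

A cache that compared only the five-tuple would return the stale "allow" on the third lookup; stamping entries with the rule-base version is what lets the filter stay dynamic without flushing the whole cache on every edit.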




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
EP0849680A2

Filed: 1997-12-17     Issued: 1998-06-24

Multilevel security port methods, apparatuses, and computer program products

(Original Assignee) Sun Microsystems Inc     (Current Assignee) Sun Microsystems Inc

Gary W. Winiger
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (computer code, network layer) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (computer code, network layer) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (first destination) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
EP0849680A2
CLAIM 1
A computer program product comprising : a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports , said ports being associated with a common port number , each of said ports having a selected sensitivity label , said port number and said sensitivity label defining a selected port identifier for at least one of said ports , permitting multiple , simultaneous access to the port , said computer code (network client, network access, providing network access) mechanism comprising : first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification , source port number , and destination port identifier region , said destination port identifier region including a destination port number and sensitivity label subregion ;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports .

EP0849680A2
CLAIM 2
A first program storage device readable by a machine , tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple , simultaneous access of a resource in a multilevel trusted system , said first program storage device comprising : first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process , said packet comprising at least a first destination (network source) port number and a first sensitivity label ;
second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label , said port number and said sensitivity label , together providing a port identifier ;
third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports ;
and fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports , said opening permitting contemporaneous processes associated with a plurality of ports having the same port number , and a unique sensitivity label .

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers (network client, network access, providing network access) of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests for network access (computer code, work layer) to the NAD from a plurality of network clients having different operating systems.
EP0849680A2
CLAIM 1
A computer program (network protocol programs) product comprising: a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code (network client, network access, providing network access) mechanism comprising: first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports.

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers (network client, network access, providing network access) of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (computer code, work layer) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source (first destination), destination, and route of the data packet.
EP0849680A2
CLAIM 1
A computer program product comprising: a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code (network client, network access, providing network access) mechanism comprising: first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports.

EP0849680A2
CLAIM 2
A first program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising: first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination (network source) port number and a first sensitivity label;
second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label, together providing a port identifier;
third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports;
and fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number, and a unique sensitivity label.

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers (network client, network access, providing network access) of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client (computer code, work layer) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising;

a data management component (different sensitivity), and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (computer code, work layer) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (first destination), a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
EP0849680A2
CLAIM 1
A computer program product comprising: a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code (network client, network access, providing network access) mechanism comprising: first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports.

EP0849680A2
CLAIM 2
A first program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising: first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination (network source) port number and a first sensitivity label;
second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label, together providing a port identifier;
third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports;
and fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number, and a unique sensitivity label.

EP0849680A2
CLAIM 7
A multilevel port for permitting simultaneous access by a plurality of processes, each process having a different sensitivity (data management component, managing means) label, the multilevel port defined by a common port number and a plurality of selected, unique sensitivity labels to permit two-way communication between said port and a plurality of processes having the same sensitivity labels.

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers (network client, network access, providing network access) of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (computer code, work layer) to the NAD.
EP0849680A2
CLAIM 1
A computer program product comprising: a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code (network client, network access, providing network access) mechanism comprising: first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports.

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers (network client, network access, providing network access) of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (computer code, work layer) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (first destination), an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
EP0849680A2
CLAIM 1
A computer program product comprising: a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code (network client, network access, providing network access) mechanism comprising: first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports.

EP0849680A2
CLAIM 2
A first program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising: first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination (network source) port number and a first sensitivity label;
second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label, together providing a port identifier;
third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports;
and fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number, and a unique sensitivity label.

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers (network client, network access, providing network access) of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (computer code, work layer) to the NAD is only available through the server.
EP0849680A2
CLAIM 1
A computer program product comprising: a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code (network client, network access, providing network access) mechanism comprising: first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports.

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers (network client, network access, providing network access) of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions (readable program) that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (computer code, work layer) includes at least one of an IP address of a network source (first destination), an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
EP0849680A2
CLAIM 1
A computer program product comprising: a computer useable medium having a computer readable program (storing instructions) code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code (network client, network access, providing network access) mechanism comprising: first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports.

EP0849680A2
CLAIM 2
A first program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising: first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination (network source) port number and a first sensitivity label;
second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label, together providing a port identifier;
third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports;
and fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number, and a unique sensitivity label.

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers (network client, network access, providing network access) of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 15
The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit to selectively generate a packet for communication to an intermediary computing (security protocol) device, the selectively generated packet containing the request for access to the directly attached device.
EP0849680A2
CLAIM 4
A first program storage device as in claim 3, further comprising: fifth computer readable code devices configured to pass a data portion of the communications packet to the process instantiating the application associated with the port previously opened in said port opening step;
sixth computer readable code devices configured to prepare a reply communication packet for transmission to said first process, said reply communication packet comprising at least a destination port number, a second sensitivity label, and a reply;
seventh computer readable code devices configured to transmit said reply communication packet to said source machine;
and eighth computer readable code devices configured to process said reply communication packet by said source machine in accordance with the security protocol (intermediary computing, network protocols) of said source machine.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (data link).
EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link (application layer) and the network layers of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 18
The apparatus of claim 12, wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (security protocol).
EP0849680A2
CLAIM 4
A first program storage device as in claim 3, further comprising: fifth computer readable code devices configured to pass a data portion of the communications packet to the process instantiating the application associated with the port previously opened in said port opening step;
sixth computer readable code devices configured to prepare a reply communication packet for transmission to said first process, said reply communication packet comprising at least a destination port number, a second sensitivity label, and a reply;
seventh computer readable code devices configured to transmit said reply communication packet to said source machine;
and eighth computer readable code devices configured to process said reply communication packet by said source machine in accordance with the security protocol (intermediary computing, network protocols) of said source machine.

US7739302B2
CLAIM 19
The apparatus of claim 18 wherein one of the plurality of network protocols (security protocol) is TCP/IP.
EP0849680A2
CLAIM 4
A first program storage device as in claim 3, further comprising: fifth computer readable code devices configured to pass a data portion of the communications packet to the process instantiating the application associated with the port previously opened in said port opening step;
sixth computer readable code devices configured to prepare a reply communication packet for transmission to said first process, said reply communication packet comprising at least a destination port number, a second sensitivity label, and a reply;
seventh computer readable code devices configured to transmit said reply communication packet to said source machine;
and eighth computer readable code devices configured to process said reply communication packet by said source machine in accordance with the security protocol (intermediary computing, network protocols) of said source machine.

US7739302B2
CLAIM 21
The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer, a storage device (storage device), and a video codec.
EP0849680A2
CLAIM 2
A first program storage device (storage device) readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising: first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination port number and a first sensitivity label;
second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label, together providing a port identifier;
third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports;
and fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number, and a unique sensitivity label.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (first destination), an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
EP0849680A2
CLAIM 2
A first program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising: first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination (network source) port number and a first sensitivity label;
second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label, together providing a port identifier;
third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports;
and fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number, and a unique sensitivity label.

US7739302B2
CLAIM 24
The apparatus of claim 23, wherein the managing means (different sensitivity) is further configured to manage access over a SCSI interface.
EP0849680A2
CLAIM 7
A multilevel port for permitting simultaneous access by a plurality of processes, each process having a different sensitivity (data management component, managing means) label, the multilevel port defined by a common port number and a plurality of selected, unique sensitivity labels to permit two-way communication between said port and a plurality of processes having the same sensitivity labels.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (data link) of a network stack (protocol header).
EP0849680A2
CLAIM 1
A computer program product comprising: a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code mechanism comprising: first computer readable code mechanism for constructing a communications packet comprising a protocol header (network stack) in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion;
and second computer readable code mechanism for permitting reception communications packets for establishing receiver ports.

EP0849680A2
CLAIM 10
A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link (application layer) and the network layers of a second computer system operating under an OSI protocol.

US7739302B2
CLAIM 29
The apparatus of claim 22, wherein the NAD comprises at least one of a printer, a storage device (storage device), and a video codec.
EP0849680A2
CLAIM 2
A first program storage device (storage device) readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising: first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination port number and a first sensitivity label;
second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label, together providing a port identifier;
third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports;
and fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number, and a unique sensitivity label.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9822886A1

Filed: 1997-11-20     Issued: 1998-05-28

Performance optimizations for computer networks using http

(Original Assignee) Intel Corporation     

Chandrashekhar W. Bhide, Jagdeep Singh, Don Oestreicher
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (HTTP requests) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (network access) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9822886A1
CLAIM 12
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access (network access) equipment , networked between the client computer and the Web and proxy servers , including an agent that receives an HTTP request from the Web browser to open a single network connection to the server and sends a plurality of requests to the server to open a plurality of network connections to the server ;
wherein the plurality of network connections to the server are opened in response to the HTTP request from the Web browser to open a single network connection .

WO9822886A1
CLAIM 24
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access equipment , networked between the client computer and the Web and proxy servers , including an agent that receives HTTP requests (network client) and sends the HTTP requests to either the Web server or the proxy server depending on each HTTP request ;
wherein software on the client computer does not need to be modified to utilize the proxy server .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (network access) to the NAD from a plurality of network clients having different operating systems .
WO9822886A1
CLAIM 12
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access (network access) equipment , networked between the client computer and the Web and proxy servers , including an agent that receives an HTTP request from the Web browser to open a single network connection to the server and sends a plurality of requests to the server to open a plurality of network connections to the server ;
wherein the plurality of network connections to the server are opened in response to the HTTP request from the Web browser to open a single network connection .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (network access) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
WO9822886A1
CLAIM 12
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access (network access) equipment , networked between the client computer and the Web and proxy servers , including an agent that receives an HTTP request from the Web browser to open a single network connection to the server and sends a plurality of requests to the server to open a plurality of network connections to the server ;
wherein the plurality of network connections to the server are opened in response to the HTTP request from the Web browser to open a single network connection .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (HTTP requests) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (network access) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9822886A1
CLAIM 12
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access (network access) equipment , networked between the client computer and the Web and proxy servers , including an agent that receives an HTTP request from the Web browser to open a single network connection to the server and sends a plurality of requests to the server to open a plurality of network connections to the server ;
wherein the plurality of network connections to the server are opened in response to the HTTP request from the Web browser to open a single network connection .

WO9822886A1
CLAIM 24
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access equipment , networked between the client computer and the Web and proxy servers , including an agent that receives HTTP requests (network client) and sends the HTTP requests to either the Web server or the proxy server depending on each HTTP request ;
wherein software on the client computer does not need to be modified to utilize the proxy server .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access (network access) to the NAD .
WO9822886A1
CLAIM 12
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access (network access) equipment , networked between the client computer and the Web and proxy servers , including an agent that receives an HTTP request from the Web browser to open a single network connection to the server and sends a plurality of requests to the server to open a plurality of network connections to the server ;
wherein the plurality of network connections to the server are opened in response to the HTTP request from the Web browser to open a single network connection .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (network access) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9822886A1
CLAIM 12
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access (network access) equipment , networked between the client computer and the Web and proxy servers , including an agent that receives an HTTP request from the Web browser to open a single network connection to the server and sends a plurality of requests to the server to open a plurality of network connections to the server ;
wherein the plurality of network connections to the server are opened in response to the HTTP request from the Web browser to open a single network connection .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (network access) to the NAD is only available through the server .
WO9822886A1
CLAIM 12
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access (network access) equipment , networked between the client computer and the Web and proxy servers , including an agent that receives an HTTP request from the Web browser to open a single network connection to the server and sends a plurality of requests to the server to open a plurality of network connections to the server ;
wherein the plurality of network connections to the server are opened in response to the HTTP request from the Web browser to open a single network connection .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (network access) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9822886A1
CLAIM 12
. A computer network , comprising : a client computer running a Web browser ;
a Web server networked to the client computer ;
a proxy server computer networked to the client computer for storing information available on the Web server ;
and network access (network access) equipment , networked between the client computer and the Web and proxy servers , including an agent that receives an HTTP request from the Web browser to open a single network connection to the server and sends a plurality of requests to the server to open a plurality of network connections to the server ;
wherein the plurality of network connections to the server are opened in response to the HTTP request from the Web browser to open a single network connection .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (third request) device , the selectively generated packet containing the request for access to the directly attached device .
WO9822886A1
CLAIM 2
. The method of claim 1 , further comprising the steps of : receiving a third request (intermediary computing) from a client to open a single network connection to the server ;
sending a response to the client that a network connection is open ;
receiving a fourth request from the client ;
and sending the fourth request to the server using one of the plurality of network connections previously obtained in response to the first request .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5781632A

Filed: 1997-10-30     Issued: 1998-07-14

Method and apparatus for secured transmission of confidential data over an unsecured network

(Original Assignee) Odom; Gregory Glen     

Gregory Glen Odom
US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (request data) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (transmission channel) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5781632A
CLAIM 1
. Over a network where unique encryption keys are forwarded to users on an off-network basis , said encryption keys being randomly generated and assigned to said users by an automated processing system , said encryption keys having corresponding unique customer numbers assigned thereto , a method of securely transmitting a customer request for goods or services to a merchant via an intermediary switch , the method comprising the steps of : (a) encrypting the customer request , customer number and encryption key and electronic address of at least one merchant to create an unintelligible electronic message ;
(b) attaching the customer's unique number in clear format to the unintelligible message to create a message request ;
(c) accessing the network ;
(d) transmitting the message request to the switch via the network ;
(e) verifying the integrity of the message request by performing a bit stream check on the message request data (receiving requests) stream ;
(f) logging any errors found in the message request data stream ;
(g) de-encrypting the message request if it is error free to reveal the customer request , the encryption key , the customer number and the electronic address of the merchant ;
(h) comparing the de-encrypted customer number to the customer's unique number in clear format to verify that they match ;
(i) logging an error if the de-encrypted customer number does not match the customer's unique number in clear format ;
(j) retrieving the customer's velocity file if the de-encrypted encryption key matches the encryption key in clear format ;
(k) verifying that the customer request does not violate any customer specified transaction limits contained in the velocity file ;
(l) logging an error if the customer request violates any customer specified transaction limits ;
(m) retrieving the merchant's encryption key and unique number if no violation of the velocity file is encountered ;
(n) using the merchant's unique encryption key to re-encrypt the customer request ;
and (o) transmitting the re-encrypted message to the merchant .

US5781632A
CLAIM 5
. A system for securely transmitting a customer request for goods and/or services over the Internet using unique customer specific encryption keys and associated customer numbers , said encryption keys delivered to a customer over a non-Internet transmission channel (filtering means) , the system comprising : a computing means running at least one application program for creating encrypted electronic messages using a customer's unique encryption key , said encrypted electronic messages containing the customer's encryption key , the customer's unique customer number and a customer request ;
an Internet access means coupled to said computing means ;
a switch configured to intercept said encrypted electronic messages , said switch communicably accessible to said computing means using said Internet access means , said switch comprising the following : a customer database containing a plurality of key generation and distribution data ;
a de-encryption means for receiving encrypted messages from said computing means and producing de-encrypted customer requests ;
a validity checking means coupled to said de-encryption means for receiving the de-encrypted customer requests and further configured to compare data contained in such requests against the key generation and distribution data contained in the customer database ;
and an encryption processor communicably attached to the validity checking means for encrypting messages prior to transmission on the Internet ;
and a plurality of merchant terminals coupled to said switch via the Internet .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (transmission channel) is further configured to carry out the filtering at an application layer of a network stack .
US5781632A
CLAIM 5
. A system for securely transmitting a customer request for goods and/or services over the Internet using unique customer specific encryption keys and associated customer numbers , said encryption keys delivered to a customer over a non-Internet transmission channel (filtering means) , the system comprising : a computing means running at least one application program for creating encrypted electronic messages using a customer's unique encryption key , said encrypted electronic messages containing the customer's encryption key , the customer's unique customer number and a customer request ;
an Internet access means coupled to said computing means ;
a switch configured to intercept said encrypted electronic messages , said switch communicably accessible to said computing means using said Internet access means , said switch comprising the following : a customer database containing a plurality of key generation and distribution data ;
a de-encryption means for receiving encrypted messages from said computing means and producing de-encrypted customer requests ;
a validity checking means coupled to said de-encryption means for receiving the de-encrypted customer requests and further configured to compare data contained in such requests against the key generation and distribution data contained in the customer database ;
and an encryption processor communicably attached to the validity checking means for encrypting messages prior to transmission on the Internet ;
and a plurality of merchant terminals coupled to said switch via the Internet .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9816044A1

Filed: 1997-10-06     Issued: 1998-04-16

Remote on-demand applications server

(Original Assignee) Mitel Corporation     

Rakesh Prasad
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9816044A1
CLAIM 1
. A remote on-demand applications server comprising a central multitasking computer , means for connecting said central computer to a public switched network so that remote client machines can gain access thereto by making a call over said network (NAD server) , storage means for storing applications programs available to users , means for monitoring incoming calls so as to grant access only to authorized users , means for monitoring the usage of individual users , and means for maintaining billing records pertaining to the usage of said individual users .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
WO9816044A1
CLAIM 1
. A remote on-demand applications server comprising a central multitasking computer , means for connecting said central computer to a public switched network so that remote client machines can gain access thereto by making a call over said network (NAD server) , storage means for storing applications programs available to users , means for monitoring incoming calls so as to grant access only to authorized users , means for monitoring the usage of individual users , and means for maintaining billing records pertaining to the usage of said individual users .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (public switched telephone network) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9816044A1
CLAIM 4
. A remote on-demand applications server as claimed in claim 2 , wherein said central multitasking computer is connected to a public switch to provide switched access thereto over the public switched telephone network (IP addresses) .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9818248A1

Filed: 1997-10-02     Issued: 1998-04-30

Outside access to computer resources through a firewall

(Original Assignee) International Business Machines Corporation; Ibm United Kingdom Limited     

Prashanth Jade, Victor Stuart Moore, Arun Mohan Rao, Glen Robert Walters
US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (readable storage medium) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9818248A1
CLAIM 7
. Tunnelling software stored on a computer-readable storage medium (storing instructions) for enabling data handling objects outside a firewall to establish data communication connections with data handling objects inside said firewall , said software comprising : inside and outside program segments intended to run on computers located respectively inside and outside said firewall , said computers interfacing between said firewall and said objects respectively inside and outside said firewall ;
said inside segment comprising : means for operating a said inside computer to create and maintain a table of trusted inside objects ;
and means for operating said inside computer in conjunction with said firewall to provide a copy of said table to said outside segment .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (communication protocol) .
WO9818248A1
CLAIM 4
. Tunnelling apparatus in accordance with claim 2 wherein : each entry (30) in said table of trusted objects consists of a first item of information identifying an object in said inside region , a second item of information identifying a data communication port assigned to the respective object , and a third item of information identifying a data communication protocol (network protocols) to be used for transmitting data through said port .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (communication protocol) is TCP/IP .
WO9818248A1
CLAIM 4
. Tunnelling apparatus in accordance with claim 2 wherein : each entry (30) in said table of trusted objects consists of a first item of information identifying an object in said inside region , a second item of information identifying a data communication port assigned to the respective object , and a third item of information identifying a data communication protocol (network protocols) to be used for transmitting data through said port .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
GB2317539A

Filed: 1997-09-17     Issued: 1998-03-25

Firewall for internet access

(Original Assignee) Secure Computing LLC     (Current Assignee) Secure Computing LLC

Edward B Stockwell, Alan E Klietz
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
GB2317539A
CLAIM 18
. A computer program (network protocol programs) product , comprising : a computer usable medium having computer readable program code embodied thereon , the computer readable program code , when executed , implementing on the computer a method of regulating the flow of internetwork connections through a firewall having a network protocol stack , wherein the network protocol stack includes an Internet Protocol (IP) layer , the method comprising the steps of : determining parameters characteristic of a connection request , wherein the parameters include a netelement parameter characteristic of where the connection request came from ;
generating a query , wherein the step of generating a query includes the step of adding the parameters to a query list ;
determining if there is a rule corresponding to the query ;
if there is a rule , determining if authentication is required by the rule ;
if authentication is required by the rule , executing an authentication protocol ;
and activating the connection if the authentication protocol is completed successfully .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (predefined time) with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (IP addresses) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
GB2317539A
CLAIM 5
. The method according to claim 1 wherein the netelement parameter identifies a group of IP addresses (IP addresses) .

GB2317539A
CLAIM 10
. The method according to claim 9 , wherein the method further comprises the steps of monitoring time of day ;
and closing connections at predefined time (electronic communication) s of the day .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (readable program) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
GB2317539A
CLAIM 18
. A computer program product , comprising : a computer usable medium having computer readable program (storing instructions) code embodied thereon , the computer readable program code , when executed , implementing on the computer a method of regulating the flow of internetwork connections through a firewall having a network protocol stack , wherein the network protocol stack includes an Internet Protocol (IP) layer , the method comprising the steps of : determining parameters characteristic of a connection request , wherein the parameters include a netelement parameter characteristic of where the connection request came from ;
generating a query , wherein the step of generating a query includes the step of adding the parameters to a query list ;
determining if there is a rule corresponding to the query ;
if there is a rule , determining if authentication is required by the rule ;
if authentication is required by the rule , executing an authentication protocol ;
and activating the connection if the authentication protocol is completed successfully .




US7739302B2
WO9814014A2

Filed: 1997-09-12     Issued: 1998-04-02

Reconfigurable network interface apparatus and method

(Original Assignee) Predacomm, Inc.     

Mark Andrew Collins
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9814014A2
CLAIM 14
. The method of Claim 12 including the steps of : (a) loading controller configuration instructions and transceiver configuration instructions from an external source (network destination) when the signal pattern monitored at the transceiver port does not match any of the network signal patterns in memory ;
and (b) loading bus configuration instructions from the external source when the signal pattern monitored at the bus port does not match any of the bus signal patterns in memory .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (determination means) .
WO9814014A2
CLAIM 3
. The apparatus of Claim 2 wherein the configuration control means includes : (a) bus type determination means (different operating systems, network clients having different operating systems) connected to the bus port for identifying the type of computer bus to which the bus adapter is connected ;
(b) wherein the memory means includes a non-volatile memory device for storing bus configuration instructions for a plurality of different bus architectures ;
and (c) a configuration controller connected to the device bus for directing bus configuration instructions from the non-volatile memory device to the bus configuration input in response to a bus type signal produced by the bus type determination means .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface) .
WO9814014A2
CLAIM 1
. A reconfigurable computer network interface (network interface) apparatus comprising : (a) a reconfigurable transceiver having a transceiver port associated therewith for operatively connecting with a transceiver connector of a media adapter , and further including a transceiver configuration input for receiving hardware and software transceiver configuration instructions , and a circuit array that is reconfigurable by the transceiver configuration instructions to communicate across the transceiver port in any one of a plurality of network hardware protocols ;
(b) a media adapter having a media connector for operatively connecting to a desired computer network communications medium , and further having the transceiver connector for operatively connecting to the transceiver port , the transceiver connector being in communication with the media connector for enabling data to be passed back and forth between the transceiver port and the communications medium to which the media connector is connected ;
(c) a reconfigurable bus interface having a bus port associated therewith , and further including a bus configuration input for receiving hardware and software bus configuration instructions , and a circuit array that is reconfigurable by the bus configuration instructions to communicate across the bus port in any one of a plurality of bus architecture protocols ;
(d) a bus adapter having a bus port connector for operatively connecting with the bus port associated with the reconfigurable bus interface , and also having a bus socket connector for operatively connecting to a socket of a particular computer bus type , the bus port connector and the bus socket connector being in communication for passing data back and forth between a computer bus to which the bus socket connector is connected and the bus port associated with the reconfigurable bus interface ;
(e) a device bus connected to the reconfigurable transceiver and the reconfigurable bus interface ;
(f) a reconfigurable controller connected to the device bus , the reconfigurable controller including a controller configuration input for receiving hardware and software controller configuration instructions , and further including a circuit array that is reconfigurable by the controller configuration instructions to communicate with the reconfigurable transceiver across the device bus in any one of a plurality of different network software protocols and to communicate with the reconfigurable bus interface across the device bus ;
(g) configuration control means connected to the reconfigurable transceiver , the reconfigurable controller , and reconfigurable bus interface for directing the transceiver configuration instructions to the transceiver configuration input , for directing the controller configuration instructions to the controller configuration input , and for directing the bus configuration instructions to the bus configuration input ;
and (h) memory means connected to the device bus for storing digital data .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9814014A2
CLAIM 14
. The method of Claim 12 including the steps of : (a) loading controller configuration instructions and transceiver configuration instructions from an external source (network destination) when the signal pattern monitored at the transceiver port does not match any of the network signal patterns in memory ;
and (b) loading bus configuration instructions from the external source when the signal pattern monitored at the bus port does not match any of the bus signal patterns in memory .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network interface) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9814014A2
CLAIM 14
. The method of Claim 12 including the steps of : (a) loading controller configuration instructions and transceiver configuration instructions from an external source (network destination) when the signal pattern monitored at the transceiver port does not match any of the network signal patterns in memory ;
and (b) loading bus configuration instructions from the external source when the signal pattern monitored at the bus port does not match any of the bus signal patterns in memory .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9814014A2
CLAIM 14
. The method of Claim 12 including the steps of : (a) loading controller configuration instructions and transceiver configuration instructions from an external source (network destination) when the signal pattern monitored at the transceiver port does not match any of the network signal patterns in memory ;
and (b) loading bus configuration instructions from the external source when the signal pattern monitored at the bus port does not match any of the bus signal patterns in memory .




US7739302B2
WO9826548A1

Filed: 1997-06-18     Issued: 1998-06-18

Automatic configuration for internet access device

(Original Assignee) Whistle Communications Corporation     

Jim Y. Li, Archie L. Cobbs, Paul D. Ozzello
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (Internet service provider) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (Internet service provider) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9826548A1
CLAIM 2
. A method as recited in claim 1 wherein said configuration server is located within a point of presence of an Internet service provider (network client, network access) .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests for network access (Internet service provider) to the NAD from a plurality of network clients having different operating systems .
WO9826548A1
CLAIM 2
. A method as recited in claim 1 wherein said configuration server is located within a point of presence of an Internet service provider (network client, network access) .

WO9826548A1
CLAIM 25
. A computer program (network protocol programs) product comprising a computer-usable medium having computer-readable program code embodied thereon for automatically configuring an access device for communication with a communications network , said access device being associated with a customer account identifier , said computer program product comprising computer-readable program code for effecting the following steps within a computer system : connecting said access device with a configuration server over a communications line ;
requesting that said configuration server return a configuration record identified by said customer account identifier , said configuration record containing configuration information for said access device ;
downloading said configuration record from said configuration server to said access device ;
and configuring said access device for communication with said communications network using said configuration information of said configuration record .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (Internet service provider) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
WO9826548A1
CLAIM 2
. A method as recited in claim 1 wherein said configuration server is located within a point of presence of an Internet service provider (network client, network access) .

US7739302B2
CLAIM 5
. A local area (local area) network arrangement comprising a network client (Internet service provider) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (Internet service provider) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (server address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9826548A1
CLAIM 2
. A method as recited in claim 1 wherein said configuration server is located within a point of presence of an Internet service provider (network client, network access) .

WO9826548A1
CLAIM 4
. A method as recited in any of claims 1 , 2 or 3 wherein said access device is connected to a local area (local area) network (LAN) and said step of configuring said access device includes the sub-step of configuring said LAN for communication with said communications network .

WO9826548A1
CLAIM 29
. An access device for use in communicating with an internet , said access device comprising : a central processing unit ;
a memory device coupled to said central processing unit ;
input means coupled to said central processing unit for inputting information from a user ;
output means coupled to said central processing unit for presenting information to a user ;
a communication means for communicating with said internet using a dynamic address of said access device , said communication means able to access and communicate with said internet without receiving configuration information from said internet ;
and automatic configuration means for providing a configuration server address (IP addresses) and a customer account identifier and for automatically retrieving configuration information associated with said customer account identifier from a configuration server located on said internet at said configuration server address , said automatic configuration means being arranged to configure said access device using said configuration information such that said access device is configured using a static address included in said configuration information and said communication means is then arranged to access and communicate with said internet using said static address as an address of said access device .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access (Internet service provider) to the NAD .
WO9826548A1
CLAIM 2
. A method as recited in claim 1 wherein said configuration server is located within a point of presence of an Internet service provider (network client, network access) .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (Internet service provider) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9826548A1
CLAIM 2
. A method as recited in claim 1 wherein said configuration server is located within a point of presence of an Internet service provider (network client, network access) .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (Internet service provider) to the NAD is only available through the server .
WO9826548A1
CLAIM 2
. A method as recited in claim 1 wherein said configuration server is located within a point of presence of an Internet service provider (network client, network access) .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (following steps) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (readable program) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (Internet service provider) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9826548A1
CLAIM 2
. A method as recited in claim 1 wherein said configuration server is located within a point of presence of an Internet service provider (network client, network access) .

WO9826548A1
CLAIM 25
. A computer program product comprising a computer-usable medium having computer-readable program (storing instructions) code embodied thereon for automatically configuring an access device for communication with a communications network , said access device being associated with a customer account identifier , said computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within a computer system : connecting said access device with a configuration server over a communications line ;
requesting that said configuration server return a configuration record identified by said customer account identifier , said configuration record containing configuration information for said access device ;
downloading said configuration record from said configuration server to said access device ;
and configuring said access device for communication with said communications network using said configuration information of said configuration record .

WO9826548A1
CLAIM 29
. An access device for use in communicating with an internet , said access device comprising : a central processing unit (processing unit) ;
a memory device coupled to said central processing unit ;
input means coupled to said central processing unit for inputting information from a user ;
output means coupled to said central processing unit for presenting information to a user ;
a communication means for communicating with said internet using a dynamic address of said access device , said communication means able to access and communicate with said internet without receiving configuration information from said internet ;
and automatic configuration means for providing a configuration server address and a customer account identifier and for automatically retrieving configuration information associated with said customer account identifier from a configuration server located on said internet at said configuration server address , said automatic configuration means being arranged to configure said access device using said configuration information such that said access device is configured using a static address included in said configuration information and said communication means is then arranged to access and communicate with said internet using said static address as an address of said access device .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
WO9826548A1
CLAIM 29
. An access device for use in communicating with an internet , said access device comprising : a central processing unit (processing unit) ;
a memory device coupled to said central processing unit ;
input means coupled to said central processing unit for inputting information from a user ;
output means coupled to said central processing unit for presenting information to a user ;
a communication means for communicating with said internet using a dynamic address of said access device , said communication means able to access and communicate with said internet without receiving configuration information from said internet ;
and automatic configuration means for providing a configuration server address and a customer account identifier and for automatically retrieving configuration information associated with said customer account identifier from a configuration server located on said internet at said configuration server address , said automatic configuration means being arranged to configure said access device using said configuration information such that said access device is configured using a static address included in said configuration information and said communication means is then arranged to access and communicate with said internet using said static address as an address of said access device .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
WO9826548A1
CLAIM 29
. An access device for use in communicating with an internet , said access device comprising : a central processing unit (processing unit) ;
a memory device coupled to said central processing unit ;
input means coupled to said central processing unit for inputting information from a user ;
output means coupled to said central processing unit for presenting information to a user ;
a communication means for communicating with said internet using a dynamic address of said access device , said communication means able to access and communicate with said internet without receiving configuration information from said internet ;
and automatic configuration means for providing a configuration server address and a customer account identifier and for automatically retrieving configuration information associated with said customer account identifier from a configuration server located on said internet at said configuration server address , said automatic configuration means being arranged to configure said access device using said configuration information such that said access device is configured using a static address included in said configuration information and said communication means is then arranged to access and communicate with said internet using said static address as an address of said access device .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
WO9826548A1
CLAIM 29
. An access device for use in communicating with an internet , said access device comprising : a central processing unit (processing unit) ;
a memory device coupled to said central processing unit ;
input means coupled to said central processing unit for inputting information from a user ;
output means coupled to said central processing unit for presenting information to a user ;
a communication means for communicating with said internet using a dynamic address of said access device , said communication means able to access and communicate with said internet without receiving configuration information from said internet ;
and automatic configuration means for providing a configuration server address and a customer account identifier and for automatically retrieving configuration information associated with said customer account identifier from a configuration server located on said internet at said configuration server address , said automatic configuration means being arranged to configure said access device using said configuration information such that said access device is configured using a static address included in said configuration information and said communication means is then arranged to access and communicate with said internet using said static address as an address of said access device .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps) .
WO9826548A1
CLAIM 25
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for automatically configuring an access device for communication with a communications network , said access device being associated with a customer account identifier , said computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within a computer system : connecting said access device with a configuration server over a communications line ;
requesting that said configuration server return a configuration record identified by said customer account identifier , said configuration record containing configuration information for said access device ;
downloading said configuration record from said configuration server to said access device ;
and configuring said access device for communication with said communications network using said configuration information of said configuration record .

WO9826548A1
CLAIM 29
. An access device for use in communicating with an internet , said access device comprising : a central processing unit (processing unit) ;
a memory device coupled to said central processing unit ;
input means coupled to said central processing unit for inputting information from a user ;
output means coupled to said central processing unit for presenting information to a user ;
a communication means for communicating with said internet using a dynamic address of said access device , said communication means able to access and communicate with said internet without receiving configuration information from said internet ;
and automatic configuration means for providing a configuration server address and a customer account identifier and for automatically retrieving configuration information associated with said customer account identifier from a configuration server located on said internet at said configuration server address , said automatic configuration means being arranged to configure said access device using said configuration information such that said access device is configured using a static address included in said configuration information and said communication means is then arranged to access and communicate with said internet using said static address as an address of said access device .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps) comprises a SCSI interface .
WO9826548A1
CLAIM 25
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for automatically configuring an access device for communication with a communications network , said access device being associated with a customer account identifier , said computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within a computer system : connecting said access device with a configuration server over a communications line ;
requesting that said configuration server return a configuration record identified by said customer account identifier , said configuration record containing configuration information for said access device ;
downloading said configuration record from said configuration server to said access device ;
and configuring said access device for communication with said communications network using said configuration information of said configuration record .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps) , and a video codec .
WO9826548A1
CLAIM 25
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for automatically configuring an access device for communication with a communications network , said access device being associated with a customer account identifier , said computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within a computer system : connecting said access device with a configuration server over a communications line ;
requesting that said configuration server return a configuration record identified by said customer account identifier , said configuration record containing configuration information for said access device ;
downloading said configuration record from said configuration server to said access device ;
and configuring said access device for communication with said communications network using said configuration information of said configuration record .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (following steps) if the request is allowed .
WO9826548A1
CLAIM 25
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for automatically configuring an access device for communication with a communications network , said access device being associated with a customer account identifier , said computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within a computer system : connecting said access device with a configuration server over a communications line ;
requesting that said configuration server return a configuration record identified by said customer account identifier , said configuration record containing configuration information for said access device ;
downloading said configuration record from said configuration server to said access device ;
and configuring said access device for communication with said communications network using said configuration information of said configuration record .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps) , and a video codec .
WO9826548A1
CLAIM 25
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for automatically configuring an access device for communication with a communications network , said access device being associated with a customer account identifier , said computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within a computer system : connecting said access device with a configuration server over a communications line ;
requesting that said configuration server return a configuration record identified by said customer account identifier , said configuration record containing configuration information for said access device ;
downloading said configuration record from said configuration server to said access device ;
and configuring said access device for communication with said communications network using said configuration information of said configuration record .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9749038A1

Filed: 1997-06-18     Issued: 1997-12-24

Policy caching method and apparatus for use in a communication device

(Original Assignee) Storage Technology Corporation     

James P. Hughes, Steve A. Olson
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (transport protocol) and at least one network attached device (NAD) residing on a same network ;

a NAD server (first receiving unit) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9749038A1
CLAIM 1
. A policy caching method for use in a communication device , comprising steps of : determining an instance of protocol data unit (PDU) network policy from a plurality of policies to be applied to related-received PDUs based on contents of one of the related-received PDUs ;
and caching policy identification information (network destination) identifying the instance of PDU policy which is to be applied to other PDUs of the related-received PDUs .

WO9749038A1
CLAIM 7
. The policy caching method of claim 4 further comprising a step of grouping together a subset of PDUs from the stream of PDUs as the related-received PDUs based on selection criteria selected from a group consisting of : (a) the stream of PDUs comprising a stream of cells and the related-received PDUs comprising cells of a particular packet ;
(b) the stream of PDUs comprising PDUs from the stream of PDUs having identical circuit numbers ; (c) the stream of PDUs comprising packets in a series of frames and the related-received PDUs comprising a number of the packets ;
(d) the related-received PDUs comprising PDUs from the stream of PDUs having identical source addresses ; (e) the related-received PDUs comprising PDUs from the stream of PDUs having identical destination addresses ;
(f) the related-received PDUs comprising PDUs from the stream of PDUs having identical source ports on a communication interface ;
(g) the related-received PDUs comprising PDUs from the stream of PDUs having identical destination ports on a communication interface ;
(h) the related-received PDUs comprising PDUs from the stream of PDUs having identical network protocols ;
(i) the related-received PDUs comprising PDUs from the stream of PDUs having identical transport protocols (network client) ;
(j) the related-received PDUs comprising PDUs from the stream of PDUs having identical security options ;
and (k) the related-received PDUs comprising PDUs from the stream of PDUs having identical contents in any PDU field .

WO9749038A1
CLAIM 30
. The communication device of claim 27 wherein the data stream processing means comprises a first receiving unit (NAD server) which receives a first stream of PDUs from an upstream communication link and a second receiving unit which receives a second stream of PDUs from a downstream communication link , only one of the first and the second streams of PDUs includes the related-received PDUs upon which network policy is to be determined , the data stream processing means further comprises enforcement means for performing the instance of network policy by filtering or auditing one of the first and the second stream of PDUs into a policy-enforced stream of PDUs such that instances of network policy are enforced in the upstream and downstream communication links .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (first receiving unit) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
WO9749038A1
CLAIM 30
. The communication device of claim 27 wherein the data stream processing means comprises a first receiving unit (NAD server) which receives a first stream of PDUs from an upstream communication link and a second receiving unit which receives a second stream of PDUs from a downstream communication link , only one of the first and the second streams of PDUs includes the related-received PDUs upon which network policy is to be determined , the data stream processing means further comprises enforcement means for performing the instance of network policy by filtering or auditing one of the first and the second stream of PDUs into a policy-enforced stream of PDUs such that instances of network policy are enforced in the upstream and downstream communication links .

US7739302B2
CLAIM 3
. The network arrangement of claim 1 , wherein the computer-executable instructions comprise distributed program modules (sending means) .
WO9749038A1
CLAIM 29
. The communication device of claim 28 wherein the data stream processing means further comprises sending means (program modules) , operatively coupled to the enforcement means , for sending the policy-enforced stream of PDUs out of the communication device as the output data stream of PDUs .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (transport protocol) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (public switched telephone network, transmission control protocol, destination address, private network, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9749038A1
CLAIM 5
. The policy caching method of claim 4 wherein the communication link is selected from a group consisting of : an asynchronous transfer mode (ATM) network , a synchronous optical network (SONET) , fiber distributed data interchange (FDDI) network , a frame relay network , Ethernet , 100-Mbps Ethernet , gigabit Ethernet , high performance parallel interface (HIPPI) , Fibre Channel , switched multimegabit data service (SMDS) , X.25 network , integrated services digital network (ISDN) , token ring , public switched telephone network (IP addresses) (PSTN) , a cable modem network , a serial interface , a parallel interface , and a computer bus .

WO9749038A1
CLAIM 6
. The policy caching method of claim 4 wherein the communication link utilizes a network signaling protocol selected from a group consisting of : transmission control protocol (IP addresses) /internet protocol (TCP/IP) , AppleTalk , DECNet , system network architecture (SNA) , private network (IP addresses) node interface (PNNI) , user-network interface (UNI) , simple protocol for asynchronous transfer mode network signaling (SPANS) , interim local management interface (ILMI) , and operations administration and maintenance (OAM) interface .

WO9749038A1
CLAIM 7
. The policy caching method of claim 4 further comprising a step of grouping together a subset of PDUs from the stream of PDUs as the related-received PDUs based on selection criteria selected from a group consisting of : (a) the stream of PDUs comprising a stream of cells and the related-received PDUs comprising cells of a particular packet ;
(b) the stream of PDUs comprising PDUs from the stream of PDUs having identical circuit numbers ; (c) the stream of PDUs comprising packets in a series of frames and the related-received PDUs comprising a number of the packets ;
(d) the related-received PDUs comprising PDUs from the stream of PDUs having identical source addresses (IP addresses) ; (e) the related-received PDUs comprising PDUs from the stream of PDUs having identical destination addresses (IP addresses) ;
(f) the related-received PDUs comprising PDUs from the stream of PDUs having identical source ports on a communication interface ;
(g) the related-received PDUs comprising PDUs from the stream of PDUs having identical destination ports on a communication interface ;
(h) the related-received PDUs comprising PDUs from the stream of PDUs having identical network protocols ;
(i) the related-received PDUs comprising PDUs from the stream of PDUs having identical transport protocols (network client) ;
(j) the related-received PDUs comprising PDUs from the stream of PDUs having identical security options ;
and (k) the related-received PDUs comprising PDUs from the stream of PDUs having identical contents in any PDU field .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface) .
WO9749038A1
CLAIM 6
. The policy caching method of claim 4 wherein the communication link utilizes a network signaling protocol selected from a group consisting of : transmission control protocol/internet protocol (TCP/IP) , AppleTalk , DECNet , system network architecture (SNA) , private network node interface (PNNI) , user-network interface (network interface) (UNI) , simple protocol for asynchronous transfer mode network signaling (SPANS) , interim local management interface (ILMI) , and operations administration and maintenance (OAM) interface .

US7739302B2
CLAIM 10
. A system for managing access (system network) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9749038A1
CLAIM 1
. A policy caching method for use in a communication device , comprising steps of : determining an instance of protocol data unit (PDU) network policy from a plurality of policies to be applied to related-received PDUs based on contents of one of the related-received PDUs ;
and caching policy identification information (network destination) identifying the instance of PDU policy which is to be applied to other PDUs of the related-received PDUs .

WO9749038A1
CLAIM 6
. The policy caching method of claim 4 wherein the communication link utilizes a network signaling protocol selected from a group consisting of : transmission control protocol/internet protocol (TCP/IP) , AppleTalk , DECNet , system network (managing access) architecture (SNA) , private network node interface (PNNI) , user-network interface (UNI) , simple protocol for asynchronous transfer mode network signaling (SPANS) , interim local management interface (ILMI) , and operations administration and maintenance (OAM) interface .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network interface) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9749038A1
CLAIM 1
. A policy caching method for use in a communication device , comprising steps of : determining an instance of protocol data unit (PDU) network policy from a plurality of policies to be applied to related-received PDUs based on contents of one of the related-received PDUs ;
and caching policy identification information (network destination) identifying the instance of PDU policy which is to be applied to other PDUs of the related-received PDUs .

WO9749038A1
CLAIM 6
. The policy caching method of claim 4 wherein the communication link utilizes a network signaling protocol selected from a group consisting of : transmission control protocol/internet protocol (TCP/IP) , AppleTalk , DECNet , system network architecture (SNA) , private network node interface (PNNI) , user-network interface (network interface) (UNI) , simple protocol for asynchronous transfer mode network signaling (SPANS) , interim local management interface (ILMI) , and operations administration and maintenance (OAM) interface .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface) .
WO9749038A1
CLAIM 6
. The policy caching method of claim 4 wherein the communication link utilizes a network signaling protocol selected from a group consisting of : transmission control protocol/internet protocol (TCP/IP) , AppleTalk , DECNet , system network architecture (SNA) , private network node interface (PNNI) , user-network interface (network interface) (UNI) , simple protocol for asynchronous transfer mode network signaling (SPANS) , interim local management interface (ILMI) , and operations administration and maintenance (OAM) interface .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (network device) device , the selectively generated packet containing the request for access to the directly attached device .
WO9749038A1
CLAIM 9
. The policy caching method of claim 1 wherein the communication device is selected from a group consisting of : a data network device (intermediary computing) , a computer , a monitoring device , a switch , a router , a bridge , and

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (network protocols) .
WO9749038A1
CLAIM 7
. The policy caching method of claim 4 further comprising a step of grouping together a subset of PDUs from the stream of PDUs as the related-received PDUs based on selection criteria selected from a group consisting of : (a) the stream of PDUs comprising a stream of cells and the related-received PDUs comprising cells of a particular packet ;
(b) the stream of PDUs comprising PDUs from the stream of PDUs having identical circuit numbers ; (c) the stream of PDUs comprising packets in a series of frames and the related-received PDUs comprising a number of the packets ;
(d) the related-received PDUs comprising PDUs from the stream of PDUs having identical source addresses ; (e) the related-received PDUs comprising PDUs from the stream of PDUs having identical destination addresses ;
(f) the related-received PDUs comprising PDUs from the stream of PDUs having identical source ports on a communication interface ;
(g) the related-received PDUs comprising PDUs from the stream of PDUs having identical destination ports on a communication interface ;
(h) the related-received PDUs comprising PDUs from the stream of PDUs having identical network protocols (network protocols) ;
(i) the related-received PDUs comprising PDUs from the stream of PDUs having identical transport protocols ;
(j) the related-received PDUs comprising PDUs from the stream of PDUs having identical security options ;
and (k) the related-received PDUs comprising PDUs from the stream of PDUs having identical contents in any PDU field .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (network protocols) is TCP/IP .
WO9749038A1
CLAIM 7
. The policy caching method of claim 4 further comprising a step of grouping together a subset of PDUs from the stream of PDUs as the related-received PDUs based on selection criteria selected from a group consisting of : (a) the stream of PDUs comprising a stream of cells and the related-received PDUs comprising cells of a particular packet ;
(b) the stream of PDUs comprising PDUs from the stream of PDUs having identical circuit numbers ; (c) the stream of PDUs comprising packets in a series of frames and the related-received PDUs comprising a number of the packets ;
(d) the related-received PDUs comprising PDUs from the stream of PDUs having identical source addresses ; (e) the related-received PDUs comprising PDUs from the stream of PDUs having identical destination addresses ;
(f) the related-received PDUs comprising PDUs from the stream of PDUs having identical source ports on a communication interface ;
(g) the related-received PDUs comprising PDUs from the stream of PDUs having identical destination ports on a communication interface ;
(h) the related-received PDUs comprising PDUs from the stream of PDUs having identical network protocols (network protocols) ;
(i) the related-received PDUs comprising PDUs from the stream of PDUs having identical transport protocols ;
(j) the related-received PDUs comprising PDUs from the stream of PDUs having identical security options ;
and (k) the related-received PDUs comprising PDUs from the stream of PDUs having identical contents in any PDU field .

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
WO9749038A1
CLAIM 1
A policy caching method for use in a communication device, comprising steps of: determining an instance of protocol data unit (PDU) network policy from a plurality of policies to be applied to related-received PDUs based on contents of one of the related-received PDUs;
and caching policy identification information (network destination) identifying the instance of PDU policy which is to be applied to other PDUs of the related-received PDUs.

US7739302B2
CLAIM 23
The apparatus of claim 22 further comprising means for managing access (system network) to the NAD over a device interface if the request is allowed.
WO9749038A1
CLAIM 6
The policy caching method of claim 4 wherein the communication link utilizes a network signaling protocol selected from a group consisting of: transmission control protocol/internet protocol (TCP/IP), AppleTalk, DECNet, system network (managing access) architecture (SNA), private network node interface (PNNI), user-network interface (UNI), simple protocol for asynchronous transfer mode network signaling (SPANS), interim local management interface (ILMI), and operations administration and maintenance (OAM) interface.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9727546A1

Filed: 1997-01-24     Issued: 1997-07-31

System and method for transmission of data

(Original Assignee) Ex Machina, Inc.     

John M. Payne, Tim Von Kaenel, Jeffrey Wang, Jeffrey Odell, Jason Katz, David Starr
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet (said transmission, data packet) for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
WO9727546A1
CLAIM 1
A method for transmitting data to selected remote computing devices, comprising the steps of: transmitting data from an information (network destination) source to a central broadcast server;
preprocessing said data at said central broadcast server;
transmitting preprocessed data to remote receivers communicating with said computing devices;
and instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off.

WO9727546A1
CLAIM 20
The method claimed in claim 1, wherein said step of preprocessing said data at said central broadcast server further comprises the step of: deriving redundant data packets (data packet) for transmission to said user.

WO9727546A1
CLAIM 37
The method claimed in claim 1, wherein said step of instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off, further comprises the steps of: monitoring said transmissions (data packet) utilizing multiple viewers;
filtering said transmitted preprocessed data;
post processing said preprocessed data;
and notifying said user instantaneously of receipt of filtered postprocessed data.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said transmission, data packet) containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
WO9727546A1
CLAIM 20
The method claimed in claim 1, wherein said step of preprocessing said data at said central broadcast server further comprises the step of: deriving redundant data packets (data packet) for transmission to said user.

WO9727546A1
CLAIM 37
The method claimed in claim 1, wherein said step of instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off, further comprises the steps of: monitoring said transmissions (data packet) utilizing multiple viewers;
filtering said transmitted preprocessed data;
post processing said preprocessed data;
and notifying said user instantaneously of receipt of filtered postprocessed data.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet (said transmission, data packet) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
WO9727546A1
CLAIM 20
The method claimed in claim 1, wherein said step of preprocessing said data at said central broadcast server further comprises the step of: deriving redundant data packets (data packet) for transmission to said user.

WO9727546A1
CLAIM 37
The method claimed in claim 1, wherein said step of instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off, further comprises the steps of: monitoring said transmissions (data packet) utilizing multiple viewers;
filtering said transmitted preprocessed data;
post processing said preprocessed data;
and notifying said user instantaneously of receipt of filtered postprocessed data.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said transmission, data packet) arrived via an authorized network interface.
WO9727546A1
CLAIM 20
The method claimed in claim 1, wherein said step of preprocessing said data at said central broadcast server further comprises the step of: deriving redundant data packets (data packet) for transmission to said user.

WO9727546A1
CLAIM 37
The method claimed in claim 1, wherein said step of instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off, further comprises the steps of: monitoring said transmissions (data packet) utilizing multiple viewers;
filtering said transmitted preprocessed data;
post processing said preprocessed data;
and notifying said user instantaneously of receipt of filtered postprocessed data.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet (said transmission, data packet) to the proper port;

and at the proper port, provide the requested network access to the NAD.
WO9727546A1
CLAIM 20
The method claimed in claim 1, wherein said step of preprocessing said data at said central broadcast server further comprises the step of: deriving redundant data packets (data packet) for transmission to said user.

WO9727546A1
CLAIM 37
The method claimed in claim 1, wherein said step of instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off, further comprises the steps of: monitoring said transmissions (data packet) utilizing multiple viewers;
filtering said transmitted preprocessed data;
post processing said preprocessed data;
and notifying said user instantaneously of receipt of filtered postprocessed data.

US7739302B2
CLAIM 10
A system for managing access (virtual address) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said transmission, data packet) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
WO9727546A1
CLAIM 1
A method for transmitting data to selected remote computing devices, comprising the steps of: transmitting data from an information (network destination) source to a central broadcast server;
preprocessing said data at said central broadcast server;
transmitting preprocessed data to remote receivers communicating with said computing devices;
and instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off.

WO9727546A1
CLAIM 20
The method claimed in claim 1, wherein said step of preprocessing said data at said central broadcast server further comprises the step of: deriving redundant data packets (data packet) for transmission to said user.

WO9727546A1
CLAIM 37
The method claimed in claim 1, wherein said step of instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off, further comprises the steps of: monitoring said transmissions (data packet) utilizing multiple viewers;
filtering said transmitted preprocessed data;
post processing said preprocessed data;
and notifying said user instantaneously of receipt of filtered postprocessed data.

WO9727546A1
CLAIM 40
The method claimed in claim 37, wherein said step of filtering said transmitted preprocessed data further comprises the step of: filtering said preprocessed data in accordance with virtual addresses (managing access).

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said transmission, data packet) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
WO9727546A1
CLAIM 1
A method for transmitting data to selected remote computing devices, comprising the steps of: transmitting data from an information (network destination) source to a central broadcast server;
preprocessing said data at said central broadcast server;
transmitting preprocessed data to remote receivers communicating with said computing devices;
and instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off.

WO9727546A1
CLAIM 20
The method claimed in claim 1, wherein said step of preprocessing said data at said central broadcast server further comprises the step of: deriving redundant data packets (data packet) for transmission to said user.

WO9727546A1
CLAIM 37
The method claimed in claim 1, wherein said step of instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off, further comprises the steps of: monitoring said transmissions (data packet) utilizing multiple viewers;
filtering said transmitted preprocessed data;
post processing said preprocessed data;
and notifying said user instantaneously of receipt of filtered postprocessed data.

US7739302B2
CLAIM 20
The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (new data).
WO9727546A1
CLAIM 18
The method claimed in claim 17, wherein said step of providing a dockable user interface alert panel on a display communicating with computing device for providing alerts to said user, further comprises the step of: displaying fly-in graphics and icon buttons to alert said user that new data (SCSI interface) has been received by said computing device.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet (said transmission, data packet), the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means (filtering means) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
WO9727546A1
CLAIM 1
A method for transmitting data to selected remote computing devices, comprising the steps of: transmitting data from an information (network destination) source to a central broadcast server;
preprocessing said data at said central broadcast server;
transmitting preprocessed data to remote receivers communicating with said computing devices;
and instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off.

WO9727546A1
CLAIM 20
The method claimed in claim 1, wherein said step of preprocessing said data at said central broadcast server further comprises the step of: deriving redundant data packets (data packet) for transmission to said user.

WO9727546A1
CLAIM 37
The method claimed in claim 1, wherein said step of instantaneously notifying said computing devices of receipt of said preprocessed data whether said computing devices are on or off, further comprises the steps of: monitoring said transmissions (data packet) utilizing multiple viewers;
filtering said transmitted preprocessed data;
post processing said preprocessed data;
and notifying said user instantaneously of receipt of filtered postprocessed data.

WO9727546A1
CLAIM 55
The method claimed in claim 54, further comprising the step of: storing entries in a viewer server connected to said viewer;
and providing filtering means (filtering means) for filtering particular types of messages a viewer can look at.

US7739302B2
CLAIM 23
The apparatus of claim 22 further comprising means for managing access (virtual address) to the NAD over a device interface if the request is allowed.
WO9727546A1
CLAIM 40
The method claimed in claim 37, wherein said step of filtering said transmitted preprocessed data further comprises the step of: filtering said preprocessed data in accordance with virtual addresses (managing access).

US7739302B2
CLAIM 24
The apparatus of claim 23, wherein the managing means is further configured to manage access over a SCSI interface (new data).
WO9727546A1
CLAIM 18
The method claimed in claim 17, wherein said step of providing a dockable user interface alert panel on a display communicating with computing device for providing alerts to said user, further comprises the step of: displaying fly-in graphics and icon buttons to alert said user that new data (SCSI interface) has been received by said computing device.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means (filtering means) is further configured to carry out the filtering at an application layer of a network stack (required number).
WO9727546A1
CLAIM 25
The method claimed in claim 24, wherein said step of assembling a data block from said code words further comprises the step of: counting the number of code words which have errors;
determining whether each packet has any errors;
saving packets without error;
discarding packets with at least one error;
and assembling a message when the required number (network stack) of packets has been received.

WO9727546A1
CLAIM 55
The method claimed in claim 54, further comprising the step of: storing entries in a viewer server connected to said viewer;
and providing filtering means (filtering means) for filtering particular types of messages a viewer can look at.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9726734A1

Filed: 1997-01-16     Issued: 1997-07-24

Transferring encrypted packets over a public network

(Original Assignee) Raptor Systems, Inc.     

Alan J. Kirby, Jeffrey A. Kraemer, Ashok P. Nadkarni
US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (virtual network) contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
WO9726734A1
CLAIM 5
The method of claim 4, wherein the field corresponds to a virtual network (IP addresses) tunnel.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface).
WO9726734A1
CLAIM 1
A method of handling network packets, comprising: receiving encrypted network packets from the network at a network interface (network interface) computer;
and passing the encrypted network packets to a computer on an internal network.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface (network interface) coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
WO9726734A1
CLAIM 1
A method of handling network packets, comprising: receiving encrypted network packets from the network at a network interface (network interface) computer;
and passing the encrypted network packets to a computer on an internal network.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface).
WO9726734A1
CLAIM 1
A method of handling network packets, comprising: receiving encrypted network packets from the network at a network interface (network interface) computer;
and passing the encrypted network packets to a computer on an internal network.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9726735A1

Filed: 1997-01-16     Issued: 1997-07-24

Key management for network communication

(Original Assignee) Raptor Systems, Inc.     

Roger H. Levesque, Jeffrey A. Kraemer, Ashok P. Nadkarni
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet (network packets) for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
WO9726735A1
CLAIM 1
A method for enabling computers to communicate using encrypted network packets (data packet), comprising: sending a configuration request over a network from a first computer to a second computer;
and sending tunnel record information over the network from the second computer to the first computer, the tunnel record information being encrypted in accordance with a temporary configuration password.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (network packets) containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
WO9726735A1
CLAIM 1
A method for enabling computers to communicate using encrypted network packets (data packet), comprising: sending a configuration request over a network from a first computer to a second computer;
and sending tunnel record information over the network from the second computer to the first computer, the tunnel record information being encrypted in accordance with a temporary configuration password.

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (network packets) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (network address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9726735A1
CLAIM 1
. A method for enabling computers to communicate using encrypted network packets (data packet) , comprising : sending a configuration request over a network from a first computer to a second computer ;
and sending tunnel record information over the network from the second computer to the first computer , the tunnel record information being encrypted in accordance with a temporary configuration password .

WO9726735A1
CLAIM 6
. A method for updating a tunnel record , comprising : sending a connection request from a first computer to a second computer ;
authorizing the first computer ;
and updating a tunnel record corresponding to the connection request with the first computer's network address (IP addresses) .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (network packets) arrived via an authorized network interface .
WO9726735A1
CLAIM 1
. A method for enabling computers to communicate using encrypted network packets (data packet) , comprising : sending a configuration request over a network from a first computer to a second computer ;
and sending tunnel record information over the network from the second computer to the first computer , the tunnel record information being encrypted in accordance with a temporary configuration password .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (network packets) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
WO9726735A1
CLAIM 1
. A method for enabling computers to communicate using encrypted network packets (data packet) , comprising : sending a configuration request over a network from a first computer to a second computer ;
and sending tunnel record information over the network from the second computer to the first computer , the tunnel record information being encrypted in accordance with a temporary configuration password .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (network packets) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9726735A1
CLAIM 1
. A method for enabling computers to communicate using encrypted network packets (data packet) , comprising : sending a configuration request over a network from a first computer to a second computer ;
and sending tunnel record information over the network from the second computer to the first computer , the tunnel record information being encrypted in accordance with a temporary configuration password .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (network packets) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9726735A1
CLAIM 1
. A method for enabling computers to communicate using encrypted network packets (data packet) , comprising : sending a configuration request over a network from a first computer to a second computer ;
and sending tunnel record information over the network from the second computer to the first computer , the tunnel record information being encrypted in accordance with a temporary configuration password .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (network packets) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9726735A1
CLAIM 1
. A method for enabling computers to communicate using encrypted network packets (data packet) , comprising : sending a configuration request over a network from a first computer to a second computer ;
and sending tunnel record information over the network from the second computer to the first computer , the tunnel record information being encrypted in accordance with a temporary configuration password .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9724841A2

Filed: 1996-12-18     Issued: 1997-07-10

Datagram transmission over virtual circuits

(Original Assignee) Cisco Systems, Inc.     

David R. Cheriton, Andreas V. Bechtolsheim
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (output ports, flow rate) for network access (processing step) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (forwarding data) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9724841A2
CLAIM 5
. In a network device that processes datagram packets , a method for selecting the processing steps (network access, providing network access) to be applied to a datagram packet , said method comprising the steps of : determining from the source-destination address pair contained in the datagram packet a virtual path record comprising specifications for processing the datagram packet ;
and processing the datagram packet according to the processing steps associated with said virtual path record .

WO9724841A2
CLAIM 13
. The method of Claim 1 wherein the step of processing the datagram packets comprises an action chosen from the group consisting of : dropping the packet , buffering the packet , forwarding the packet to an output port , forwarding the packet to a multiplicity of output ports (data packet) , forwarding a copy of the packet to another network device , and generating a response back to the sender of the packet .

WO9724841A2
CLAIM 44
. The method of Claim 38 wherein specifying the processing includes monitoring the rate of flows of datagram packets and taking one of several actions as a function of the flow rate (data packet) .

WO9724841A2
CLAIM 49
. In a network device that processes datagram packets , a method for forwarding datagram packets (network destination) , said method comprising the steps of : determining from the source-destination address pair contained in each datagram packet a virtual path record comprising specifications for forwarding the datagram packet ;
and forwarding each datagram packet according to the specifications in said virtual path record .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (processing step) to the NAD from a plurality of network clients having different operating systems .
WO9724841A2
CLAIM 5
. In a network device that processes datagram packets , a method for selecting the processing steps (network access, providing network access) to be applied to a datagram packet , said method comprising the steps of : determining from the source-destination address pair contained in the datagram packet a virtual path record comprising specifications for processing the datagram packet ;
and processing the datagram packet according to the processing steps associated with said virtual path record .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (processing step) to the NAD is authorized comprises determining whether information in the header of a received data packet (output ports, flow rate) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
WO9724841A2
CLAIM 5
. In a network device that processes datagram packets , a method for selecting the processing steps (network access, providing network access) to be applied to a datagram packet , said method comprising the steps of : determining from the source-destination address pair contained in the datagram packet a virtual path record comprising specifications for processing the datagram packet ;
and processing the datagram packet according to the processing steps associated with said virtual path record .

WO9724841A2
CLAIM 13
. The method of Claim 1 wherein the step of processing the datagram packets comprises an action chosen from the group consisting of : dropping the packet , buffering the packet , forwarding the packet to an output port , forwarding the packet to a multiplicity of output ports (data packet) , forwarding a copy of the packet to another network device , and generating a response back to the sender of the packet .

WO9724841A2
CLAIM 44
. The method of Claim 38 wherein specifying the processing includes monitoring the rate of flows of datagram packets and taking one of several actions as a function of the flow rate (data packet) .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (processing step) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (output ports, flow rate) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9724841A2
CLAIM 5
. In a network device that processes datagram packets , a method for selecting the processing steps (network access, providing network access) to be applied to a datagram packet , said method comprising the steps of : determining from the source-destination address pair contained in the datagram packet a virtual path record comprising specifications for processing the datagram packet ;
and processing the datagram packet according to the processing steps associated with said virtual path record .

WO9724841A2
CLAIM 12
. The method of Claim 1 wherein the datagram packet is of the type commonly known as an Ethernet datagram packet and wherein the source address (IP addresses) is the Ethernet packet source address field and the destination address is the Ethernet packet destination address field .

WO9724841A2
CLAIM 13
. The method of Claim 1 wherein the step of processing the datagram packets comprises an action chosen from the group consisting of : dropping the packet , buffering the packet , forwarding the packet to an output port , forwarding the packet to a multiplicity of output ports (data packet) , forwarding a copy of the packet to another network device , and generating a response back to the sender of the packet .

WO9724841A2
CLAIM 44
. The method of Claim 38 wherein specifying the processing includes monitoring the rate of flows of datagram packets and taking one of several actions as a function of the flow rate (data packet) .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (output ports, flow rate) arrived via an authorized network interface .
WO9724841A2
CLAIM 13
. The method of Claim 1 wherein the step of processing the datagram packets comprises an action chosen from the group consisting of : dropping the packet , buffering the packet , forwarding the packet to an output port , forwarding the packet to a multiplicity of output ports (data packet) , forwarding a copy of the packet to another network device , and generating a response back to the sender of the packet .

WO9724841A2
CLAIM 44
. The method of Claim 38 wherein specifying the processing includes monitoring the rate of flows of datagram packets and taking one of several actions as a function of the flow rate (data packet) .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (output ports, flow rate) to the proper port ;

and at the proper port , provide the requested network access (processing step) to the NAD .
WO9724841A2
CLAIM 5
. In a network device that processes datagram packets , a method for selecting the processing steps (network access, providing network access) to be applied to a datagram packet , said method comprising the steps of : determining from the source-destination address pair contained in the datagram packet a virtual path record comprising specifications for processing the datagram packet ;
and processing the datagram packet according to the processing steps associated with said virtual path record .

WO9724841A2
CLAIM 13
. The method of Claim 1 wherein the step of processing the datagram packets comprises an action chosen from the group consisting of : dropping the packet , buffering the packet , forwarding the packet to an output port , forwarding the packet to a multiplicity of output ports (data packet) , forwarding a copy of the packet to another network device , and generating a response back to the sender of the packet .

WO9724841A2
CLAIM 44
. The method of Claim 38 wherein specifying the processing includes monitoring the rate of flows of datagram packets and taking one of several actions as a function of the flow rate (data packet) .
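
The following Python is an added example written for this chart; it is not code from US7739302B2, from the WO9724841A2 reference, or from any party to the analysis. It models the filtering that claims 4, 5, 6 and 9 recite: the IPv4 header of each request is parsed and rejected as incomplete when its length, option or transport fields are inconsistent (claim 4); the source address, destination address and route (a loose or strict source-route option) are checked against a policy (claim 5); the interface the packet arrived on must be an authorized one (claim 6); and the destination port must be one of the NAD's service ports before access is granted (claim 9). Every address, interface name, port, policy value and packet below is constructed for the demo, and the ingress interface is assumed to be handed in by the receiving driver as metadata rather than read from the header.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137  # IPv4 option kinds


class Malformed(ValueError):
    """Header information is incomplete or inconsistent (claim 4's 'complete' test fails)."""


@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    source_routed: bool      # an LSRR/SSRR option dictates the packet's route
    dst_port: Optional[int]  # TCP/UDP destination port, None for other protocols


def parse_header(pkt: bytes) -> Header:
    """Parse the IPv4 header (plus TCP/UDP ports); raise Malformed on anything inconsistent."""
    if len(pkt) < 20:
        raise Malformed("truncated IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise Malformed("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise Malformed("bad IHL / total length")
    source_routed, opts, i = False, pkt[20:ihl], 0
    while i < len(opts):  # walk the option list looking for a source route
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise Malformed("bad option length")
        source_routed |= kind in (IPOPT_LSRR, IPOPT_SSRR)
        i += opts[i + 1]
    if proto in (6, 17) and total_len < ihl + 4:  # TCP/UDP must at least carry the ports
        raise Malformed("truncated transport header")
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto in (6, 17) else None
    return Header(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                  source_routed, dst_port)


@dataclass(frozen=True)
class NadPolicy:
    nad_addrs: frozenset          # the NAD's own addresses
    allowed_sources: tuple        # IPv4Network objects permitted to reach the NAD
    authorized_ifaces: frozenset  # interfaces the NAD accepts requests on (claim 6)
    service_ports: frozenset      # the NAD's "proper" ports (claim 9)
    accept_source_routed: bool = False


def authorize(pkt: bytes, ingress_iface: str, policy: NadPolicy):
    """Return (allowed, reason). Default deny: every check must pass."""
    try:
        h = parse_header(pkt)
    except Malformed as exc:
        return False, f"deny: header incomplete ({exc})"
    if ingress_iface not in policy.authorized_ifaces:
        return False, f"deny: arrived via unauthorized interface {ingress_iface}"
    if h.dst not in policy.nad_addrs:
        return False, f"deny: destination {h.dst} is not this NAD"
    if not any(ipaddress.IPv4Address(h.src) in net for net in policy.allowed_sources):
        return False, f"deny: source {h.src} not permitted"
    if h.source_routed and not policy.accept_source_routed:
        return False, "deny: source-routed packet"
    if h.dst_port not in policy.service_ports:
        return False, f"deny: port {h.dst_port} is not a NAD service port"
    return True, f"allow: {h.src} -> {h.dst}:{h.dst_port} via {ingress_iface}"


def build_packet(src, dst, dst_port, options=b"", proto=6):
    """Constructed demo input: a minimal IPv4 + TCP/UDP packet with checksums left zero."""
    options += b"\x00" * (-len(options) % 4)
    transport = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ((20 + len(options)) // 4), 0,
                      20 + len(options) + len(transport), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + transport


# Hypothetical NAD at 192.0.2.10 on lan0, serving SMB (445) and NFS (2049) to its own /24.
DEMO_POLICY = NadPolicy(frozenset({"192.0.2.10"}), (ipaddress.ip_network("192.0.2.0/24"),),
                        frozenset({"lan0"}), frozenset({445, 2049}))
LSRR_OPTION = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("192.0.2.99").packed


def run_demo():
    """Constructed requests: one that should pass and five that each fail exactly one check."""
    good = build_packet("192.0.2.25", "192.0.2.10", 2049)
    cases = {
        "lan client to NFS": (good, "lan0"),
        "lan client to SSH": (build_packet("192.0.2.25", "192.0.2.10", 22), "lan0"),
        "outside source": (build_packet("198.51.100.7", "192.0.2.10", 2049), "lan0"),
        "wrong interface": (good, "wan0"),
        "source-routed": (build_packet("192.0.2.25", "192.0.2.10", 2049, LSRR_OPTION), "lan0"),
        "truncated header": (good[:15], "lan0"),
    }
    return {name: authorize(pkt, iface, DEMO_POLICY) for name, (pkt, iface) in cases.items()}
```

Calling `run_demo()` returns the six verdicts with their reasons; only the first request is allowed. The order of checks is deliberate: the header is validated before any field is trusted, so a packet whose length fields lie cannot steer the later comparisons, and every failure short-circuits to deny. The WO9724841A2 reference keys its per-packet processing on the source-destination address pair; the policy above expresses the same lookup as a permitted source network paired with the NAD's own address.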

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (processing step) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (output ports, flow rate) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (forwarding data) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9724841A2
CLAIM 5
. In a network device that processes datagram packets , a method for selecting the processing steps (network access, providing network access) to be applied to a datagram packet , said method comprising the steps of : determining from the source-destination address pair contained in the datagram packet a virtual path record comprising specifications for processing the datagram packet ;
and processing the datagram packet according to the processing steps associated with said virtual path record .

WO9724841A2
CLAIM 13
. The method of Claim 1 wherein the step of processing the datagram packets comprises an action chosen from the group consisting of : dropping the packet , buffering the packet , forwarding the packet to an output port , forwarding the packet to a multiplicity of output ports (data packet) , forwarding a copy of the packet to another network device , and generating a response back to the sender of the packet .

WO9724841A2
CLAIM 44
. The method of Claim 38 wherein specifying the processing includes monitoring the rate of flows of datagram packets and taking one of several actions as a function of the flow rate (data packet) .

WO9724841A2
CLAIM 49
. In a network device that processes datagram packets , a method for forwarding datagram packets (network destination) , said method comprising the steps of : determining from the source-destination address pair contained in each datagram packet a virtual path record comprising specifications for forwarding the datagram packet ;
and forwarding each datagram packet according to the specifications in said virtual path record .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (processing step) to the NAD is only available through the server .
WO9724841A2
CLAIM 5
. In a network device that processes datagram packets , a method for selecting the processing steps (network access, providing network access) to be applied to a datagram packet , said method comprising the steps of : determining from the source-destination address pair contained in the datagram packet a virtual path record comprising specifications for processing the datagram packet ;
and processing the datagram packet according to the processing steps associated with said virtual path record .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (output ports, flow rate) containing the request for network access (processing step) includes at least one of an IP address of a network source , an IP address of a network destination (forwarding data) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9724841A2
CLAIM 5
. In a network device that processes datagram packets , a method for selecting the processing steps (network access, providing network access) to be applied to a datagram packet , said method comprising the steps of : determining from the source-destination address pair contained in the datagram packet a virtual path record comprising specifications for processing the datagram packet ;
and processing the datagram packet according to the processing steps associated with said virtual path record .

WO9724841A2
CLAIM 13
. The method of Claim 1 wherein the step of processing the datagram packets comprises an action chosen from the group consisting of : dropping the packet , buffering the packet , forwarding the packet to an output port , forwarding the packet to a multiplicity of output ports (data packet) , forwarding a copy of the packet to another network device , and generating a response back to the sender of the packet .

WO9724841A2
CLAIM 44
. The method of Claim 38 wherein specifying the processing includes monitoring the rate of flows of datagram packets and taking one of several actions as a function of the flow rate (data packet) .

WO9724841A2
CLAIM 49
. In a network device that processes datagram packets , a method for forwarding datagram packets (network destination) , said method comprising the steps of : determining from the source-destination address pair contained in each datagram packet a virtual path record comprising specifications for forwarding the datagram packet ;
and forwarding each datagram packet according to the specifications in said virtual path record .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access (overall network) to a proper port over the directly attached device interface .
WO9724841A2
CLAIM 47
. The method of Claim 45 wherein processing includes specifying the forwarding function of the flow of datagram packets at each network device , which is based on the connectivity of the overall network (requests contain information to gain access) .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (forwarding data) , and a route of the data packet (output ports, flow rate) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9724841A2
CLAIM 13
. The method of Claim 1 wherein the step of processing the datagram packets comprises an action chosen from the group consisting of : dropping the packet , buffering the packet , forwarding the packet to an output port , forwarding the packet to a multiplicity of output ports (data packet) , forwarding a copy of the packet to another network device , and generating a response back to the sender of the packet .

WO9724841A2
CLAIM 44
. The method of Claim 38 wherein specifying the processing includes monitoring the rate of flows of datagram packets and taking one of several actions as a function of the flow rate (data packet) .

WO9724841A2
CLAIM 49
. In a network device that processes datagram packets , a method for forwarding datagram packets (network destination) , said method comprising the steps of : determining from the source-destination address pair contained in each datagram packet a virtual path record comprising specifications for forwarding the datagram packet ;
and forwarding each datagram packet according to the specifications in said virtual path record .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
EP0848338A1

Filed: 1996-12-12     Issued: 1998-06-17

Server providing documents according to user profiles

(Original Assignee) Sony Deutschland GmbH     (Current Assignee) Sony Deutschland GmbH

William Bunney, Kozo Tetsuya
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
EP0848338A1
CLAIM 10
A server computer according to claim 9 wherein said automatic document assembly means is further adapted to include in said menu an autoload icon ;
and further comprising : autoload means responsive to selection of said autoload icon by said user for assembling an autoload document adapted to cause said user's client computer to access concurrently each resource addressed (IP addresses) by a hypertext link in said menu and to transmit said autoload document to said user's client computer .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (d log) of a plurality of protocols .
EP0848338A1
CLAIM 3
A server computer according to claim 2 wherein said personal edition memory means (19) is further adapted to store a log of requests made by each user and said automatic document assembly means (17) is further adapted to select an advertisement from said advertisement memory means (21) on the basis of said log (requests comprise one) in addition to said personal information .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5796393A

Filed: 1996-11-08     Issued: 1998-08-18

System for intergrating an on-line service community with a foreign service

(Original Assignee) CompuServe Inc     (Current Assignee) Facebook Inc

Bruce A. MacNaughton, Leigh R. Turner
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access (process request) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5796393A
CLAIM 28
The system of claim 26 wherein at least one button on said toolbar may be used to process requests (network access) to an on-line service server for retrieval of selected content associated with said plurality of on-line service users and display by said community viewer.

US5796393A
CLAIM 47
The system of claim 44 wherein information (network destination) about said plurality of on-line service users is maintained in a database accessed using ODBC.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (process request) to the NAD from a plurality of network clients having different operating systems.
US5796393A
CLAIM 28
The system of claim 26 wherein at least one button on said toolbar may be used to process requests (network access) to an on-line service server for retrieval of selected content associated with said plurality of on-line service users and display by said community viewer.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (process request) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US5796393A
CLAIM 28
The system of claim 26 wherein at least one button on said toolbar may be used to process requests (network access) to an on-line service server for retrieval of selected content associated with said plurality of on-line service users and display by said community viewer.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising;

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (process request) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US5796393A
CLAIM 28
The system of claim 26 wherein at least one button on said toolbar may be used to process requests (network access) to an on-line service server for retrieval of selected content associated with said plurality of on-line service users and display by said community viewer.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (process request) to the NAD.
US5796393A
CLAIM 28
The system of claim 26 wherein at least one button on said toolbar may be used to process requests (network access) to an on-line service server for retrieval of selected content associated with said plurality of on-line service users and display by said community viewer.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (process request) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5796393A
CLAIM 28
The system of claim 26 wherein at least one button on said toolbar may be used to process requests (network access) to an on-line service server for retrieval of selected content associated with said plurality of on-line service users and display by said community viewer.

US5796393A
CLAIM 47
The system of claim 44 wherein information (network destination) about said plurality of on-line service users is maintained in a database accessed using ODBC.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (process request) to the NAD is only available through the server.
US5796393A
CLAIM 28
The system of claim 26 wherein at least one button on said toolbar may be used to process requests (network access) to an on-line service server for retrieval of selected content associated with said plurality of on-line service users and display by said community viewer.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (process request) includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5796393A
CLAIM 28
The system of claim 26 wherein at least one button on said toolbar may be used to process requests (network access) to an on-line service server for retrieval of selected content associated with said plurality of on-line service users and display by said community viewer.

US5796393A
CLAIM 47
The system of claim 44 wherein information (network destination) about said plurality of on-line service users is maintained in a database accessed using ODBC.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5796393A
CLAIM 47
The system of claim 44 wherein information (network destination) about said plurality of on-line service users is maintained in a database accessed using ODBC.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9716023A1

Filed: 1996-10-28     Issued: 1997-05-01

Staggered stream support for video on demand

(Original Assignee) Emc Corporation     

Uresh K. Vahalia, John Forecast, Percy Tzelnic
US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients (multiple clients, client requests) having different operating systems.
WO9716023A1
CLAIM 5
The method as claimed in claim 1, wherein video data for the entire data set are transferred from the random access memory of each stream server computer to multiple clients (network clients) simultaneously.

WO9716023A1
CLAIM 6
The method as claimed in claim 1, which includes balancing loading on each of the stream server computers by dynamically allocating the random access memory in the stream server computers to the client requests (network clients) based on available resources of the stream server computers.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions (requested data) that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
WO9716023A1
CLAIM 8
A method of operating a video file server to provide video-on-demand service to clients in a data network, said video file server having a storage subsystem for storing a video data set, and a plurality of stream server computers linking the data storage subsystem to the data network, each stream server computer having a random access memory for storing a portion of the data set so that the data set is replicated in the random access memory of the stream server computers, wherein the method comprises the steps of: (a) receiving a request from a client for streaming data from the data set;
(b) checking whether said client is requesting data existing in the random access memory of one of said stream server computers having sufficient resources for streaming the requested data (storing instructions) from the random access memory of said one of said stream server computers to said client, and (i) when said client is requesting data existing in the random access memory of one of said stream server computers having sufficient resources for streaming the requested data from the random access memory of said one of said stream server computers to said client, assigning said one of said stream server computers to handle said request from said client by streaming the requested data from the random access memory of said one of said stream server computers to said client;
and (ii) when said client is requesting data that does not exist in the random access memory of any of the stream server computers having sufficient resources to handle the request, checking whether any of said stream server computers has sufficient random access memory to handle said request from said client by streaming the requested data from said sufficient random access memory to said client, and when any of said stream server computers has sufficient random access memory to handle said request from said client by streaming the requested data from said sufficient random access memory to said client, loading the requested data into said sufficient random access memory, and servicing the request by streaming the requested data from said sufficient random access memory to said client.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (data link).
WO9716023A1
CLAIM 1
A method of operating a video file server to provide video-on-demand service to clients in a data network, said video file server having a storage subsystem for storing a video data set, and a plurality of stream server computers linking the data storage subsystem to the data network, each stream server computer having a random access memory for storing a portion of the data set so that the data set is replicated in the random access memory of the stream server computers, wherein the method comprises the steps of: (a) maintaining each portion of the data set in the random access memory as a sliding window into the data set by loading new data into each portion of the data set in the random access memory at approximately a rate at which data are delivered to the clients for viewing;
and (b) servicing a request of a client for viewing of the data set beginning at a specified location in the data set by establishing a data link (application layer) to the client from a selected one of the stream server computers currently having in its random access memory a portion of the data set including the specified location in the data set, and transferring video data over the data link from the random access memory of the selected one of the stream server computers to the client.

US7739302B2
CLAIM 20
The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data storage).
WO9716023A1
CLAIM 1
A method of operating a video file server to provide video-on-demand service to clients in a data network, said video file server having a storage subsystem for storing a video data set, and a plurality of stream server computers linking the data storage (SCSI interface) subsystem to the data network, each stream server computer having a random access memory for storing a portion of the data set so that the data set is replicated in the random access memory of the stream server computers, wherein the method comprises the steps of: (a) maintaining each portion of the data set in the random access memory as a sliding window into the data set by loading new data into each portion of the data set in the random access memory at approximately a rate at which data are delivered to the clients for viewing;
and (b) servicing a request of a client for viewing of the data set beginning at a specified location in the data set by establishing a data link to the client from a selected one of the stream server computers currently having in its random access memory a portion of the data set including the specified location in the data set, and transferring video data over the data link from the random access memory of the selected one of the stream server computers to the client.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (multiple clients, client requests) and other devices in a manner that is in addition to any protection afforded by a firewall.
WO9716023A1
CLAIM 5
The method as claimed in claim 1, wherein video data for the entire data set are transferred from the random access memory of each stream server computer to multiple clients (network clients) simultaneously.

WO9716023A1
CLAIM 6
The method as claimed in claim 1, which includes balancing loading on each of the stream server computers by dynamically allocating the random access memory in the stream server computers to the client requests (network clients) based on available resources of the stream server computers.

US7739302B2
CLAIM 24
The apparatus of claim 23, wherein the managing means is further configured to manage access over a SCSI interface (data storage).
WO9716023A1
CLAIM 1
A method of operating a video file server to provide video-on-demand service to clients in a data network, said video file server having a storage subsystem for storing a video data set, and a plurality of stream server computers linking the data storage (SCSI interface) subsystem to the data network, each stream server computer having a random access memory for storing a portion of the data set so that the data set is replicated in the random access memory of the stream server computers, wherein the method comprises the steps of: (a) maintaining each portion of the data set in the random access memory as a sliding window into the data set by loading new data into each portion of the data set in the random access memory at approximately a rate at which data are delivered to the clients for viewing;
and (b) servicing a request of a client for viewing of the data set beginning at a specified location in the data set by establishing a data link to the client from a selected one of the stream server computers currently having in its random access memory a portion of the data set including the specified location in the data set, and transferring video data over the data link from the random access memory of the selected one of the stream server computers to the client.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (data link) of a network stack.
WO9716023A1
CLAIM 1
A method of operating a video file server to provide video-on-demand service to clients in a data network, said video file server having a storage subsystem for storing a video data set, and a plurality of stream server computers linking the data storage subsystem to the data network, each stream server computer having a random access memory for storing a portion of the data set so that the data set is replicated in the random access memory of the stream server computers, wherein the method comprises the steps of: (a) maintaining each portion of the data set in the random access memory as a sliding window into the data set by loading new data into each portion of the data set in the random access memory at approximately a rate at which data are delivered to the clients for viewing;
and (b) servicing a request of a client for viewing of the data set beginning at a specified location in the data set by establishing a data link (application layer) to the client from a selected one of the stream server computers currently having in its random access memory a portion of the data set including the specified location in the data set, and transferring video data over the data link from the random access memory of the selected one of the stream server computers to the client.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9712321A1

Filed: 1996-09-25     Issued: 1997-04-03

Virus detection and removal apparatus for computer networks

(Original Assignee) Trend Micro, Incorporated     

Eva Chen, Shuang Ji
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access (transfer data) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
WO9712321A1
CLAIM 1
A system for detecting and selectively removing viruses in data transfers, the system comprising: a memory for storing data and routines, the memory having inputs and outputs, the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus;
a communications unit for receiving and sending data in response to control signals, the communications unit having an input and an output;
and a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit;
the processing unit having inputs and outputs;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit;
the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs (control signals) for accepting requests for network access (transfer data) to the NAD from a plurality of network clients having different operating systems.
WO9712321A1
CLAIM 1
A system for detecting and selectively removing viruses in data transfers, the system comprising: a memory for storing data and routines, the memory having inputs and outputs, the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus;
a communications unit for receiving and sending data in response to control signals (network protocol programs), the communications unit having an input and an output;
and a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit;
the processing unit having inputs and outputs;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit;
the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (transfer data) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
WO9712321A1
CLAIM 1
A system for detecting and selectively removing viruses in data transfers, the system comprising: a memory for storing data and routines, the memory having inputs and outputs, the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus;
a communications unit for receiving and sending data in response to control signals, the communications unit having an input and an output;
and a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit;
the processing unit having inputs and outputs;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit;
the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (processor control) with each other over a same network, the NAD comprising;

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (transfer data) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
WO9712321A1
CLAIM 1
A system for detecting and selectively removing viruses in data transfers, the system comprising: a memory for storing data and routines, the memory having inputs and outputs, the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus;
a communications unit for receiving and sending data in response to control signals, the communications unit having an input and an output;
and a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit;
the processing unit having inputs and outputs;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit;
the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling (electronic communication) and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (transfer data) to the NAD.
WO9712321A1
CLAIM 1
A system for detecting and selectively removing viruses in data transfers, the system comprising: a memory for storing data and routines, the memory having inputs and outputs, the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus;
a communications unit for receiving and sending data in response to control signals, the communications unit having an input and an output;
and a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit;
the processing unit having inputs and outputs;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit;
the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted.

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (transfer data) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9712321A1
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
and a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (transfer data) to the NAD is only available through the server .
WO9712321A1
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
and a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (control output) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (transfer data) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9712321A1
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
and a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted .

WO9712321A1
CLAIM 2
. The system of claim 1 , wherein the server includes : a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handling instructions and the presence of viruses , the proxy server having a data input , a data output and a control output (device interface) , the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output , the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
WO9712321A1
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
and a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
WO9712321A1
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
and a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing (data transfers) device , the selectively generated packet containing the request for access to the directly attached device .
WO9712321A1
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers (intermediary computing, receiving requests) , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
and a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (control output) .
WO9712321A1
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
and a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted .

WO9712321A1
CLAIM 2
. The system of claim 1 , wherein the server includes : a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handling instructions and the presence of viruses , the proxy server having a data input , a data output and a control output (device interface) , the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output , the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (control output) comprises a SCSI interface .
WO9712321A1
CLAIM 2
. The system of claim 1 , wherein the server includes : a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handling instructions and the presence of viruses , the proxy server having a data input , a data output and a control output (device interface) , the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output , the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (data transfers) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9712321A1
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers (intermediary computing, receiving requests) , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
and a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (control output) if the request is allowed .
WO9712321A1
CLAIM 2
. The system of claim 1 , wherein the server includes : a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handling instructions and the presence of viruses , the proxy server having a data input , a data output and a control output (device interface) , the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output , the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9711443A1

Filed: 1996-09-18     Issued: 1997-03-27

Method and apparatus for user authentication

(Original Assignee) Telefonaktiebolaget Lm Ericsson (Publ)     

Robert Khello
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (variable number) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9711443A1
CLAIM 10
. The method in claim 1 , wherein step (c) includes generating a pattern of characters randomly or pseudo-randomly and the pattern includes a variable number (network source, network clients) of characters that may vary each time step (a) is performed .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients (variable number) having different operating (authentication program) systems .
WO9711443A1
CLAIM 10
. The method in claim 1 , wherein step (c) includes generating a pattern of characters randomly or pseudo-randomly and the pattern includes a variable number (network source, network clients) of characters that may vary each time step (a) is performed .

WO9711443A1
CLAIM 20
. A user service requesting device for permitting a user to request user services electronically over a communications network , comprising : a keypad for entering a request for a particular user service and a user's personal identification string ;
a memory for storing a user authentication program (different operating, processing unit) and plural encoding algorithms ;
data processing circuitry for performing the steps of : (a) determining a character position of the user's personal identification string ;
(b) generating a code ;
(c) encoding the user's personal identification string using one of the encoding algorithms to provide an encoded identification string ;
and (d) combining the code with the encoded identification string at the determined character position to generate a user identification code ;
and communications circuitry for providing the user identification code along with the user's service request to the communications network .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source (variable number) , destination , and route of the data packet .
WO9711443A1
CLAIM 10
. The method in claim 1 , wherein step (c) includes generating a pattern of characters randomly or pseudo-randomly and the pattern includes a variable number (network source, network clients) of characters that may vary each time step (a) is performed .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (variable number) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9711443A1
CLAIM 10
. The method in claim 1 , wherein step (c) includes generating a pattern of characters randomly or pseudo-randomly and the pattern includes a variable number (network source, network clients) of characters that may vary each time step (a) is performed .

US7739302B2
CLAIM 10
. A system for managing access (data processing circuitry) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (variable number) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9711443A1
CLAIM 10
. The method in claim 1 , wherein step (c) includes generating a pattern of characters randomly or pseudo-randomly and the pattern includes a variable number (network source, network clients) of characters that may vary each time step (a) is performed .

WO9711443A1
CLAIM 20
. A user service requesting device for permitting a user to request user services electronically over a communications network , comprising : a keypad for entering a request for a particular user service and a user's personal identification string ;
a memory for storing a user authentication program and plural encoding algorithms ;
data processing circuitry (managing access) for performing the steps of : (a) determining a character position of the user's personal identification string ;
(b) generating a code ;
(c) encoding the user's personal identification string using one of the encoding algorithms to provide an encoded identification string ;
and (d) combining the code with the encoded identification string at the determined character position to generate a user identification code ;
and communications circuitry for providing the user identification code along with the user's service request to the communications network .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (authentication program) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (variable number) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9711443A1
CLAIM 10
. The method in claim 1 , wherein step (c) includes generating a pattern of characters randomly or pseudo-randomly and the pattern includes a variable number (network source, network clients) of characters that may vary each time step (a) is performed .

WO9711443A1
CLAIM 20
. A user service requesting device for permitting a user to request user services electronically over a communications network , comprising : a keypad for entering a request for a particular user service and a user's personal identification string ;
a memory for storing a user authentication program (different operating, processing unit) and plural encoding algorithms ;
data processing circuitry for performing the steps of : (a) determining a character position of the user's personal identification string ;
(b) generating a code ;
(c) encoding the user's personal identification string using one of the encoding algorithms to provide an encoded identification string ;
and (d) combining the code with the encoded identification string at the determined character position to generate a user identification code ;
and communications circuitry for providing the user identification code along with the user's service request to the communications network .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (authentication program) to determine whether each packet arrived via an authorized network interface .
WO9711443A1
CLAIM 20
. A user service requesting device for permitting a user to request user services electronically over a communications network , comprising : a keypad for entering a request for a particular user service and a user's personal identification string ;
a memory for storing a user authentication program (different operating, processing unit) and plural encoding algorithms ;
data processing circuitry for performing the steps of : (a) determining a character position of the user's personal identification string ;
(b) generating a code ;
(c) encoding the user's personal identification string using one of the encoding algorithms to provide an encoded identification string ;
and (d) combining the code with the encoded identification string at the determined character position to generate a user identification code ;
and communications circuitry for providing the user identification code along with the user's service request to the communications network .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (authentication program) to determine whether each packet contains an unauthorized IP address .
WO9711443A1
CLAIM 20
. A user service requesting device for permitting a user to request user services electronically over a communications network , comprising : a keypad for entering a request for a particular user service and a user's personal identification string ;
a memory for storing a user authentication program (different operating, processing unit) and plural encoding algorithms ;
data processing circuitry for performing the steps of : (a) determining a character position of the user's personal identification string ;
(b) generating a code ;
(c) encoding the user's personal identification string using one of the encoding algorithms to provide an encoded identification string ;
and (d) combining the code with the encoded identification string at the determined character position to generate a user identification code ;
and communications circuitry for providing the user identification code along with the user's service request to the communications network .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (authentication program) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
WO9711443A1
CLAIM 20
. A user service requesting device for permitting a user to request user services electronically over a communications network , comprising : a keypad for entering a request for a particular user service and a user's personal identification string ;
a memory for storing a user authentication program (different operating, processing unit) and plural encoding algorithms ;
data processing circuitry for performing the steps of : (a) determining a character position of the user's personal identification string ;
(b) generating a code ;
(c) encoding the user's personal identification string using one of the encoding algorithms to provide an encoded identification string ;
and (d) combining the code with the encoded identification string at the determined character position to generate a user identification code ;
and communications circuitry for providing the user identification code along with the user's service request to the communications network .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (authentication program) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
WO9711443A1
CLAIM 20
. A user service requesting device for permitting a user to request user services electronically over a communications network , comprising : a keypad for entering a request for a particular user service and a user's personal identification string ;
a memory for storing a user authentication program (different operating, processing unit) and plural encoding algorithms ;
data processing circuitry for performing the steps of : (a) determining a character position of the user's personal identification string ;
(b) generating a code ;
(c) encoding the user's personal identification string using one of the encoding algorithms to provide an encoded identification string ;
and (d) combining the code with the encoded identification string at the determined character position to generate a user identification code ;
and communications circuitry for providing the user identification code along with the user's service request to the communications network .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (variable number) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access (second person) to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (variable number) and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9711443A1
CLAIM 10
. The method in claim 1 , wherein step (c) includes generating a pattern of characters randomly or pseudo-randomly and the pattern includes a variable number (network source, network clients) of characters that may vary each time step (a) is performed .

WO9711443A1
CLAIM 34
. The user authentication service according to claim 29 , further comprising : (1) when the character strings compared in step (h) are the same , detecting a user request to change the user's current personal identification character string ;
(2) prompting the user to enter a second personal (allowing access) identification character string and receiving a second encoded character string ;
(3) removing the code length of characters beginning at the determined character position leaving a second reduced character string ;
(4) decoding the second reduced character string using a second one of plural decoding algorithms to provide a second user entered personal identification character string ;
(5) prompting the user to reenter the second personal identification character string and receiving a third encoded character string ;
(6) removing the code length of characters beginning at the determined character position leaving a third reduced character string ;
(7) decoding the third reduced character string using a third one of plural decoding algorithms to provide a third user entered personal identification character string ;
(8) registering the second personal identification character string as the user's new personal identification character string if the second and third user entered personal identification character strings decoded in steps (4) and (7) are the same .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access (data processing circuitry) to the NAD over a device interface if the request is allowed .
WO9711443A1
CLAIM 20
. A user service requesting device for permitting a user to request user services electronically over a communications network , comprising : a keypad for entering a request for a particular user service and a user's personal identification string ;
a memory for storing a user authentication program and plural encoding algorithms ;
data processing circuitry (managing access) for performing the steps of : (a) determining a character position of the user's personal identification string ;
(b) generating a code ;
(c) encoding the user's personal identification string using one of the encoding algorithms to provide an encoded identification string ;
and (d) combining the code with the encoded identification string at the determined character position to generate a user identification code ;
and communications circuitry for providing the user identification code along with the user's service request to the communications network .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (different security) of a plurality of protocols .
WO9711443A1
CLAIM 46
. A user authentication service providing a user with a plurality of different security (requests comprise one) levels in conducting electronic service requests including for each security level one or more memories storing a plurality of encryption algorithms wherein the user selects a security level and a number of encryption algorithms from the plurality of encryption algorithms corresponding to the selected level .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy

US5774660A

Filed: 1996-08-05     Issued: 1998-06-30

World-wide-web server with delayed resource-binding for resource-based load balancing on a distributed resource multi-node network

(Original Assignee) Resonate Inc     (Current Assignee) Resonate Inc

Juergen Brendel, Charles J. Kring, Zaide Liu, Christopher C. Marino

US7739302B2
CLAIM 1
. A network arrangement (link layer) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (load balancing) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (IP packets) for network access (load balancing) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (load balancing) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5774660A
CLAIM 1
. A web site for sending resources to a browser on a client connected to a computer network , the web site comprising : a network connection point for receiving incoming data packets from the computer network and for transmitting outgoing data packets to the computer network ;
local network , coupled to the network connection point , for transferring data packets ;
a plurality of network nodes containing web servers with resources , the plurality of network nodes connected to the local network , the plurality of network nodes including means for transmitting the resources as outgoing data packets to the client , the plurality of network nodes including means for sending the outgoing data packets over the local network to the network connection point ;
wherein the plurality of network nodes containing web servers together contain all resources at the web site , but each network node in the plurality of network nodes contains only a portion of all the resources at the web site ;
a balancer network node containing a load balancer , receiving the incoming data packets transmitted over the local network from the network connection point , the load balancer for determining an assigned server in the plurality of network nodes for responding to a request from the client in an incoming data packet , the load balancer including means for transferring a connection to the client to the assigned server ;
wherein the balancer network node containing the load balancer is connected to the network connection point by the local network which is also connected to the plurality of network nodes , wherein network nodes are segregated to contain different resources , and wherein all resources at the web site are not mirrored to all network nodes at the web site , wherein the load balancer further comprises : content means for storing an indication of which network nodes in the plurality of network nodes contain each resource ;
URL means , receiving incoming data packets from the client containing a request for a resource , for determining a requested resource from the incoming data packets ;
compare means , coupled to the content means and coupled to the URL means , for comparing the requested resource to the indication of which network nodes in the plurality of network nodes contain each resource , and for outputting a list of network nodes containing the requested resource ;
balancing means , receiving the list of network nodes containing the requested resource , for choosing as an assigned node one of the network nodes in the list of network nodes , whereby the incoming data packets are routed to the balancer network node but outgoing data packets bypass the balancer network node and whereby the load balancer chooses an assigned node based on the resources contained by each network node , the load balancer performing resource-based load balancing (NAD server, network access, network destination, network clients, network interface, network stack) .

US5774660A
CLAIM 7
. The computer-implemented method of claim 6 wherein the packets received from the client are TCP/IP packets (data packet) having a destination IP address being a virtual IP address of the load balancer , and wherein the step of transmitting the packets to the assigned node comprises : changing the virtual IP address of the load balancer in the packets to a real IP address of the assigned node and passing the packets to a modified IP layer ;
determining from the real IP address a physical route from the load balancer to the assigned node over a network and generating a physical network address for the assigned node and attaching the physical network address to the packets ;
changing the real IP address in the packets back to the virtual IP address before transmission of the packets with the physical network address , whereby the physical network address is generated from the real IP address of the assigned node , but the packets transmitted to the assigned node contain the virtual IP address of the load balancer .

US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 2
. The network arrangement (link layer) of claim 1 , wherein the NAD server (load balancing) comprises a plurality of network protocol programs for accepting requests for network access (load balancing) to the NAD from a plurality of network clients (load balancing) having different operating systems .
US5774660A
CLAIM 1
. A web site for sending resources to a browser on a client connected to a computer network , the web site comprising : a network connection point for receiving incoming data packets from the computer network and for transmitting outgoing data packets to the computer network ;
local network , coupled to the network connection point , for transferring data packets ;
a plurality of network nodes containing web servers with resources , the plurality of network nodes connected to the local network , the plurality of network nodes including means for transmitting the resources as outgoing data packets to the client , the plurality of network nodes including means for sending the outgoing data packets over the local network to the network connection point ;
wherein the plurality of network nodes containing web servers together contain all resources at the web site , but each network node in the plurality of network nodes contains only a portion of all the resources at the web site ;
a balancer network node containing a load balancer , receiving the incoming data packets transmitted over the local network from the network connection point , the load balancer for determining an assigned server in the plurality of network nodes for responding to a request from the client in an incoming data packet , the load balancer including means for transferring a connection to the client to the assigned server ;
wherein the balancer network node containing the load balancer is connected to the network connection point by the local network which is also connected to the plurality of network nodes , wherein network nodes are segregated to contain different resources , and wherein all resources at the web site are not mirrored to all network nodes at the web site , wherein the load balancer further comprises : content means for storing an indication of which network nodes in the plurality of network nodes contain each resource ;
URL means , receiving incoming data packets from the client containing a request for a resource , for determining a requested resource from the incoming data packets ;
compare means , coupled to the content means and coupled to the URL means , for comparing the requested resource to the indication of which network nodes in the plurality of network nodes contain each resource , and for outputting a list of network nodes containing the requested resource ;
balancing means , receiving the list of network nodes containing the requested resource , for choosing as an assigned node one of the network nodes in the list of network nodes , whereby the incoming data packets are routed to the balancer network node but outgoing data packets bypass the balancer network node and whereby the load balancer chooses an assigned node based on the resources contained by each network node , the load balancer performing resource-based load balancing (NAD server, network access, network destination, network clients, network interface, network stack) .

US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 3
. The network arrangement (link layer) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 4
. The network arrangement (link layer) of claim 1 , wherein the step of determining whether the request for network access (load balancing) to the NAD is authorized comprises determining whether information in the header of a received data packet (IP packets) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5774660A
CLAIM 1
. A web site for sending resources to a browser on a client connected to a computer network , the web site comprising : a network connection point for receiving incoming data packets from the computer network and for transmitting outgoing data packets to the computer network ;
local network , coupled to the network connection point , for transferring data packets ;
a plurality of network nodes containing web servers with resources , the plurality of network nodes connected to the local network , the plurality of network nodes including means for transmitting the resources as outgoing data packets to the client , the plurality of network nodes including means for sending the outgoing data packets over the local network to the network connection point ;
wherein the plurality of network nodes containing web servers together contain all resources at the web site , but each network node in the plurality of network nodes contains only a portion of all the resources at the web site ;
a balancer network node containing a load balancer , receiving the incoming data packets transmitted over the local network from the network connection point , the load balancer for determining an assigned server in the plurality of network nodes for responding to a request from the client in an incoming data packet , the load balancer including means for transferring a connection to the client to the assigned server ;
wherein the balancer network node containing the load balancer is connected to the network connection point by the local network which is also connected to the plurality of network nodes , wherein network nodes are segregated to contain different resources , and wherein all resources at the web site are not mirrored to all network nodes at the web site , wherein the load balancer further comprises : content means for storing an indication of which network nodes in the plurality of network nodes contain each resource ;
URL means , receiving incoming data packets from the client containing a request for a resource , for determining a requested resource from the incoming data packets ;
compare means , coupled to the content means and coupled to the URL means , for comparing the requested resource to the indication of which network nodes in the plurality of network nodes contain each resource , and for outputting a list of network nodes containing the requested resource ;
balancing means , receiving the list of network nodes containing the requested resource , for choosing as an assigned node one of the network nodes in the list of network nodes , whereby the incoming data packets are routed to the balancer network node but outgoing data packets bypass the balancer network node and whereby the load balancer chooses an assigned node based on the resources contained by each network node , the load balancer performing resource-based load balancing (NAD server, network access, network destination, network clients, network interface, network stack) .

US5774660A
CLAIM 7
. The computer-implemented method of claim 6 wherein the packets received from the client are TCP/IP packets (data packet) having a destination IP address being a virtual IP address of the load balancer , and wherein the step of transmitting the packets to the assigned node comprises : changing the virtual IP address of the load balancer in the packets to a real IP address of the assigned node and passing the packets to a modified IP layer ;
determining from the real IP address a physical route from the load balancer to the assigned node over a network and generating a physical network address for the assigned node and attaching the physical network address to the packets ;
changing the real IP address in the packets back to the virtual IP address before transmission of the packets with the physical network address , whereby the physical network address is generated from the real IP address of the assigned node , but the packets transmitted to the assigned node contain the virtual IP address of the load balancer .

US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 5
. A local area network arrangement (link layer) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (load balancing) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (IP packets) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (network address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5774660A
CLAIM 1
. A web site for sending resources to a browser on a client connected to a computer network , the web site comprising : a network connection point for receiving incoming data packets from the computer network and for transmitting outgoing data packets to the computer network ;
local network , coupled to the network connection point , for transferring data packets ;
a plurality of network nodes containing web servers with resources , the plurality of network nodes connected to the local network , the plurality of network nodes including means for transmitting the resources as outgoing data packets to the client , the plurality of network nodes including means for sending the outgoing data packets over the local network to the network connection point ;
wherein the plurality of network nodes containing web servers together contain all resources at the web site , but each network node in the plurality of network nodes contains only a portion of all the resources at the web site ;
a balancer network node containing a load balancer , receiving the incoming data packets transmitted over the local network from the network connection point , the load balancer for determining an assigned server in the plurality of network nodes for responding to a request from the client in an incoming data packet , the load balancer including means for transferring a connection to the client to the assigned server ;
wherein the balancer network node containing the load balancer is connected to the network connection point by the local network which is also connected to the plurality of network nodes , wherein network nodes are segregated to contain different resources , and wherein all resources at the web site are not mirrored to all network nodes at the web site , wherein the load balancer further comprises : content means for storing an indication of which network nodes in the plurality of network nodes contain each resource ;
URL means , receiving incoming data packets from the client containing a request for a resource , for determining a requested resource from the incoming data packets ;
compare means , coupled to the content means and coupled to the URL means , for comparing the requested resource to the indication of which network nodes in the plurality of network nodes contain each resource , and for outputting a list of network nodes containing the requested resource ;
balancing means , receiving the list of network nodes containing the requested resource , for choosing as an assigned node one of the network nodes in the list of network nodes , whereby the incoming data packets are routed to the balancer network node but outgoing data packets bypass the balancer network node and whereby the load balancer chooses an assigned node based on the resources contained by each network node , the load balancer performing resource-based load balancing (NAD server, network access, network destination, network clients, network interface, network stack) .

US5774660A
CLAIM 3
. The web site of claim 1 wherein the web site is addressable by one network address (IP addresses) for all web servers in the plurality of network nodes containing web servers .

US5774660A
CLAIM 7
. The computer-implemented method of claim 6 wherein the packets received from the client are TCP/IP packets (data packet) having a destination IP address being a virtual IP address of the load balancer , and wherein the step of transmitting the packets to the assigned node comprises : changing the virtual IP address of the load balancer in the packets to a real IP address of the assigned node and passing the packets to a modified IP layer ;
determining from the real IP address a physical route from the load balancer to the assigned node over a network and generating a physical network address for the assigned node and attaching the physical network address to the packets ;
changing the real IP address in the packets back to the virtual IP address before transmission of the packets with the physical network address , whereby the physical network address is generated from the real IP address of the assigned node , but the packets transmitted to the assigned node contain the virtual IP address of the load balancer .

US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 6
. The network arrangement (link layer) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (IP packets) arrived via an authorized network interface (load balancing) .
US5774660A
CLAIM 4
. The web site of claim 1 further comprising : delay means , in the load balancer , for delaying assignment of the assigned node until an incoming data packet containing the request for the resource is received , whereby load balancing (NAD server, network access, network destination, network clients, network interface, network stack) is delayed .

US5774660A
CLAIM 7
. The computer-implemented method of claim 6 wherein the packets received from the client are TCP/IP packets (data packet) having a destination IP address being a virtual IP address of the load balancer , and wherein the step of transmitting the packets to the assigned node comprises : changing the virtual IP address of the load balancer in the packets to a real IP address of the assigned node and passing the packets to a modified IP layer ;
determining from the real IP address a physical route from the load balancer to the assigned node over a network and generating a physical network address for the assigned node and attaching the physical network address to the packets ;
changing the real IP address in the packets back to the virtual IP address before transmission of the packets with the physical network address , whereby the physical network address is generated from the real IP address of the assigned node , but the packets transmitted to the assigned node contain the virtual IP address of the load balancer .

US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 7
. The network arrangement (link layer) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 8
. The network arrangement (link layer) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 9
. The network arrangement (link layer) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (IP packets) to the proper port ;

and at the proper port , provide the requested network access (load balancing) to the NAD .
US5774660A
CLAIM 4
. The web site of claim 1 further comprising : delay means , in the load balancer , for delaying assignment of the assigned node until an incoming data packet containing the request for the resource is received , whereby load balancing (NAD server, network access, network destination, network clients, network interface, network stack) is delayed .

US5774660A
CLAIM 7
. The computer-implemented method of claim 6 wherein the packets received from the client are TCP/IP packets (data packet) having a destination IP address being a virtual IP address of the load balancer , and wherein the step of transmitting the packets to the assigned node comprises : changing the virtual IP address of the load balancer in the packets to a real IP address of the assigned node and passing the packets to a modified IP layer ;
determining from the real IP address a physical route from the load balancer to the assigned node over a network and generating a physical network address for the assigned node and attaching the physical network address to the packets ;
changing the real IP address in the packets back to the virtual IP address before transmission of the packets with the physical network address , whereby the physical network address is generated from the real IP address of the assigned node , but the packets transmitted to the assigned node contain the virtual IP address of the load balancer .

US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer above a TCP layer which is above the modified IP layer which is above a link layer (network arrangement) , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (load balancing) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (IP packets) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (load balancing) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5774660A
CLAIM 4
. The web site of claim 1 further comprising : delay means , in the load balancer , for delaying assignment of the assigned node until an incoming data packet containing the request for the resource is received , whereby load balancing (NAD server, network access, network destination, network clients, network interface, network stack) is delayed .

US5774660A
CLAIM 7
. The computer-implemented method of claim 6 wherein the packets received from the client are TCP/IP packets (data packet) having a destination IP address being a virtual IP address of the load balancer , and wherein the step of transmitting the packets to the assigned node comprises : changing the virtual IP address of the load balancer in the packets to a real IP address of the assigned node and passing the packets to a modified IP layer ;
determining from the real IP address a physical route from the load balancer to the assigned node over a network and generating a physical network address for the assigned node and attaching the physical network address to the packets ;
changing the real IP address in the packets back to the virtual IP address before transmission of the packets with the physical network address , whereby the physical network address is generated from the real IP address of the assigned node , but the packets transmitted to the assigned node contain the virtual IP address of the load balancer .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (load balancing) to the NAD is only available through the server .
US5774660A
CLAIM 4
. The web site of claim 1 further comprising : delay means , in the load balancer , for delaying assignment of the assigned node until an incoming data packet containing the request for the resource is received , whereby load balancing (NAD server, network access, network destination, network clients, network interface, network stack) is delayed .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (load balancing) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (IP packets) containing the request for network access (load balancing) includes at least one of an IP address of a network source , an IP address of a network destination (load balancing) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5774660A
CLAIM 4
. The web site of claim 1 further comprising : delay means , in the load balancer , for delaying assignment of the assigned node until an incoming data packet containing the request for the resource is received , whereby load balancing (NAD server, network access, network destination, network clients, network interface, network stack) is delayed .

US5774660A
CLAIM 7
. The computer-implemented method of claim 6 wherein the packets received from the client are TCP/IP packets (data packet) having a destination IP address being a virtual IP address of the load balancer , and wherein the step of transmitting the packets to the assigned node comprises : changing the virtual IP address of the load balancer in the packets to a real IP address of the assigned node and passing the packets to a modified IP layer ;
determining from the real IP address a physical route from the load balancer to the assigned node over a network and generating a physical network address for the assigned node and attaching the physical network address to the packets ;
changing the real IP address in the packets back to the virtual IP address before transmission of the packets with the physical network address , whereby the physical network address is generated from the real IP address of the assigned node , but the packets transmitted to the assigned node contain the virtual IP address of the load balancer .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (load balancing) .
US5774660A
CLAIM 4
. The web site of claim 1 further comprising : delay means , in the load balancer , for delaying assignment of the assigned node until an incoming data packet containing the request for the resource is received , whereby load balancing (NAD server, network access, network destination, network clients, network interface, network stack) is delayed .

US7739302B2
CLAIM 17
. The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (application layer) .
US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer (application layer) above a TCP layer which is above the modified IP layer which is above a link layer , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (load balancing) , and a route of the data packet (IP packets) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (load balancing) and other devices in a manner that is in addition to any protection afforded by a firewall .
US5774660A
CLAIM 4
. The web site of claim 1 further comprising : delay means , in the load balancer , for delaying assignment of the assigned node until an incoming data packet containing the request for the resource is received , whereby load balancing (NAD server, network access, network destination, network clients, network interface, network stack) is delayed .

US5774660A
CLAIM 7
. The computer-implemented method of claim 6 wherein the packets received from the client are TCP/IP packets (data packet) having a destination IP address being a virtual IP address of the load balancer , and wherein the step of transmitting the packets to the assigned node comprises : changing the virtual IP address of the load balancer in the packets to a real IP address of the assigned node and passing the packets to a modified IP layer ;
determining from the real IP address a physical route from the load balancer to the assigned node over a network and generating a physical network address for the assigned node and attaching the physical network address to the packets ;
changing the real IP address in the packets back to the virtual IP address before transmission of the packets with the physical network address , whereby the physical network address is generated from the real IP address of the assigned node , but the packets transmitted to the assigned node contain the virtual IP address of the load balancer .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer (application layer) of a network stack (load balancing) .
US5774660A
CLAIM 4
. The web site of claim 1 further comprising : delay means , in the load balancer , for delaying assignment of the assigned node until an incoming data packet containing the request for the resource is received , whereby load balancing (NAD server, network access, network destination, network clients, network interface, network stack) is delayed .

US5774660A
CLAIM 9
. The computer-implemented method of claim 7 wherein the load balancer is a program in an application layer (application layer) above a TCP layer which is above the modified IP layer which is above a link layer , wherein the step of receiving the URL request from the client comprises : receiving at least one TCP/IP packet from the client and assembling an IP datagram from the at least one TCP/IP packet in the modified IP layer ;
changing a protocol for the IP datagram from TCP to an unrecognized protocol ;
bypassing the TCP layer and transmitting the IP datagram to the load balancer in the application layer through a raw IP socket , whereby the TCP layer is bypassed for incoming TCP/IP packets of the URL request .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5778178A

Filed: 1996-08-05     Issued: 1998-07-07

Method and apparatus for enabling real-time bi-directional transactions on a network

(Original Assignee) Arunachalam; Lakshmi     (Current Assignee) ARUNACHALAM LAKSHMI DR

Lakshmi Arunachalam
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (id attribute) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5778178A
CLAIM 1
. An object router on a World Wide Web , said object router comprising : means for associating an object identity with information entries and attributes , wherein the object identity represents a networked object ;
means for storing said information entries and said attributes (network protocol programs) in a virtual information store ;
and means for assigning a unique network address to said object identity .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (network address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5778178A
CLAIM 1
. An object router on a World Wide Web , said object router comprising : means for associating an object identity with information entries and attributes , wherein the object identity represents a networked object ;
means for storing said information entries and said attributes in a virtual information store ;
and means for assigning a unique network address (IP addresses) to said object identity .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5790789A

Filed: 1996-08-02     Issued: 1998-08-04

Method and architecture for the creation, control and deployment of services within a distributed computer environment

(Original Assignee) Suarez; Larry     

Larry Suarez
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (exchange information, more task) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5790789A
CLAIM 1
. A distributed computing system comprising : a plurality of computer hosts ;
a communication network for exchanging information and data between said computer hosts ;
a plurality of services associated with said computer hosts , each of said services adapted to perform a prescribed function in response to the receipt of an electronic message , said plurality of services further adapted to cooperatively perform one or more tasks (device interface, SCSI interface, data management component, intermediary computing device) ;
and a plurality of agents executing on said computers , wherein each of said services are operatively associated with one or more of said agents and said agents are adapted to control said associated services by manipulating said electronic messages directed to and originating from said associated service ;
wherein said services cooperatively perform said tasks by exchanging said electronic messages across said communication network via associated agents .

US5790789A
CLAIM 4
. The distributed computing system of claim 1 further comprising one or more devices adapted for providing a service , said devices connected to the communication network and adapted to exchange information (device interface, SCSI interface, data management component, intermediary computing device) and data throughout said distributed computing system .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (storing messages) .
US5790789A
CLAIM 18
. The distributed computing system of claim 1 wherein said plurality of services includes a queue service for handling messages sent to a destination agent and associated service , said queue service comprises : means for storing messages (network interface) sent to said destination agent until said destination agent retrieves said messages ;
and means for forwarding messages when said destination agent and associated service are unavailable to retrieve messages .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (storing messages) coupled to the processing unit and to a network ;

an attached device interface (exchange information, more task) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (same compute) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5790789A
CLAIM 1
. A distributed computing system comprising : a plurality of computer hosts ;
a communication network for exchanging information and data between said computer hosts ;
a plurality of services associated with said computer hosts , each of said services adapted to perform a prescribed function in response to the receipt of an electronic message , said plurality of services further adapted to cooperatively perform one or more tasks (device interface, SCSI interface, data management component, intermediary computing device) ;
and a plurality of agents executing on said computers , wherein each of said services are operatively associated with one or more of said agents and said agents are adapted to control said associated services by manipulating said electronic messages directed to and originating from said associated service ;
wherein said services cooperatively perform said tasks by exchanging said electronic messages across said communication network via associated agents .

US5790789A
CLAIM 4
. The distributed computing system of claim 1 further comprising one or more devices adapted for providing a service , said devices connected to the communication network and adapted to exchange information (device interface, SCSI interface, data management component, intermediary computing device) and data throughout said distributed computing system .

US5790789A
CLAIM 8
. The distributed computing system of claim 6 wherein one of said host agents and one of said associated service agents are executing on the same computer (storing instructions) host .

US5790789A
CLAIM 18
. The distributed computing system of claim 1 wherein said plurality of services includes a queue service for handling messages sent to a destination agent and associated service , said queue service comprises : means for storing messages (network interface) sent to said destination agent until said destination agent retrieves said messages ;
and means for forwarding messages when said destination agent and associated service are unavailable to retrieve messages .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (storing messages) .
US5790789A
CLAIM 18
. The distributed computing system of claim 1 wherein said plurality of services includes a queue service for handling messages sent to a destination agent and associated service , said queue service comprises : means for storing messages (network interface) sent to said destination agent until said destination agent retrieves said messages ;
and means for forwarding messages when said destination agent and associated service are unavailable to retrieve messages .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing device (exchange information, more task) , the selectively generated packet containing the request for access to the directly attached device .
US5790789A
CLAIM 1
. A distributed computing system comprising : a plurality of computer hosts ;
a communication network for exchanging information and data between said computer hosts ;
a plurality of services associated with said computer hosts , each of said services adapted to perform a prescribed function in response to the receipt of an electronic message , said plurality of services further adapted to cooperatively perform one or more tasks (device interface, SCSI interface, data management component, intermediary computing device) ;
and a plurality of agents executing on said computers , wherein each of said services are operatively associated with one or more of said agents and said agents are adapted to control said associated services by manipulating said electronic messages directed to and originating from said associated service ;
wherein said services cooperatively perform said tasks by exchanging said electronic messages across said communication network via associated agents .

US5790789A
CLAIM 4
. The distributed computing system of claim 1 further comprising one or more devices adapted for providing a service , said devices connected to the communication network and adapted to exchange information (device interface, SCSI interface, data management component, intermediary computing device) and data throughout said distributed computing system .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (exchange information, more task) .
US5790789A
CLAIM 1
. A distributed computing system comprising : a plurality of computer hosts ;
a communication network for exchanging information and data between said computer hosts ;
a plurality of services associated with said computer hosts , each of said services adapted to perform a prescribed function in response to the receipt of an electronic message , said plurality of services further adapted to cooperatively perform one or more tasks (device interface, SCSI interface, data management component, intermediary computing device) ;
and a plurality of agents executing on said computers , wherein each of said services are operatively associated with one or more of said agents and said agents are adapted to control said associated services by manipulating said electronic messages directed to and originating from said associated service ;
wherein said services cooperatively perform said tasks by exchanging said electronic messages across said communication network via associated agents .

US5790789A
CLAIM 4
. The distributed computing system of claim 1 further comprising one or more devices adapted for providing a service , said devices connected to the communication network and adapted to exchange information (device interface, SCSI interface, data management component, intermediary computing device) and data throughout said distributed computing system .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (exchange information, more task) comprises a SCSI interface (exchange information, more task) .
US5790789A
CLAIM 1
. A distributed computing system comprising : a plurality of computer hosts ;
a communication network for exchanging information and data between said computer hosts ;
a plurality of services associated with said computer hosts , each of said services adapted to perform a prescribed function in response to the receipt of an electronic message , said plurality of services further adapted to cooperatively perform one or more tasks (device interface, SCSI interface, data management component, intermediary computing device) ;
and a plurality of agents executing on said computers , wherein each of said services are operatively associated with one or more of said agents and said agents are adapted to control said associated services by manipulating said electronic messages directed to and originating from said associated service ;
wherein said services cooperatively perform said tasks by exchanging said electronic messages across said communication network via associated agents .

US5790789A
CLAIM 4
. The distributed computing system of claim 1 further comprising one or more devices adapted for providing a service , said devices connected to the communication network and adapted to exchange information (device interface, SCSI interface, data management component, intermediary computing device) and data throughout said distributed computing system .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (exchange information, more task) if the request is allowed .
US5790789A
CLAIM 1
. A distributed computing system comprising : a plurality of computer hosts ;
a communication network for exchanging information and data between said computer hosts ;
a plurality of services associated with said computer hosts , each of said services adapted to perform a prescribed function in response to the receipt of an electronic message , said plurality of services further adapted to cooperatively perform one or more tasks (device interface, SCSI interface, data management component, intermediary computing device) ;
and a plurality of agents executing on said computers , wherein each of said services are operatively associated with one or more of said agents and said agents are adapted to control said associated services by manipulating said electronic messages directed to and originating from said associated service ;
wherein said services cooperatively perform said tasks by exchanging said electronic messages across said communication network via associated agents .

US5790789A
CLAIM 4
. The distributed computing system of claim 1 further comprising one or more devices adapted for providing a service , said devices connected to the communication network and adapted to exchange information (device interface, SCSI interface, data management component, intermediary computing device) and data throughout said distributed computing system .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (said communication network) is further configured to manage access over a SCSI interface (exchange information, more task) .
US5790789A
CLAIM 1
. A distributed computing system comprising : a plurality of computer hosts ;
a communication network for exchanging information and data between said computer hosts ;
a plurality of services associated with said computer hosts , each of said services adapted to perform a prescribed function in response to the receipt of an electronic message , said plurality of services further adapted to cooperatively perform one or more tasks (device interface, SCSI interface, data management component, intermediary computing device) ;
and a plurality of agents executing on said computers , wherein each of said services are operatively associated with one or more of said agents and said agents are adapted to control said associated services by manipulating said electronic messages directed to and originating from said associated service ;
wherein said services cooperatively perform said tasks by exchanging said electronic messages across said communication network (managing means) via associated agents .

US5790789A
CLAIM 4
. The distributed computing system of claim 1 further comprising one or more devices adapted for providing a service , said devices connected to the communication network and adapted to exchange information (device interface, SCSI interface, data management component, intermediary computing device) and data throughout said distributed computing system .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (identity service) of a plurality of protocols .
US5790789A
CLAIM 19
. The distributed computing system of claim 1 wherein said plurality of services includes an identity service (requests comprise one) for uniquely identifying objects throughout the distributed computing system such that said objects can be located .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5742768A

Filed: 1996-07-16     Issued: 1998-04-21

System and method for providing and displaying a web page having an embedded menu

(Original Assignee) Silicon Graphics Inc     (Current Assignee) Microsoft Technology Licensing LLC

Giuseppe Gennaro, Jake McGowan, Anne P. Wagner, Kinney Wong, Benjamin A. Zamora
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (one action) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (storing code) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5742768A
CLAIM 1
. A method for providing a web page having an embedded menu to a web browser , the method comprising : receiving a request for a web page from a web browser ;
packaging the web page and an applet associated with the web page for transmission to the web browser ;
and transmitting the web page and the applet to the web browser ;
wherein the applet is operable to create and manage an embedded menu in a displayed web page when the web page is displayed and the applet is executed by the web browser , the embedded menu providing a user of the web browser with a plurality of links through one action (network client, network protocol programs) in the displayed web page .

US5742768A
CLAIM 16
. A host system executing a web server to provide a web page having an embedded menu to a web browser , the host system comprising : a data storage device storing a web page and an associated applet ;
wherein the associated applet , when executed , can create and manage an embedded menu in a displayed web page ;
a memory device storing code (computer executable instructions) for the web server ;
and a processor coupled to the data storage device and to the memory device , the processor executing code for the web server such that the web server is operable to : receive a request for the web page from a web browser ;
package the web page and the applet for transmission to the web server ;
and transmit the web page and the applet to the web browser ;
such that the applet creates and manages an embedded menu in the displayed web page when the web page is displayed and the applet is executed by the web browser , the embedded menu providing a user of the web browser with a plurality of links through one action in the displayed web page .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (one action) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5742768A
CLAIM 1
. A method for providing a web page having an embedded menu to a web browser , the method comprising : receiving a request for a web page from a web browser ;
packaging the web page and an applet associated with the web page for transmission to the web browser ;
and transmitting the web page and the applet to the web browser ;
wherein the applet is operable to create and manage an embedded menu in a displayed web page when the web page is displayed and the applet is executed by the web browser , the embedded menu providing a user of the web browser with a plurality of links through one action (network client, network protocol programs) in the displayed web page .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (one action) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5742768A
CLAIM 1
. A method for providing a web page having an embedded menu to a web browser , the method comprising : receiving a request for a web page from a web browser ;
packaging the web page and an applet associated with the web page for transmission to the web browser ;
and transmitting the web page and the applet to the web browser ;
wherein the applet is operable to create and manage an embedded menu in a displayed web page when the web page is displayed and the applet is executed by the web browser , the embedded menu providing a user of the web browser with a plurality of links through one action (network client, network protocol programs) in the displayed web page .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data storage) .
US5742768A
CLAIM 16
. A host system executing a web server to provide a web page having an embedded menu to a web browser , the host system comprising : a data storage (SCSI interface) device storing a web page and an associated applet ;
wherein the associated applet , when executed , can create and manage an embedded menu in a displayed web page ;
a memory device storing code for the web server ;
and a processor coupled to the data storage device and to the memory device , the processor executing code for the web server such that the web server is operable to : receive a request for the web page from a web browser ;
package the web page and the applet for transmission to the web server ;
and transmit the web page and the applet to the web browser ;
such that the applet creates and manages an embedded menu in the displayed web page when the web page is displayed and the applet is executed by the web browser , the embedded menu providing a user of the web browser with a plurality of links through one action in the displayed web page .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (storage device) , and a video codec .
US5742768A
CLAIM 16
. A host system executing a web server to provide a web page having an embedded menu to a web browser , the host system comprising : a data storage device (storage device) storing a web page and an associated applet ;
wherein the associated applet , when executed , can create and manage an embedded menu in a displayed web page ;
a memory device storing code for the web server ;
and a processor coupled to the data storage device and to the memory device , the processor executing code for the web server such that the web server is operable to : receive a request for the web page from a web browser ;
package the web page and the applet for transmission to the web server ;
and transmit the web page and the applet to the web browser ;
such that the applet creates and manages an embedded menu in the displayed web page when the web page is displayed and the applet is executed by the web browser , the embedded menu providing a user of the web browser with a plurality of links through one action in the displayed web page .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (data storage) .
US5742768A
CLAIM 16
. A host system executing a web server to provide a web page having an embedded menu to a web browser , the host system comprising : a data storage (SCSI interface) device storing a web page and an associated applet ;
wherein the associated applet , when executed , can create and manage an embedded menu in a displayed web page ;
a memory device storing code for the web server ;
and a processor coupled to the data storage device and to the memory device , the processor executing code for the web server such that the web server is operable to : receive a request for the web page from a web browser ;
package the web page and the applet for transmission to the web server ;
and transmit the web page and the applet to the web browser ;
such that the applet creates and manages an embedded menu in the displayed web page when the web page is displayed and the applet is executed by the web browser , the embedded menu providing a user of the web browser with a plurality of links through one action in the displayed web page .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (storage device) , and a video codec .
US5742768A
CLAIM 16
. A host system executing a web server to provide a web page having an embedded menu to a web browser , the host system comprising : a data storage device (storage device) storing a web page and an associated applet ;
wherein the associated applet , when executed , can create and manage an embedded menu in a displayed web page ;
a memory device storing code for the web server ;
and a processor coupled to the data storage device and to the memory device , the processor executing code for the web server such that the web server is operable to : receive a request for the web page from a web browser ;
package the web page and the applet for transmission to the web server ;
and transmit the web page and the applet to the web browser ;
such that the applet creates and manages an embedded menu in the displayed web page when the web page is displayed and the applet is executed by the web browser , the embedded menu providing a user of the web browser with a plurality of links through one action in the displayed web page .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9702734A2

Filed: 1996-07-12     Issued: 1997-01-30

Internet protocol (ip) work group routing

(Original Assignee) Cabletron Systems, Inc.     

Kurt A. Dobbins, David L. Cullerot, Stephen H. Negus, William T. Haggerty
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (enhanced security) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (IP datagrams, forward IP) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9702734A2
CLAIM 1
. A method of routing datagrams from a source to a destination in an IP communications network including routers having multiple router interfaces connecting multiple physical networks , wherein the routers forward IP datagrams (network destination, network protocols) based upon IP addresses , the method comprising the steps of : defining an IP work group by assigning multiple router interfaces to a same IP work group address ;
and forwarding IP datagrams through the routers based on the IP work group address .

WO9702734A2
CLAIM 23
. An IP communications network including routers having multiple router interfaces connecting multiple physical networks , the routers forwarding IP datagrams based on IP addresses , the network providing enhanced security (NAD server) and including : means for defining an IP work group by specifying IP host address ranges for different router interfaces ;
and means for filtering IP datagrams based on the host address ranges .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (enhanced security) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
WO9702734A2
CLAIM 23
. An IP communications network including routers having multiple router interfaces connecting multiple physical networks , the routers forwarding IP datagrams based on IP addresses , the network providing enhanced security (NAD server) and including : means for defining an IP work group by specifying IP host address ranges for different router interfaces ;
and means for filtering IP datagrams based on the host address ranges .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (IP addresses) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9702734A2
CLAIM 1
. A method of routing datagrams from a source to a destination in an IP communications network including routers having multiple router interfaces connecting multiple physical networks , wherein the routers forward IP datagrams based upon IP addresses (IP addresses) , the method comprising the steps of : defining an IP work group by assigning multiple router interfaces to a same IP work group address ;
and forwarding IP datagrams through the routers based on the IP work group address .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (IP datagrams, forward IP) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9702734A2
CLAIM 1
. A method of routing datagrams from a source to a destination in an IP communications network including routers having multiple router interfaces connecting multiple physical networks , wherein the routers forward IP datagrams (network destination, network protocols) based upon IP addresses , the method comprising the steps of : defining an IP work group by assigning multiple router interfaces to a same IP work group address ;
and forwarding IP datagrams through the routers based on the IP work group address .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (IP datagrams, forward IP) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9702734A2
CLAIM 1
. A method of routing datagrams from a source to a destination in an IP communications network including routers having multiple router interfaces connecting multiple physical networks , wherein the routers forward IP datagrams (network destination, network protocols) based upon IP addresses , the method comprising the steps of : defining an IP work group by assigning multiple router interfaces to a same IP work group address ;
and forwarding IP datagrams through the routers based on the IP work group address .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (IP datagrams, forward IP) .
WO9702734A2
CLAIM 1
. A method of routing datagrams from a source to a destination in an IP communications network including routers having multiple router interfaces connecting multiple physical networks , wherein the routers forward IP datagrams (network destination, network protocols) based upon IP addresses , the method comprising the steps of : defining an IP work group by assigning multiple router interfaces to a same IP work group address ;
and forwarding IP datagrams through the routers based on the IP work group address .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (IP datagrams, forward IP) is TCP/IP .
WO9702734A2
CLAIM 1
. A method of routing datagrams from a source to a destination in an IP communications network including routers having multiple router interfaces connecting multiple physical networks , wherein the routers forward IP datagrams (network destination, network protocols) based upon IP addresses , the method comprising the steps of : defining an IP work group by assigning multiple router interfaces to a same IP work group address ;
and forwarding IP datagrams through the routers based on the IP work group address .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (IP datagrams, forward IP) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9702734A2
CLAIM 1
. A method of routing datagrams from a source to a destination in an IP communications network including routers having multiple router interfaces connecting multiple physical networks , wherein the routers forward IP datagrams (network destination, network protocols) based upon IP addresses , the method comprising the steps of : defining an IP work group by assigning multiple router interfaces to a same IP work group address ;
and forwarding IP datagrams through the routers based on the IP work group address .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5799154A

Filed: 1996-06-27     Issued: 1998-08-25

System and method for the remote monitoring of wireless packet data networks

(Original Assignee) MCI Communications Corp     (Current Assignee) Verizon Patent and Licensing Inc

George W. Kuriyan
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (central location) and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5799154A
CLAIM 5
. A method for remotely monitoring the performance of a telecommunications network , comprising the steps of : collecting , prior to and after a scan interval , performance data functionally related to performance parameters in the network ;
generating a network control model of the performance of the network using said data collected prior to said scan interval ;
and forecasting the performance of the network at a future point in time during said scan interval , using said network (NAD server) control model , whereby a monitored performance of the network during said scan interval is an estimate based on data collected prior to said scan interval in said collecting step and prior forecasts determined in said forecasting step .

US5799154A
CLAIM 8
. The method as recited in claim 5 , wherein the telecommunications network includes one or more cells and said collecting step comprises the steps of : polling the one or more cells for said data ;
creating a data structure for each cell ;
transmitting said data to a central location (network client, data management component) in response to said polling ;
and for each data structure , storing said data polled from each cell .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5799154A
CLAIM 5
. A method for remotely monitoring the performance of a telecommunications network , comprising the steps of : collecting , prior to and after a scan interval , performance data functionally related to performance parameters in the network ;
generating a network control model of the performance of the network using said data collected prior to said scan interval ;
and forecasting the performance of the network at a future point in time during said scan interval , using said network (NAD server) control model , whereby a monitored performance of the network during said scan interval is an estimate based on data collected prior to said scan interval in said collecting step and prior forecasts determined in said forecasting step .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (central location) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (central location) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5799154A
CLAIM 8
. The method as recited in claim 5 , wherein the telecommunications network includes one or more cells and said collecting step comprises the steps of : polling the one or more cells for said data ;
creating a data structure for each cell ;
transmitting said data to a central location (network client, data management component) in response to said polling ;
and for each data structure , storing said data polled from each cell .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (setting means, casting step) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5799154A
CLAIM 5
. A method for remotely monitoring the performance of a telecommunications network , comprising the steps of : collecting , prior to and after a scan interval , performance data functionally related to performance parameters in the network ;
generating a network control model of the performance of the network using said data collected prior to said scan interval ;
and forecasting the performance of the network at a future point in time during said scan interval , using said network control model , whereby a monitored performance of the network during said scan interval is an estimate based on data collected prior to said scan interval in said collecting step and prior forecasts determined in said forecasting step (receiving requests) .

US5799154A
CLAIM 18
. The system as recited in claim 17 , wherein said spawning means comprises : first generating means for generating an A-matrix ;
second generating means for generating a B-matrix ;
setting means (receiving requests) for setting a temporary vector equal to AX+BY+C , where X is a vector corresponding to said data , Y is a vector corresponding to previous estimates of the performance of the network , and C is a vector of constants operator actions ;
and updating means for updating a forecast of the performance of the network by adding said temporary vector to a previous estimate of the performance of the network .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5727145A

Filed: 1996-06-26     Issued: 1998-03-10

Mechanism for locating objects in a secure fashion

(Original Assignee) Sun Microsystems Inc     (Current Assignee) Oracle America Inc

Dan M. Nessett, Christian J. Callsen, Ken M. Cavanaugh, III
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5727145A
CLAIM 20
. An object request broker computer program (network protocol programs) embodied in a computer-readable medium for use in brokering a call from a client to a target object on a host computer within a distributed object system , said object request broker computer program being arranged to execute on computer hardware of said distributed object system , the host computer including object servers associated with ports , the object request broker computer program comprising : a computer process embodied in a computer-readable medium arranged to execute on said host computer and adapted to receive the call from the client in response to the client invoking upon an object reference indicative of the target object , the object reference including a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object , a port field identifying a port of the host computer through which the client may communicate with the object server , an object key that uniquely identifies the target object within the object server , a security information field that indicates the first security information to be used for secure communications between the client and the target object , and a security class identifier that specifies the first security information out of a plurality of security informations to be used for secure communications ;
and a transport mechanism embodied in a computer-readable medium and adapted to transport the call from the client to the target object in a secure fashion using a first security information included in the object reference , said transport mechanism being further adapted to transport information from the target object to the client in a secure fashion using the first security information included in the object reference .

US7739302B2
CLAIM 10
. A system for managing access (different computer) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5727145A
CLAIM 5
. A method as recited in claim 1 wherein the object server is located on the host computer and the client is located on a different computer (managing access) .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (following steps, storage device) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (readable program) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit (processing unit) ;
an input/output device coupled to the central processing unit ;
a mass storage device (device interface, storage device) in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US5727145A
CLAIM 23
. A computer program product comprising a computer-usable medium having computer-readable program (storing instructions) code embodied thereon for allowing a client to invoke upon a target object in a secure fashion within a distributed object computing system , the distributed object computing system including clients , object servers , and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object , the computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within the computing system : receiving a call from the client by the ORB daemon process , the call to the ORB daemon process using a constructed object reference , the constructed object reference including an object server identifier , original security information and a security class identifier , the call to the ORB daemon process using a first security mechanism corresponding to the original security information ;
determining that the client is authorized to communicate with the ORB daemon process ;
retrieving security information specific to the object server that corresponds to the security class identifier ;
returning to the client the retrieved object server security information that corresponds to the security class identifier , such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit (processing unit) ;
an input/output device coupled to the central processing unit ;
a mass storage device in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit (processing unit) ;
an input/output device coupled to the central processing unit ;
a mass storage device in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit (processing unit) ;
an input/output device coupled to the central processing unit ;
a mass storage device in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps, storage device) .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit (processing unit) ;
an input/output device coupled to the central processing unit ;
a mass storage device (device interface, storage device) in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US5727145A
CLAIM 23
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for allowing a client to invoke upon a target object in a secure fashion within a distributed object computing system , the distributed object computing system including clients , object servers , and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object , the computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within the computing system : receiving a call from the client by the ORB daemon process , the call to the ORB daemon process using a constructed object reference , the constructed object reference including an object server identifier , original security information and a security class identifier , the call to the ORB daemon process using a first security mechanism corresponding to the original security information ;
determining that the client is authorized to communicate with the ORB daemon process ;
retrieving security information specific to the object server that corresponds to the security class identifier ;
returning to the client the retrieved object server security information that corresponds to the security class identifier , such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference .

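The header-based access decision recited in claims 1, 10, 12 and 22 of US7739302B2, together with the ingress-interface, IP-address and port checks of claims 13, 14 and 16, as an added worked example. This is illustrative code written for this chart; it is not code from the patent, from either prior-art reference, or from any product. The NAD address, the allowed client subnet, the interface name "lan0", the port set, and the reading of "a route of the data packet" as the IPv4 record-route and source-route header options are all assumptions made for the example, and the packets it filters are constructed inline rather than captured.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy for one hypothetical NAD. Every value here is an assumption for this example.
NAD_ADDRESS = ipaddress.ip_address("192.0.2.10")          # the NAD being protected
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]  # clients on the same LAN
AUTHORIZED_INTERFACES = {"lan0"}                           # claim 13: permitted ingress interface
AUTHORIZED_PORTS = {445, 2049}                             # claim 16: ports that expose the device
IPV4_ROUTE_OPTIONS = {7, 131, 137}                         # record route, loose and strict source route


@dataclass
class Verdict:
    allowed: bool
    reason: str


def parse_ipv4(packet: bytes) -> Optional[Tuple]:
    """Pull source/destination address, protocol, TCP destination port and the
    presence of a route option out of a raw IPv4 header. None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    dport = None
    if proto == 6 and len(packet) >= ihl + 4:     # TCP: ports are the first 4 bytes of the segment
        dport = struct.unpack("!HH", packet[ihl:ihl + 4])[1]
    has_route = False                              # walk the options area for route options
    i = 20
    while i < ihl:
        kind = packet[i]
        if kind == 0:                              # end of option list
            break
        if kind == 1:                              # NOP, single byte
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2:      # truncated or bogus option length
            return None
        if kind in IPV4_ROUTE_OPTIONS:
            has_route = True
        i += packet[i + 1]
    return src, dst, proto, dport, has_route


def authorize(packet: bytes, ingress_iface: str) -> Verdict:
    """Decide whether a request packet may reach the NAD. Each check corresponds
    to a header field the claims name; anything that fails a check is denied."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return Verdict(False, "malformed")
    src, dst, proto, dport, has_route = parsed
    if ingress_iface not in AUTHORIZED_INTERFACES:   # claim 13: authorized network interface
        return Verdict(False, "interface")
    if has_route:                                    # route of the packet: refuse source routing
        return Verdict(False, "route")
    if dst != NAD_ADDRESS:                           # destination IP must be this NAD
        return Verdict(False, "destination")
    if not any(src in net for net in ALLOWED_SOURCES):   # claim 14: unauthorized source IP
        return Verdict(False, "source")
    if proto != 6 or dport not in AUTHORIZED_PORTS:  # claim 16: proper port for the device
        return Verdict(False, "port")
    return Verdict(True, "authorized")


def build_ipv4_tcp(src: str, dst: str, dport: int, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header plus TCP SYN as offline test input.
    Checksums are left zero; this is constructed data, not captured traffic."""
    opts = options + b"\x00" * (-len(options) % 4)   # options area is padded to 32-bit words
    ihl = 5 + len(opts) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip_hdr + opts + tcp_syn


# Loose-source-route option (kind 131) naming one hop: length 7, pointer 4, one address.
LSRR_OPTION = bytes([131, 7, 4]) + ipaddress.ip_address("198.51.100.1").packed

if __name__ == "__main__":
    cases = [
        ("lan0", build_ipv4_tcp("192.0.2.20", "192.0.2.10", 445)),           # authorized
        ("wan0", build_ipv4_tcp("192.0.2.20", "192.0.2.10", 445)),           # wrong interface
        ("lan0", build_ipv4_tcp("198.51.100.7", "192.0.2.10", 445)),         # foreign source
        ("lan0", build_ipv4_tcp("192.0.2.20", "192.0.2.10", 23)),            # wrong port
        ("lan0", build_ipv4_tcp("192.0.2.20", "192.0.2.10", 445, LSRR_OPTION)),  # source routed
    ]
    for iface, pkt in cases:
        print(iface, authorize(pkt, iface))
```

The order of the checks is deliberate: the interface and route tests cost nothing and reject the cases a forged source address is most likely to accompany, so they run before the address and port lookups. A decision keyed on header addresses alone trusts a field the sender controls, which is the practical reason to stack the ingress-interface and port conditions on top of it rather than treat the source address as proof of identity.
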
US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps, storage device) comprises a SCSI interface (mass storage) .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit ;
an input/output device coupled to the central processing unit ;
a mass storage device (device interface, storage device) in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US5727145A
CLAIM 23
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for allowing a client to invoke upon a target object in a secure fashion within a distributed object computing system , the distributed object computing system including clients , object servers , and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object , the computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within the computing system : receiving a call from the client by the ORB daemon process , the call to the ORB daemon process using a constructed object reference , the constructed object reference including an object server identifier , original security information and a security class identifier , the call to the ORB daemon process using a first security mechanism corresponding to the original security information ;
determining that the client is authorized to communicate with the ORB daemon process ;
retrieving security information specific to the object server that corresponds to the security class identifier ;
returning to the client the retrieved object server security information that corresponds to the security class identifier , such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps, storage device) , and a video codec .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit ;
an input/output device coupled to the central processing unit ;
a mass storage device (device interface, storage device) in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US5727145A
CLAIM 23
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for allowing a client to invoke upon a target object in a secure fashion within a distributed object computing system , the distributed object computing system including clients , object servers , and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object , the computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within the computing system : receiving a call from the client by the ORB daemon process , the call to the ORB daemon process using a constructed object reference , the constructed object reference including an object server identifier , original security information and a security class identifier , the call to the ORB daemon process using a first security mechanism corresponding to the original security information ;
determining that the client is authorized to communicate with the ORB daemon process ;
retrieving security information specific to the object server that corresponds to the security class identifier ;
returning to the client the retrieved object server security information that corresponds to the security class identifier , such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access (different computer) to the NAD over a device interface (following steps, storage device) if the request is allowed .
US5727145A
CLAIM 5
. A method as recited in claim 1 wherein the object server is located on the host computer and the client is located on a different computer (managing access) .

US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit ;
an input/output device coupled to the central processing unit ;
a mass storage device (device interface, storage device) in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US5727145A
CLAIM 23
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for allowing a client to invoke upon a target object in a secure fashion within a distributed object computing system , the distributed object computing system including clients , object servers , and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object , the computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within the computing system : receiving a call from the client by the ORB daemon process , the call to the ORB daemon process using a constructed object reference , the constructed object reference including an object server identifier , original security information and a security class identifier , the call to the ORB daemon process using a first security mechanism corresponding to the original security information ;
determining that the client is authorized to communicate with the ORB daemon process ;
retrieving security information specific to the object server that corresponds to the security class identifier ;
returning to the client the retrieved object server security information that corresponds to the security class identifier , such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (mass storage) .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit ;
an input/output device coupled to the central processing unit ;
a mass storage (SCSI interface) device in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps, storage device) , and a video codec .
US5727145A
CLAIM 19
. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system , the host computer including object servers associated with ports , the computer apparatus comprising : a processing unit ;
an input/output device coupled to the central processing unit ;
a mass storage device (device interface, storage device) in communication with the central processing unit ;
and a storage device in communication with the central processing unit , the memory device including an object reference data structure having a host field identifying the host computer , a server identifier that identifies an object server of the host computer that includes the target object ;
a port field identifying a port of the host computer through which the client may communicate with the object server ;
an object key that uniquely identifies the target object within the object server ;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object , and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications .

US5727145A
CLAIM 23
. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for allowing a client to invoke upon a target object in a secure fashion within a distributed object computing system , the distributed object computing system including clients , object servers , and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object , the computer program product comprising computer-readable program code for effecting the following steps (device interface, storage device) within the computing system : receiving a call from the client by the ORB daemon process , the call to the ORB daemon process using a constructed object reference , the constructed object reference including an object server identifier , original security information and a security class identifier , the call to the ORB daemon process using a first security mechanism corresponding to the original security information ;
determining that the client is authorized to communicate with the ORB daemon process ;
retrieving security information specific to the object server that corresponds to the security class identifier ;
returning to the client the retrieved object server security information that corresponds to the security class identifier , such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9700471A2

Filed: 1996-06-16     Issued: 1997-01-03

A system for securing the flow of and selectively modifying packets in a computer network

(Original Assignee) Check Point Software Technologies Ltd.     

Gil Shwed, Shlomo Kramer, Nir Zuk, Gil Dogon, Ehud Ben-Reuven
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9700471A2
CLAIM 1
. A method of inspecting and selectively modifying inbound and outbound data packets in a computer network , the inspection and selective modification of said data packets occurring in accordance with a security rule , the method comprising the steps of : generating a definition of each aspect of the computer network inspected by said security rule ;
generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
converting said security rule into a set of packet filter language instructions for controlling an operation of a packet filtering module which inspects and selectively modifies said data packets in accordance with said security rule ;
coupling said packet filter module to said computer network for inspecting and selectively modifying said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said network (NAD server) computer and selectively modify said data packets so accepted .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
WO9700471A2
CLAIM 1
. A method of inspecting and selectively modifying inbound and outbound data packets in a computer network , the inspection and selective modification of said data packets occurring in accordance with a security rule , the method comprising the steps of : generating a definition of each aspect of the computer network inspected by said security rule ;
generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
converting said security rule into a set of packet filter language instructions for controlling an operation of a packet filtering module which inspects and selectively modifies said data packets in accordance with said security rule ;
coupling said packet filter module to said computer network for inspecting and selectively modifying said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said network (NAD server) computer and selectively modify said data packets so accepted .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (storage device) , and a video codec .
WO9700471A2
CLAIM 18
. In a security system for inspecting and selectively modifying inbound and outbound data packets in a computer network , said security system inspecting and selectively modifying said data packets in said computer network in accordance with a security rule , where each aspect of said computer network inspected by said security rule has been previously defined , said security rule being previously defined in terms of said aspects and converted into packet filter language instructions , a method for operating said security system comprising the steps of : providing a packet filter module coupled to said computer network in at least one entity of said computer network to be controlled by said security rule , said packet filter module emulating a virtual packet filtering machine inspecting and selectively modifying said data packets passing into and out of said computer network ;
said packet filter module reading and executing said packet filter language instructions for performing packet filtering operations ;
storing the results obtained in said step of reading and executing said packet filter language instructions in a storage device (storage device) ;
and said packet filter module utilizing said stored results , from previous inspections , for operating said packet filter module to accept or reject the passage of said data packets into and out of said computer network and to selectively modify said data packets so accepted .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (storage device) , and a video codec .
WO9700471A2
CLAIM 18
. In a security system for inspecting and selectively modifying inbound and outbound data packets in a computer network , said security system inspecting and selectively modifying said data packets in said computer network in accordance with a security rule , where each aspect of said computer network inspected by said security rule has been previously defined , said security rule being previously defined in terms of said aspects and converted into packet filter language instructions , a method for operating said security system comprising the steps of : providing a packet filter module coupled to said computer network in at least one entity of said computer network to be controlled by said security rule , said packet filter module emulating a virtual packet filtering machine inspecting and selectively modifying said data packets passing into and out of said computer network ;
said packet filter module reading and executing said packet filter language instructions for performing packet filtering operations ;
storing the results obtained in said step of reading and executing said packet filter language instructions in a storage device (storage device) ;
and said packet filter module utilizing said stored results , from previous inspections , for operating said packet filter module to accept or reject the passage of said data packets into and out of said computer network and to selectively modify said data packets so accepted .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5727129A

Filed: 1996-06-04     Issued: 1998-03-10

Network system for profiling and actively facilitating user activities

(Original Assignee) International Business Machines Corp     (Current Assignee) International Business Machines Corp

Robert Carl Barrett, Daniel Clark Kellem, Paul Philip Maglio
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (given information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5727129A
CLAIM 3
. A system as recited in claim 2 , wherein the means for developing a profile includes computing , for each document , (i) a number of times the document was previously downloaded , (ii) statistics regarding what other information items were downloaded prior to the given information (network destination) item , and (iii) statistics regarding what other information items were downloaded after the given information item .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests (facilitating use) for network access to the NAD from a plurality of network clients having different operating systems .
US5727129A
CLAIM 1
. A communication system for facilitating communication between a user and a network of information resources at respective remote network nodes , the system comprising : a local node having a user interface program thereon , for allowing a user to interface with the network and request a download of information items from the information resources ;
a network interface coupled between the local node and the network ;
a user interface including (i) means for receiving user commends representative of user actions and (ii) means for displaying received network responses of network information for viewing by a user ;
means for recording a sequence of successive user actions and network responses ;
means for developing a profile of user activities based on the user actions and network responses monitored in the step of monitoring ;
and means for actively facilitating user activities (accepting requests) based on the developed profile .

US5727129A
CLAIM 22
. A computer program (network protocol programs) product , for facilitating communication between a user and a network of information resources at respective remote network nodes , for use with a user communication system including : a local node having a user interface program thereon , for allowing a user to interface with the network and request a download of information items from the information resources , a network interface coupled between the local node and the network , and a user interface including (i) means for receiving user commends representative of user actions and (ii) means for displaying received network responses of network information for viewing by a user , the computer program product comprising : a computer-usable medium ;
means , recorded on the medium , for directing the user communication system to record a sequence of successive user actions and network responses ;
means , recorded on the medium , for directing the user communication system to develop a profile of user activities based on the user actions and network responses monitored in the step of monitoring ;
and means , recorded on the medium , for directing the user communication system to actively facilitate user activities based on the developed profile .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface) .
US5727129A
CLAIM 1
. A communication system for facilitating communication between a user and a network of information resources at respective remote network nodes , the system comprising : a local node having a user interface program thereon , for allowing a user to interface with the network and request a download of information items from the information resources ;
a network interface (network interface) coupled between the local node and the network ;
a user interface including (i) means for receiving user commends representative of user actions and (ii) means for displaying received network responses of network information for viewing by a user ;
means for recording a sequence of successive user actions and network responses ;
means for developing a profile of user activities based on the user actions and network responses monitored in the step of monitoring ;
and means for actively facilitating user activities based on the developed profile .

US7739302B2
CLAIM 10
. A system for managing access (facilitating communication) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (given information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5727129A
CLAIM 1
. A communication system for facilitating communication (managing access) between a user and a network of information resources at respective remote network nodes , the system comprising : a local node having a user interface program thereon , for allowing a user to interface with the network and request a download of information items from the information resources ;
a network interface coupled between the local node and the network ;
a user interface including (i) means for receiving user commends representative of user actions and (ii) means for displaying received network responses of network information for viewing by a user ;
means for recording a sequence of successive user actions and network responses ;
means for developing a profile of user activities based on the user actions and network responses monitored in the step of monitoring ;
and means for actively facilitating user activities based on the developed profile .

US5727129A
CLAIM 3
. A system as recited in claim 2 , wherein the means for developing a profile includes computing , for each document , (i) a number of times the document was previously downloaded , (ii) statistics regarding what other information items were downloaded prior to the given information (network destination) item , and (iii) statistics regarding what other information items were downloaded after the given information item .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network interface) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (given information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5727129A
CLAIM 1
. A communication system for facilitating communication between a user and a network of information resources at respective remote network nodes , the system comprising : a local node having a user interface program thereon , for allowing a user to interface with the network and request a download of information items from the information resources ;
a network interface (network interface) coupled between the local node and the network ;
a user interface including (i) means for receiving user commends representative of user actions and (ii) means for displaying received network responses of network information for viewing by a user ;
means for recording a sequence of successive user actions and network responses ;
means for developing a profile of user activities based on the user actions and network responses monitored in the step of monitoring ;
and means for actively facilitating user activities based on the developed profile .

US5727129A
CLAIM 3
. A system as recited in claim 2 , wherein the means for developing a profile includes computing , for each document , (i) a number of times the document was previously downloaded , (ii) statistics regarding what other information items were downloaded prior to the given information (network destination) item , and (iii) statistics regarding what other information items were downloaded after the given information item .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface) .
US5727129A
CLAIM 1
. A communication system for facilitating communication between a user and a network of information resources at respective remote network nodes , the system comprising : a local node having a user interface program thereon , for allowing a user to interface with the network and request a download of information items from the information resources ;
a network interface (network interface) coupled between the local node and the network ;
a user interface including (i) means for receiving user commends representative of user actions and (ii) means for displaying received network responses of network information for viewing by a user ;
means for recording a sequence of successive user actions and network responses ;
means for developing a profile of user activities based on the user actions and network responses monitored in the step of monitoring ;
and means for actively facilitating user activities based on the developed profile .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (given information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5727129A
CLAIM 3
. A system as recited in claim 2 , wherein the means for developing a profile includes computing , for each document , (i) a number of times the document was previously downloaded , (ii) statistics regarding what other information items were downloaded prior to the given information (network destination) item , and (iii) statistics regarding what other information items were downloaded after the given information item .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access (facilitating communication) to the NAD over a device interface if the request is allowed .
US5727129A
CLAIM 1
. A communication system for facilitating communication (managing access) between a user and a network of information resources at respective remote network nodes , the system comprising : a local node having a user interface program thereon , for allowing a user to interface with the network and request a download of information items from the information resources ;
a network interface coupled between the local node and the network ;
a user interface including (i) means for receiving user commends representative of user actions and (ii) means for displaying received network responses of network information for viewing by a user ;
means for recording a sequence of successive user actions and network responses ;
means for developing a profile of user activities based on the user actions and network responses monitored in the step of monitoring ;
and means for actively facilitating user activities based on the developed profile .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9639668A1

Filed: 1996-06-03     Issued: 1996-12-12

Promotional and product on-line help methods via internet

(Original Assignee) Interactive Media Works, L.L.C.     

Adrian Toader
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9639668A1
CLAIM 59
. A method as in claim 52 , wherein said on-line help answers can selectively be provided in a time delay fashion via electronic mail (network destination) .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9639668A1
CLAIM 59
. A method as in claim 52 , wherein said on-line help answers can selectively be provided in a time delay fashion via electronic mail (network destination) .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9639668A1
CLAIM 59
. A method as in claim 52 , wherein said on-line help answers can selectively be provided in a time delay fashion via electronic mail (network destination) .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access (allowing access) to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9639668A1
CLAIM 55
. A method as in claim 52 , and further comprising the step of : a . conducting said customer through a guided tour of the sponsor's Internet domain prior to allowing access (allowing access) to on-line help .

WO9639668A1
CLAIM 59
. A method as in claim 52 , wherein said on-line help answers can selectively be provided in a time delay fashion via electronic mail (network destination) .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5787253A

Filed: 1996-05-28     Issued: 1998-07-28

Apparatus and method of analyzing internet activity

(Original Assignee) AG Group     (Current Assignee) SILKSTREAM Corp

Timothy David McCreery, Mahboud Zabetian
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5787253A
CLAIM 9
. The apparatus of claim 7 , wherein the data management module accesses the addresses for nodes transacting with the selected site , uses a reverse domain name service lookup to obtain information (network destination) about the nodes , and uses the information about the nodes to produce the profile of the selected site .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (transmission control protocol, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5787253A
CLAIM 1
. An apparatus for analyzing internet activity , the apparatus comprising : a packet capturing module , for accessing the packets traversing a network , the packets having source and destination addresses other than an address corresponding to the apparatus , and for filtering the packets to produce raw packet data , wherein the packet capturing module produces the raw packet data by retrieving a predetermined address , comparing the predetermined address to the internet protocol source address (IP addresses) for a current packet , comparing the predetermined address to the internet protocol destination address for the current packet , and retaining the current packet where one of the internet protocol source and destination addresses for the current packet matches the predetermined address ;
a packet analyzing module , in communication with the packet capturing module , for producing decoded packet data and for producing transaction data from the decoded packet data ;
and a data management module , in communication with the packet capturing module and the packet analyzing module , for analyzing at least one of the raw packet data , the decoded packet data and the transaction data to provide an indication of internet usage .

US5787253A
CLAIM 2
. An apparatus for analyzing internet activity , the apparatus comprising : a packet capturing module , for accessing the packets traversing a network , the packets having source and destination addresses other than an address corresponding to the apparatus , and for filtering the packets to produce raw packet data , wherein the packet capturing module produces the raw packet data by retrieving a predetermined port address , comparing the predetermined port address to the transmission control protocol (IP addresses) source port address for a current packet , comparing the predetermined port address to the transmission control protocol destination port address for the current packet , and retaining the current packet where one of the transmission control protocol source and destination port addresses for the current packet matches the predetermined port address ;
a packet analyzing module , in communication with the packet capturing module , for producing decoded packet data and for producing transaction data from the decoded packet data ;
and a data management module , in communication with the packet capturing module and the packet analyzing module , for analyzing at least one of the raw packet data , the decoded packet data and the transaction data to provide an indication of internet usage .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5787253A
CLAIM 9
. The apparatus of claim 7 , wherein the data management module accesses the addresses for nodes transacting with the selected site , uses a reverse domain name service lookup to obtain information (network destination) about the nodes , and uses the information about the nodes to produce the profile of the selected site .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5787253A
CLAIM 9
. The apparatus of claim 7 , wherein the data management module accesses the addresses for nodes transacting with the selected site , uses a reverse domain name service lookup to obtain information (network destination) about the nodes , and uses the information about the nodes to produce the profile of the selected site .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5787253A
CLAIM 9
. The apparatus of claim 7 , wherein the data management module accesses the addresses for nodes transacting with the selected site , uses a reverse domain name service lookup to obtain information (network destination) about the nodes , and uses the information about the nodes to produce the profile of the selected site .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
EP0743777A2

Filed: 1996-05-15     Issued: 1996-11-20

System for packet filtering of data packets at a computer network interface

(Original Assignee) Sun Microsystems Inc     (Current Assignee) Sun Microsystems Inc

Geoffrey G. Baehr, William Danielson, Thomas L. Lyon, Geoffrey Mulligan, Martin Patterson, Glenn C. Scott, Carolyn Turbyfill
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (one action) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (network interface, third network) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (network interface, third network) , an IP address of a network destination (network interface, third network) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
EP0743777A2
CLAIM 1
A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system , including the steps of : (1) receiving a first said packet directed from the first network to the second network as a current packet ;
(2) determining from contents of the current packet whether the current packet is of a predetermined type for being allowed to pass to the second network ;
(3) if the determination of step 2 is positive , then determining a destination address within the second network as specified by the current packet , and passing the current packet to an ersatz address substituting for said destination address , the ersatz address residing in the proxy system ;
(4) determining whether at least one action (network client, network protocol programs) requested by the current packet is of a type predetermined to be allowed , and if not then rejecting the current packet and proceeding to step 6 , and if so then proceeding to step 5 ;
(5) taking the action specified by the current packet in at least one of the screening system and the proxy system ;
(6) determining whether another packet has arrived at the screening system , and if so then receiving that packet as the current packet and proceeding to step 1 , and if not then ending the method .

EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network , the screening system including a processor , a memory coupled to the processor and storing instruction modules executable by the processor , a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network , the protection system including : a first said module configured for receiving at least one data packet directed from the first network to the second network , the data packet including a source address identifying the first network and a destination address identifying the second network ;
a second said module configured for inspecting the packet based upon a predetermined criterion ;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered , if the predetermined criterion is met ;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network , if the predetermined criterion is not met .

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network , including : a screening system coupled between the first computer network and a second computer network , the screening system including a processor , a first network interface coupling the screening system to the first network , and a second network interface coupling the screening system to the second network ;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network ;
the screening system further including a memory coupled to the processor , the memory storing instruction modules executable by the processor , the modules including : a first said module for receiving a data packet via said first network interface , the data packet including a destination address including said domain ;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (one action) for accepting requests for network access (network interface, third network) to the NAD from a plurality of network clients (network interface, third network) having different operating systems .
EP0743777A2
CLAIM 1
A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system , including the steps of : (1) receiving a first said packet directed from the first network to the second network as a current packet ;
(2) determining from contents of the current packet whether the current packet is of a predetermined type for being allowed to pass to the second network ;
(3) if the determination of step 2 is positive , then determining a destination address within the second network as specified by the current packet , and passing the current packet to an ersatz address substituting for said destination address , the ersatz address residing in the proxy system ;
(4) determining whether at least one action (network client, network protocol programs) requested by the current packet is of a type predetermined to be allowed , and if not then rejecting the current packet and proceeding to step 6 , and if so then proceeding to step 5 ;
(5) taking the action specified by the current packet in at least one of the screening system and the proxy system ;
(6) determining whether another packet has arrived at the screening system , and if so then receiving that packet as the current packet and proceeding to step 1 , and if not then ending the method .

EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network , the screening system including a processor , a memory coupled to the processor and storing instruction modules executable by the processor , a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network , the protection system including : a first said module configured for receiving at least one data packet directed from the first network to the second network , the data packet including a source address identifying the first network and a destination address identifying the second network ;
a second said module configured for inspecting the packet based upon a predetermined criterion ;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered , if the predetermined criterion is met ;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network , if the predetermined criterion is not met .

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network , including : a screening system coupled between the first computer network and a second computer network , the screening system including a processor , a first network interface coupling the screening system to the first network , and a second network interface coupling the screening system to the second network ;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network ;
the screening system further including a memory coupled to the processor , the memory storing instruction modules executable by the processor , the modules including : a first said module for receiving a data packet via said first network interface , the data packet including a destination address including said domain ;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (network interface, third network) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source (network interface, third network) , destination , and route of the data packet .
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network , the screening system including a processor , a memory coupled to the processor and storing instruction modules executable by the processor , a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network , the protection system including : a first said module configured for receiving at least one data packet directed from the first network to the second network , the data packet including a source address identifying the first network and a destination address identifying the second network ;
a second said module configured for inspecting the packet based upon a predetermined criterion ;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered , if the predetermined criterion is met ;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network , if the predetermined criterion is not met .

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network , including : a screening system coupled between the first computer network and a second computer network , the screening system including a processor , a first network interface coupling the screening system to the first network , and a second network interface coupling the screening system to the second network ;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network ;
the screening system further including a memory coupled to the processor , the memory storing instruction modules executable by the processor , the modules including : a first said module for receiving a data packet via said first network interface , the data packet including a destination address including said domain ;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (one action) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (network interface, third network) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (network address, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (network interface, third network) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
EP0743777A2
CLAIM 1
A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system , including the steps of : (1) receiving a first said packet directed from the first network to the second network as a current packet ;
(2) determining from contents of the current packet whether the current packet is of a predetermined type for being allowed to pass to the second network ;
(3) if the determination of step 2 is positive , then determining a destination address within the second network as specified by the current packet , and passing the current packet to an ersatz address substituting for said destination address , the ersatz address residing in the proxy system ;
(4) determining whether at least one action (network client, network protocol programs) requested by the current packet is of a type predetermined to be allowed , and if not then rejecting the current packet and proceeding to step 6 , and if so then proceeding to step 5 ;
(5) taking the action specified by the current packet in at least one of the screening system and the proxy system ;
(6) determining whether another packet has arrived at the screening system , and if so then receiving that packet as the current packet and proceeding to step 1 , and if not then ending the method .

EP0743777A2
CLAIM 3
The method of claim 1 , wherein the determination of step 4 is based upon at least one of the current packet's source address (IP addresses) , destination address , source port , destination port , requested action and state of connection .

EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network , the screening system including a processor , a memory coupled to the processor and storing instruction modules executable by the processor , a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network , the protection system including : a first said module configured for receiving at least one data packet directed from the first network to the second network , the data packet including a source address identifying the first network and a destination address identifying the second network ;
a second said module configured for inspecting the packet based upon a predetermined criterion ;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered , if the predetermined criterion is met ;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network , if the predetermined criterion is not met .

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network , including : a screening system coupled between the first computer network and a second computer network , the screening system including a processor , a first network interface coupling the screening system to the first network , and a second network interface coupling the screening system to the second network ;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address (IP addresses) with a domain in common with the first computer network ;
the screening system further including a memory coupled to the processor , the memory storing instruction modules executable by the processor , the modules including : a first said module for receiving a data packet via said first network interface , the data packet including a destination address including said domain ;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host .

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface, third network).
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (network interface, third network) to the NAD.
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (network interface, third network) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (network interface, third network), an IP address of a network destination (network interface, third network), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (network interface, third network) to the NAD is only available through the server.
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface (network interface, third network) coupled to the processing unit and to a network;

an attached device interface (said module) coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions (said memory) that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (network interface, third network) includes at least one of an IP address of a network source (network interface, third network), an IP address of a network destination (network interface, third network), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
EP0743777A2
CLAIM 4
A screening system connected to a first computer network and a second computer network for screening data packets transmitted between the first and second networks, including: a processor;
a memory coupled to the processor;
input and output circuits for transmitting and receiving data packets to and from, respectively, said first and second networks;
and program instructions stored in said memory (storing instructions) for controlling flow of data packets between the first and second networks, including: a first program module for determining whether a first data packet transmitted from the first network to the second network meets predetermined criteria;
a second program module for passing the first data packet to the second network if the predetermined criteria are met; a third program module for preventing passage of the first data packet to the second network, if the predetermined criteria are not met.

EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module (device interface) configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface, third network).
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 16
The apparatus of claim 12, wherein the instructions, when executed, cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (said module).
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module (device interface) configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

US7739302B2
CLAIM 18
The apparatus of claim 12, wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (network interface, third network).
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 19
The apparatus of claim 18 wherein one of the plurality of network protocols (network interface, third network) is TCP/IP.
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 20
The apparatus of claim 12 wherein the directly attached device interface (said module) comprises a SCSI interface.
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module (device interface) configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (network interface, third network), an IP address of a network destination (network interface, third network), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (network interface, third network) and other devices in a manner that is in addition to any protection afforded by a firewall.
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including: a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;
a second said module configured for inspecting the packet based upon a predetermined criterion;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network, including: a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;
the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including: a first said module for receiving a data packet via said first network interface, the data packet including a destination address including said domain;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

US7739302B2
CLAIM 23
The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (said module) if the request is allowed .
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network , the screening system including a processor , a memory coupled to the processor and storing instruction modules executable by the processor , a first network interface coupling the screening system to the first network and a second network interface coupling the screening system to the second network , the protection system including : a first said module (device interface) configured for receiving at least one data packet directed from the first network to the second network , the data packet including a source address identifying the first network and a destination address identifying the second network ;
a second said module configured for inspecting the packet based upon a predetermined criterion ;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered , if the predetermined criterion is met ;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network , if the predetermined criterion is not met .

US7739302B2
CLAIM 28
The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer of a network stack (network interface, third network) .
EP0743777A2
CLAIM 14
A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network , the screening system including a processor , a memory coupled to the processor and storing instruction modules executable by the processor , a first network interface (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) coupling the screening system to the first network and a second network interface coupling the screening system to the second network , the protection system including : a first said module configured for receiving at least one data packet directed from the first network to the second network , the data packet including a source address identifying the first network and a destination address identifying the second network ;
a second said module configured for inspecting the packet based upon a predetermined criterion ;
a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered , if the predetermined criterion is met ;
a third said module configured for discarding the packet while preventing any response by the screening system to the first network , if the predetermined criterion is not met .

EP0743777A2
CLAIM 15
A system for inhibiting targeting of a first computer network , including : a screening system coupled between the first computer network and a second computer network , the screening system including a processor , a first network interface coupling the screening system to the first network , and a second network interface coupling the screening system to the second network ;
and a proxy network coupled to the screening system via a third network (network interface, network access, network source, network destination, network clients, network protocols, network stack, providing network access) interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network ;
the screening system further including a memory coupled to the processor , the memory storing instruction modules executable by the processor , the modules including : a first said module for receiving a data packet via said first network interface , the data packet including a destination address including said domain ;
and a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9635994A1

Filed: 1996-05-08     Issued: 1996-11-14

Rules based electronic message management system

(Original Assignee) Compuserve Incorporated     

Michael S. Finney, Michael L. Snider, Randall S. Wright, James W. Paynter, Robin R. Bard
US7739302B2
CLAIM 1
A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said transmission) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9635994A1
CLAIM 10
A method for managing electronic messages , said method comprising the steps of : providing a first device capable of sending an electronic message ;
providing a second device capable of receiving said electronic message ;
providing a computer network capable of accepting an electronic message directly or indirectly from said first device and capable of sending said electronic message to said second device or a computer network linked to said second device ;
defining a set of rules for accepting electronic messages at said second device ;
applying said set of rules to said electronic message at substantially the point of arrival of said electronic message at said computer network , said application of rules being performed by a distributor that is part of said computer network ;
transmitting to said second device said electronic message that conforms to said set of rules , said transmission (data packet) of said electronic message being performed by said computer network .

US7739302B2
CLAIM 2
The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests (information service) for network access to the NAD from a plurality of network clients having different operating systems .
WO9635994A1
CLAIM 4
The system of claim 1 , wherein said distributor is part of an online information service (accepting requests) wide area network .

US7739302B2
CLAIM 4
The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said transmission) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
WO9635994A1
CLAIM 10
A method for managing electronic messages , said method comprising the steps of : providing a first device capable of sending an electronic message ;
providing a second device capable of receiving said electronic message ;
providing a computer network capable of accepting an electronic message directly or indirectly from said first device and capable of sending said electronic message to said second device or a computer network linked to said second device ;
defining a set of rules for accepting electronic messages at said second device ;
applying said set of rules to said electronic message at substantially the point of arrival of said electronic message at said computer network , said application of rules being performed by a distributor that is part of said computer network ;
transmitting to said second device said electronic message that conforms to said set of rules , said transmission (data packet) of said electronic message being performed by said computer network .

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (line information) with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said transmission) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9635994A1
CLAIM 4
The system of claim 1 , wherein said distributor is part of an online information (electronic communication) service wide area network .

WO9635994A1
CLAIM 10
A method for managing electronic messages , said method comprising the steps of : providing a first device capable of sending an electronic message ;
providing a second device capable of receiving said electronic message ;
providing a computer network capable of accepting an electronic message directly or indirectly from said first device and capable of sending said electronic message to said second device or a computer network linked to said second device ;
defining a set of rules for accepting electronic messages at said second device ;
applying said set of rules to said electronic message at substantially the point of arrival of said electronic message at said computer network , said application of rules being performed by a distributor that is part of said computer network ;
transmitting to said second device said electronic message that conforms to said set of rules , said transmission (data packet) of said electronic message being performed by said computer network .

US7739302B2
CLAIM 6
The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said transmission) arrived via an authorized network interface .
WO9635994A1
CLAIM 10
A method for managing electronic messages , said method comprising the steps of : providing a first device capable of sending an electronic message ;
providing a second device capable of receiving said electronic message ;
providing a computer network capable of accepting an electronic message directly or indirectly from said first device and capable of sending said electronic message to said second device or a computer network linked to said second device ;
defining a set of rules for accepting electronic messages at said second device ;
applying said set of rules to said electronic message at substantially the point of arrival of said electronic message at said computer network , said application of rules being performed by a distributor that is part of said computer network ;
transmitting to said second device said electronic message that conforms to said set of rules , said transmission (data packet) of said electronic message being performed by said computer network .

US7739302B2
CLAIM 9
The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said transmission) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
WO9635994A1
CLAIM 10
A method for managing electronic messages , said method comprising the steps of : providing a first device capable of sending an electronic message ;
providing a second device capable of receiving said electronic message ;
providing a computer network capable of accepting an electronic message directly or indirectly from said first device and capable of sending said electronic message to said second device or a computer network linked to said second device ;
defining a set of rules for accepting electronic messages at said second device ;
applying said set of rules to said electronic message at substantially the point of arrival of said electronic message at said computer network , said application of rules being performed by a distributor that is part of said computer network ;
transmitting to said second device said electronic message that conforms to said set of rules , said transmission (data packet) of said electronic message being performed by said computer network .

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said transmission) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9635994A1
CLAIM 10
A method for managing electronic messages , said method comprising the steps of : providing a first device capable of sending an electronic message ;
providing a second device capable of receiving said electronic message ;
providing a computer network capable of accepting an electronic message directly or indirectly from said first device and capable of sending said electronic message to said second device or a computer network linked to said second device ;
defining a set of rules for accepting electronic messages at said second device ;
applying said set of rules to said electronic message at substantially the point of arrival of said electronic message at said computer network , said application of rules being performed by a distributor that is part of said computer network ;
transmitting to said second device said electronic message that conforms to said set of rules , said transmission (data packet) of said electronic message being performed by said computer network .

US7739302B2
CLAIM 12
An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said transmission) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9635994A1
CLAIM 10
A method for managing electronic messages , said method comprising the steps of : providing a first device capable of sending an electronic message ;
providing a second device capable of receiving said electronic message ;
providing a computer network capable of accepting an electronic message directly or indirectly from said first device and capable of sending said electronic message to said second device or a computer network linked to said second device ;
defining a set of rules for accepting electronic messages at said second device ;
applying said set of rules to said electronic message at substantially the point of arrival of said electronic message at said computer network , said application of rules being performed by a distributor that is part of said computer network ;
transmitting to said second device said electronic message that conforms to said set of rules , said transmission (data packet) of said electronic message being performed by said computer network .

WO9635994A1
CLAIM 15
An electronic messaging system comprising : a first device for sending an electronic message ;
a second device for receiving an electronic message ;
a computer network for accepting electronic messages directly or indirectly from said first device and for sending electronic messages to said second device or a computer network linked to said second device ;
a set of rules defining which electronic messages should be sent to said second device ;
a memory unit for storing said rules ;
a distributor that is part of said computer network for retrieving said rules from said memory (storing instructions) unit , interpreting and applying said rules to said electronic message from said first device and for transmitting through said computer network to said second device or a computer network linked to said second device said electronic messages in conformance with said rules .

US7739302B2
CLAIM 22
An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (said transmission) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9635994A1
CLAIM 10
A method for managing electronic messages , said method comprising the steps of : providing a first device capable of sending an electronic message ;
providing a second device capable of receiving said electronic message ;
providing a computer network capable of accepting an electronic message directly or indirectly from said first device and capable of sending said electronic message to said second device or a computer network linked to said second device ;
defining a set of rules for accepting electronic messages at said second device ;
applying said set of rules to said electronic message at substantially the point of arrival of said electronic message at said computer network , said application of rules being performed by a distributor that is part of said computer network ;
transmitting to said second device said electronic message that conforms to said set of rules , said transmission (data packet) of said electronic message being performed by said computer network .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5787412A

Filed: 1996-04-17     Issued: 1998-07-28

Object oriented data access and analysis system

(Original Assignee) Sabre Group Inc     (Current Assignee) PAICINES PINNACLES LLC

Robert M. Bosch, Marshall P. Reeder
US7739302B2
CLAIM 1
A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5787412A
CLAIM 1
A system for accessing and analyzing data through a central processing unit , said system comprising : a non modal user interface for providing a user access to the system ;
a plurality of application analysis objects for creating an analysis network , said analysis network comprising a plurality of user interactively selected nodes and connections wherein the nodes and connections determine the analysis of a selected database , said application analysis objects having means for automatically generating the required analysis paths without user interaction responsive to the connection of selected analysis objects in the created analysis network and including decision model analysis means for analyzing said data analysis network in response to said decision model and for generating a new analysis network path in response to the requirement of said decision model ;
a metadata management facility for providing data structure and location information (network destination) to said application analysis objects ;
a plurality of application graphics objects for interactively manipulating the plurality of analysis objects through the non-modal user interface to create said analysis network ;
and a plurality of application data access objects for allowing application object to access required databases and for generating Structured Query Language in response to the analysis network .

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5787412A
CLAIM 1
A system for accessing and analyzing data through a central processing unit , said system comprising : a non modal user interface for providing a user access to the system ;
a plurality of application analysis objects for creating an analysis network , said analysis network comprising a plurality of user interactively selected nodes and connections wherein the nodes and connections determine the analysis of a selected database , said application analysis objects having means for automatically generating the required analysis paths without user interaction responsive to the connection of selected analysis objects in the created analysis network and including decision model analysis means for analyzing said data analysis network in response to said decision model and for generating a new analysis network path in response to the requirement of said decision model ;
a metadata management facility for providing data structure and location information (network destination) to said application analysis objects ;
a plurality of application graphics objects for interactively manipulating the plurality of analysis objects through the non-modal user interface to create said analysis network ;
and a plurality of application data access objects for allowing application object to access required databases and for generating Structured Query Language in response to the analysis network .

US7739302B2
CLAIM 12
An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5787412A
CLAIM 1
A system for accessing and analyzing data through a central processing unit (processing unit) , said system comprising : a non modal user interface for providing a user access to the system ;
a plurality of application analysis objects for creating an analysis network , said analysis network comprising a plurality of user interactively selected nodes and connections wherein the nodes and connections determine the analysis of a selected database , said application analysis objects having means for automatically generating the required analysis paths without user interaction responsive to the connection of selected analysis objects in the created analysis network and including decision model analysis means for analyzing said data analysis network in response to said decision model and for generating a new analysis network path in response to the requirement of said decision model ;
a metadata management facility for providing data structure and location information (network destination) to said application analysis objects ;
a plurality of application graphics objects for interactively manipulating the plurality of analysis objects through the non-modal user interface to create said analysis network ;
and a plurality of application data access objects for allowing application object to access required databases and for generating Structured Query Language in response to the analysis network .

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
US5787412A
CLAIM 1
A system for accessing and analyzing data through a central processing unit (processing unit) , said system comprising : a non modal user interface for providing a user access to the system ;
a plurality of application analysis objects for creating an analysis network , said analysis network comprising a plurality of user interactively selected nodes and connections wherein the nodes and connections determine the analysis of a selected database , said application analysis objects having means for automatically generating the required analysis paths without user interaction responsive to the connection of selected analysis objects in the created analysis network and including decision model analysis means for analyzing said data analysis network in response to said decision model and for generating a new analysis network path in response to the requirement of said decision model ;
a metadata management facility for providing data structure and location information to said application analysis objects ;
a plurality of application graphics objects for interactively manipulating the plurality of analysis objects through the non-modal user interface to create said analysis network ;
and a plurality of application data access objects for allowing application object to access required databases and for generating Structured Query Language in response to the analysis network .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
US5787412A
CLAIM 1
. A system for accessing and analyzing data through a central processing unit (processing unit) , said system comprising : a non modal user interface for providing a user access to the system ;
a plurality of application analysis objects for creating an analysis network , said analysis network comprising a plurality of user interactively selected nodes and connections wherein the nodes and connections determine the analysis of a selected database , said application analysis objects having means for automatically generating the required analysis paths without user interaction responsive to the connection of selected analysis objects in the created analysis network and including decision model analysis means for analyzing said data analysis network in response to said decision model and for generating a new analysis network path in response to the requirement of said decision model ;
a metadata management facility for providing data structure and location information to said application analysis objects ;
a plurality of application graphics objects for interactively manipulating the plurality of analysis objects through the non-modal user interface to create said analysis network ;
and a plurality of application data access objects for allowing application object to access required databases and for generating Structured Query Language in response to the analysis network .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing device (network path) , the selectively generated packet containing the request for access to the directly attached device .
US5787412A
CLAIM 1
. A system for accessing and analyzing data through a central processing unit (processing unit) , said system comprising : a non modal user interface for providing a user access to the system ;
a plurality of application analysis objects for creating an analysis network , said analysis network comprising a plurality of user interactively selected nodes and connections wherein the nodes and connections determine the analysis of a selected database , said application analysis objects having means for automatically generating the required analysis paths without user interaction responsive to the connection of selected analysis objects in the created analysis network and including decision model analysis means for analyzing said data analysis network in response to said decision model and for generating a new analysis network path (intermediary computing device) in response to the requirement of said decision model ;
a metadata management facility for providing data structure and location information to said application analysis objects ;
a plurality of application graphics objects for interactively manipulating the plurality of analysis objects through the non-modal user interface to create said analysis network ;
and a plurality of application data access objects for allowing application object to access required databases and for generating Structured Query Language in response to the analysis network .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US5787412A
CLAIM 1
. A system for accessing and analyzing data through a central processing unit (processing unit) , said system comprising : a non modal user interface for providing a user access to the system ;
a plurality of application analysis objects for creating an analysis network , said analysis network comprising a plurality of user interactively selected nodes and connections wherein the nodes and connections determine the analysis of a selected database , said application analysis objects having means for automatically generating the required analysis paths without user interaction responsive to the connection of selected analysis objects in the created analysis network and including decision model analysis means for analyzing said data analysis network in response to said decision model and for generating a new analysis network path in response to the requirement of said decision model ;
a metadata management facility for providing data structure and location information to said application analysis objects ;
a plurality of application graphics objects for interactively manipulating the plurality of analysis objects through the non-modal user interface to create said analysis network ;
and a plurality of application data access objects for allowing application object to access required databases and for generating Structured Query Language in response to the analysis network .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5787412A
CLAIM 1
. A system for accessing and analyzing data through a central processing unit , said system comprising : a non modal user interface for providing a user access to the system ;
a plurality of application analysis objects for creating an analysis network , said analysis network comprising a plurality of user interactively selected nodes and connections wherein the nodes and connections determine the analysis of a selected database , said application analysis objects having means for automatically generating the required analysis paths without user interaction responsive to the connection of selected analysis objects in the created analysis network and including decision model analysis means for analyzing said data analysis network in response to said decision model and for generating a new analysis network path in response to the requirement of said decision model ;
a metadata management facility for providing data structure and location information (network destination) to said application analysis objects ;
a plurality of application graphics objects for interactively manipulating the plurality of analysis objects through the non-modal user interface to create said analysis network ;
and a plurality of application data access objects for allowing application object to access required databases and for generating Structured Query Language in response to the analysis network .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5754830A

Filed: 1996-04-01     Issued: 1998-05-19

Server and web browser terminal emulator for persistent connection to a legacy host system and method of operation

(Original Assignee) Openconnect Systems Inc     (Current Assignee) Openconnect Systems Inc

Thomas H. Butts, Stuart H. Burris, Jr., Stephen J. Clark, Eric P. Armstrong, Daniel B. Kuhn, Stanley M. Ratliff, Mohammad K. Sharif, Gene E. Toye
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (socket connection) with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5754830A
CLAIM 5
. The server of claim 4 , wherein the first and second persistent connections are persistent TCP/IP socket connections (electronic communication) .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (communication protocol) .
US5754830A
CLAIM 2
. The server of claim 1 , wherein the client thread and the applet process are operable to communicate using a data flow based upon a specified communication protocol (network protocols) .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (communication protocol) is TCP/IP .
US5754830A
CLAIM 2
. The server of claim 1 , wherein the client thread and the applet process are operable to communicate using a data flow based upon a specified communication protocol (network protocols) .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5706502A

Filed: 1996-03-25     Issued: 1998-01-06

Internet-enabled portfolio manager system and method

(Original Assignee) Sun Microsystems Inc     (Current Assignee) Oracle America Inc

Jill Paula Foley, Karen Lynn Sielski
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5706502A
CLAIM 1
. A portfolio management system for portfolios of software projects that are distributed over a set of networked computers connected to the Internet , said portfolio management system being resident on a first computer of said set of networked computers and comprising : a set of portfolio files , each of a subset of said set of portfolio files representing one portfolio and including respective references to members of a set of project files , said references being selected from a file name when said project file member is local to said first computer or a URL when said project file member is remote from said first computer ;
each member of said set of project files respectively specifying project attributes of one member of a set of projects , said set of projects being the projects associated said one portfolio ;
a portfolio manager including a set of user-selectable portfolio methods that are configured to process said portfolios based on information (network destination) in said portfolio files ;
and a Web browser that is configured to download to said portfolio manager system selected remote portfolio files from the Internet as said selected portfolio files are needed by said portfolio methods to process said portfolios .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (id attribute) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5706502A
CLAIM 19
. The method of claim 18 , wherein , when said selected option is associated with said project create method , said step of executing said associated method comprises : displaying a project create menu on which said user enters attributes of a new project , said attributes (network protocol programs) including a project type name and location , said project type being selected from a predefined set of values including applet and at least one of standalone program , Java package , image file and remote applet ;
writing said attributes to a new project file having a project file name and location that are derived from said project name and location ;
when said project type is selected from said applet , standalone program or Java package values : enabling said user to enter source code links to source code files associated with said new project ;
and writing said source code links to said new project file ;
and writing into a particular portfolio file associated with a particular portfolio of which said project is a component , said project name and project location so that said project can be accessed via said particular portfolio by said portfolio and project methods .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (said subset, said memory) .
US5706502A
CLAIM 10
. The system of claim 9 , further comprising : a project menu including a set of selectable options , each of a subset of said set of selectable options corresponding to one of said subset (network interface, storing instructions) of said project methods .

US5706502A
CLAIM 28
. The computer-readable memory of claim 27 , further comprising : a project manager including a set of user-selectable project methods that are configured to process said projects based on said project attributes in project files respectively associated with said projects ;
said browser being further configured to download to said memory (network interface, storing instructions) selected remote project files from the Internet as said selected remote project files are needed by said portfolio methods and said project methods to process said projects ;
and said user interface being further configured to enable user interaction with said project methods so that the user can determine and manipulate displayed projects using said project methods .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5706502A
CLAIM 1
. A portfolio management system for portfolios of software projects that are distributed over a set of networked computers connected to the Internet , said portfolio management system being resident on a first computer of said set of networked computers and comprising : a set of portfolio files , each of a subset of said set of portfolio files representing one portfolio and including respective references to members of a set of project files , said references being selected from a file name when said project file member is local to said first computer or a URL when said project file member is remote from said first computer ;
each member of said set of project files respectively specifying project attributes of one member of a set of projects , said set of projects being the projects associated said one portfolio ;
a portfolio manager including a set of user-selectable portfolio methods that are configured to process said portfolios based on information (network destination) in said portfolio files ;
and a Web browser that is configured to download to said portfolio manager system selected remote portfolio files from the Internet as said selected portfolio files are needed by said portfolio methods to process said portfolios .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (said subset, said memory) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said subset, said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5706502A
CLAIM 1
. A portfolio management system for portfolios of software projects that are distributed over a set of networked computers connected to the Internet , said portfolio management system being resident on a first computer of said set of networked computers and comprising : a set of portfolio files , each of a subset of said set of portfolio files representing one portfolio and including respective references to members of a set of project files , said references being selected from a file name when said project file member is local to said first computer or a URL when said project file member is remote from said first computer ;
each member of said set of project files respectively specifying project attributes of one member of a set of projects , said set of projects being the projects associated said one portfolio ;
a portfolio manager including a set of user-selectable portfolio methods that are configured to process said portfolios based on information (network destination) in said portfolio files ;
and a Web browser that is configured to download to said portfolio manager system selected remote portfolio files from the Internet as said selected portfolio files are needed by said portfolio methods to process said portfolios .

US5706502A
CLAIM 10
. The system of claim 9 , further comprising : a project menu including a set of selectable options , each of a subset of said set of selectable options corresponding to one of said subset (network interface, storing instructions) of said project methods .

US5706502A
CLAIM 28
. The computer-readable memory of claim 27 , further comprising : a project manager including a set of user-selectable project methods that are configured to process said projects based on said project attributes in project files respectively associated with said projects ;
said browser being further configured to download to said memory (network interface, storing instructions) selected remote project files from the Internet as said selected remote project files are needed by said portfolio methods and said project methods to process said projects ;
and said user interface being further configured to enable user interaction with said project methods so that the user can determine and manipulate displayed projects using said project methods .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (said subset, said memory) .
US5706502A
CLAIM 10
. The system of claim 9 , further comprising : a project menu including a set of selectable options , each of a subset of said set of selectable options corresponding to one of said subset (network interface, storing instructions) of said project methods .

US5706502A
CLAIM 28
. The computer-readable memory of claim 27 , further comprising : a project manager including a set of user-selectable project methods that are configured to process said projects based on said project attributes in project files respectively associated with said projects ;
said browser being further configured to download to said memory (network interface, storing instructions) selected remote project files from the Internet as said selected remote project files are needed by said portfolio methods and said project methods to process said projects ;
and said user interface being further configured to enable user interaction with said project methods so that the user can determine and manipulate displayed projects using said project methods .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto (software entity) , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5706502A
CLAIM 1
. A portfolio management system for portfolios of software projects that are distributed over a set of networked computers connected to the Internet , said portfolio management system being resident on a first computer of said set of networked computers and comprising : a set of portfolio files , each of a subset of said set of portfolio files representing one portfolio and including respective references to members of a set of project files , said references being selected from a file name when said project file member is local to said first computer or a URL when said project file member is remote from said first computer ;
each member of said set of project files respectively specifying project attributes of one member of a set of projects , said set of projects being the projects associated said one portfolio ;
a portfolio manager including a set of user-selectable portfolio methods that are configured to process said portfolios based on information (network destination) in said portfolio files ;
and a Web browser that is configured to download to said portfolio manager system selected remote portfolio files from the Internet as said selected portfolio files are needed by said portfolio methods to process said portfolios .

US5706502A
CLAIM 12
. A method for use in a local computer connected via the Internet with a set of remote computers , said method enabling a user of said first computer to perform software development operations on software portfolios that are collections of projects , said method comprising the steps of : displaying a set of software development icons , including a portfolio manager icon and a project manager icon ;
enabling said user to select one of said icons ;
executing a software development object corresponding to the selected software development icon , said portfolio manager and project manager icons being respectively associated with a portfolio manager software development object and a project manager software development object ;
displaying a set of options associated with said executing software development object that correspond to said executing object's associated software development methods ;
enabling said user to select one of said set of options associated with said executing software development object and to specify as said object's input a software entity (external thereto) selected from a portfolio or a project ;
said software entity not being constrained to be located solely on said local computer , and executing said selected option's associated method on said selected software entity .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5673322A

Filed: 1996-03-22     Issued: 1997-09-30

System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks

(Original Assignee) Telcordia Technologies Inc     (Current Assignee) Rakuten Inc

David Mathew Pepe, Lisa B. Blitzer, James Joseph Brockman, William Cruz, Dwight Omar Hakim, Richard Reid Hovey, Michael Kramer, Dawn Diane Petr, Josefa Ramaroson, Gerardo Ramirez, Yang-Wei Wang, Robert G. White
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (transmitted data) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5673322A
CLAIM 5
. The method according to claim 4 , further comprising the steps of : converting said data object into a transport protocol ;
transmitting said data object in said transport protocol over said communication path from said remote proxy to said local proxy ;
converting said transport protocol of the transmitted data (network protocol programs) object into an application layer protocol at said local proxy ;
and communicating said data object into said client application using said application layer protocol .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (first location) , and a video codec .
US5673322A
CLAIM 1
. A method for communicating between a host computer with a client application in a first location (storage device) and a server application in a second location over a communication path , said method comprising : placing a local proxy at said first location ;
placing a remote proxy at said second location in communication with said local proxy through said communication path ;
initiating a query on said client application and sending said query to said local proxy using an application layer protocol ;
converting said application layer protocol of said query into a transport protocol ;
transmitting said query in said transport protocol over said communication path from said local proxy to said remote proxy ;
and converting said transport protocol of the transmitted query into an application layer protocol for execution of said query on said server application .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (first location) , and a video codec .
US5673322A
CLAIM 1
. A method for communicating between a host computer with a client application in a first location (storage device) and a server application in a second location over a communication path , said method comprising : placing a local proxy at said first location ;
placing a remote proxy at said second location in communication with said local proxy through said communication path ;
initiating a query on said client application and sending said query to said local proxy using an application layer protocol ;
converting said application layer protocol of said query into a transport protocol ;
transmitting said query in said transport protocol over said communication path from said local proxy to said remote proxy ;
and converting said transport protocol of the transmitted query into an application layer protocol for execution of said query on said server application .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9716911A1

Filed: 1996-03-20     Issued: 1997-05-09

Secured gateway interface

(Original Assignee) International Business Machines Corporation; Ibm United Kingdom Limited     

Robert Cecil Gore, John Frederick Haugh
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (child process) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9716911A1
CLAIM 9
. A method as claimed in claim 8 , further comprising the step of : in response to receiving a call by the script , authenticating by the second daemon the client routine ;
forking by the second daemon , passing the third socket connection to a child process (executable instructions, computer executable instructions) , whereby a parent process listens at the first socket connection for calls from the internal computer system ;
and in response to authenticating the client routine , transmitting by the child process the type of transaction request to a third daemon residing on the internal computer system .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (socket connection) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9716911A1
CLAIM 9
. A method as claimed in claim 8 , further comprising the step of : in response to receiving a call by the script , authenticating by the second daemon the client routine ;
forking by the second daemon , passing the third socket connection (electronic communication) to a child process , whereby a parent process listens at the first socket connection for calls from the internal computer system ;
and in response to authenticating the client routine , transmitting by the child process the type of transaction request to a third daemon residing on the internal computer system .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (readable program) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9716911A1
CLAIM 12
. An article of manufacture , comprising : a computer usable medium having computer readable program (storing instructions) code means embodied therein for causing an internal computer system to allow an external computer system to initiate a transaction request using internal resources without violating a security firewall between the internal computer system and the external computer system , the computer readable program code means in said article of manufacture comprising : computer readable program means for authenticating a connection initiated by the internal computer system between the internal computer system and the external computer system , thereby establishing an authenticated connection ;
computer readable program means for calling by the external computer system a transaction request received by the external computer system ;
in response to calling the transaction request , computer readable program means for creating by the external computer system an original process environment containing process environment variables , and computer readable program means for creating a string comprising the transaction request and the process environment variables for executing the transaction request ;
computer readable program means for transmitting by the external computer system the string to the internal computer system through the authenticated connection ;
computer readable program means for verifying by the internal computer system the transaction request ;
computer readable program means for recreating by the internal computer system the original process environment ;
and computer readable program means for executing by the internal computer system the transaction request , thereby generating an output .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (d log) of a plurality of protocols .
WO9716911A1
CLAIM 4
. A method as claimed in claim 3 wherein the mangling step comprises the steps of : logically ANDing the timestamp with a hexadecimal number 0177 to produce a unique result ;
and logically exclusive ORing (requests comprise one) the unique result with each character of the first password , thereby producing the mangled first password .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5671354A

Filed: 1996-02-23     Issued: 1997-09-23

Method of assisting server access by use of user authentication information held in one of servers and a method of assisting management user account for use of servers

(Original Assignee) Hitachi Ltd; Hitachi Computer Engineering Co Ltd     (Current Assignee) Hitachi Ltd ; Hitachi Computer Engineering Co Ltd

Tsutomu Ito, Toshio Hirosawa, Atsushi Ueoka, Motohide Kokunishi, Tadashi Yamagishi, Kouichi Nakatsu
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (client terminal, said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5671354A
CLAIM 1
. A method of assisting account information management in a network system which has a plurality of servers , and a network for connecting said plurality of servers , the method comprising the steps of : gathering , by a particular one of said servers , server account information from each server for each of plural users who have authorization to access said each server via a client terminal (NAD server, network clients) ;
holding , by said particular server , account information for each of the users , as gathered from said plurality of servers ;
transmitting , by one client terminal connected to said network (NAD server, network clients) , to said one particular server , user authentication information predetermined for one of said users for said particular server and an account display request ;
transmitting , by said particular server to said one client terminal , account information as gathered by said particular server from said plurality of servers for a user to whom said transmitted user authentication information has been assigned ;
and displaying said transmitted account information by said one client terminal .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (client terminal, said network) comprises a plurality of network protocol programs for accepting requests (server request) for network access to the NAD from a plurality of network clients (client terminal, said network) having different operating systems .
US5671354A
CLAIM 1
. A method of assisting account information management in a network system which has a plurality of servers , and a network for connecting said plurality of servers , the method comprising the steps of : gathering , by a particular one of said servers , server account information from each server for each of plural users who have authorization to access said each server via a client terminal (NAD server, network clients) ;
holding , by said particular server , account information for each of the users , as gathered from said plurality of servers ;
transmitting , by one client terminal connected to said network (NAD server, network clients) , to said one particular server , user authentication information predetermined for one of said users for said particular server and an account display request ;
transmitting , by said particular server to said one client terminal , account information as gathered by said particular server from said plurality of servers for a user to whom said transmitted user authentication information has been assigned ;
and displaying said transmitted account information by said one client terminal .

US5671354A
CLAIM 11
. A method of assisting in obtaining access by a client computer to a plurality of servers which are connected by a network , comprising the steps of : logging in a predetermined one of said plurality of servers , by a client computer , connected to said network , in response to a request by a user , by sending to said predetermined server first user authentication information predetermined for use by said user for accessing said predetermined server , wherein said plurality of servers include servers which transmit commands which are different from each other depending upon said servers when said servers request user authorization information , each of said plurality of servers , other than said predetermined server , holding a plurality of second user authentication information each predetermined for access to the respective server by a user who is permitted to access said server wherein said predetermined server holds (a) the plurality of second user authentication information predetermined for said plurality of servers , other than said predetermined server , and (b) a plurality of commands predetermined for said plurality of other servers ;
each of said plurality of commands predetermined for a corresponding one of said plurality of other servers being a command which said one server transmits when said one server requests (accepting requests, requests originating one) user authorization information ;
transmitting a request from said client computer to said predetermined server for transfer of second user identification information predetermined for use by said user to access one of said plurality of said client computer said requested second user identification information and one of said plurality of commands predetermined for use by said user selected server ;
and logging in said user selected server , by said client computer , by sending said transmitted second user identification information to said user selected server from said client computer , in response to receipt of the same command from said user selected server as said one command transmitted from said predetermined server .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (server address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5671354A
CLAIM 10
. A method of assisting in obtaining access from a client computer to a plurality of servers which are connected by a network , comprising the steps of : logging in a predetermined one of said plurality of servers , by a client computer , connected to said network , in response to a request by a user , by sending to said predetermined server first user authentication information predetermined for use by said user for accessing said predetermined server , wherein each of said plurality of servers , other than said predetermined server , holds a plurality of second user authentication information each predetermined for access to the respective server by a user who is permitted to access said server , wherein said predetermined server holds (a) said plurality of second user authentication information for said plurality of servers , other than said predetermined server , and (b) a plurality of server addresses (IP addresses) of said plurality of servers ;
transmitting a request from said client computer to said predetermined server for transfer of second user authentication information predetermined for said user to effect access to one of said plurality of other servers which said user has selected ;
transmitting , from said predetermined server to said client computer , said requested second user identification information and one of said plurality of server addresses corresponding to said user selected server ;
and logging in said user selected server , by said client computer , using said transmitted server address and said transmitted second user identification information .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (respective server) device , the selectively generated packet containing the request for access to the directly attached device .
US5671354A
CLAIM 5
. A method according to claim 4 , further comprising the steps of : holding , in said particular server , a budgetary limit for each of said users on a sum of accounts for respective server (intermediary computing) s for said each user ;
updating , by said particular server , account information held therein for each user , each time when said each user uses one of said plurality of servers , said updating being executed depending upon amount of actual usage , of said one server ;
judging , by said particular server , whether an actual account to be charge to said each user has exceeded said budgetary limit held for said each user , based upon said updated account information ;
and limiting subsequent use of one of said plurality of servers by said each user , when said actual account has exceeded said budgetary limit .

US7739302B2
CLAIM 17
. The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (information management) .
US5671354A
CLAIM 1
. A method of assisting account information management (application layer) in a network system which has a plurality of servers , and a network for connecting said plurality of servers , the method comprising the steps of : gathering , by a particular one of said servers , server account information from each server for each of plural users who have authorization to access said each server via a client terminal ;
holding , by said particular server , account information for each of the users , as gathered from said plurality of servers ;
transmitting , by one client terminal connected to said network , to said one particular server , user authentication information predetermined for one of said users for said particular server and an account display request ;
transmitting , by said particular server to said one client terminal , account information as gathered by said particular server from said plurality of servers for a user to whom said transmitted user authentication information has been assigned ;
and displaying said transmitted account information by said one client terminal .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one (server request) of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (client terminal, said network) and other devices in a manner that is in addition to any protection afforded by a firewall .
US5671354A
CLAIM 1
. A method of assisting account information management in a network system which has a plurality of servers , and a network for connecting said plurality of servers , the method comprising the steps of : gathering , by a particular one of said servers , server account information from each server for each of plural users who have authorization to access said each server via a client terminal (NAD server, network clients) ;
holding , by said particular server , account information for each of the users , as gathered from said plurality of servers ;
transmitting , by one client terminal connected to said network (NAD server, network clients) , to said one particular server , user authentication information predetermined for one of said users for said particular server and an account display request ;
transmitting , by said particular server to said one client terminal , account information as gathered by said particular server from said plurality of servers for a user to whom said transmitted user authentication information has been assigned ;
and displaying said transmitted account information by said one client terminal .

US5671354A
CLAIM 11
. A method of assisting in obtaining access by a client computer to a plurality of servers which are connected by a network , comprising the steps of : logging in a predetermined one of said plurality of servers , by a client computer , connected to said network , in response to a request by a user , by sending to said predetermined server first user authentication information predetermined for use by said user for accessing said predetermined server , wherein said plurality of servers include servers which transmit commands which are different from each other depending upon said servers when said servers request user authorization information , each of said plurality of servers , other than said predetermined server , holding a plurality of second user authentication information each predetermined for access to the respective server by a user who is permitted to access said server wherein said predetermined server holds (a) the plurality of second user authentication information predetermined for said plurality of servers , other than said predetermined server , and (b) a plurality of commands predetermined for said plurality of other servers ;
each of said plurality of commands predetermined for a corresponding one of said plurality of other servers being a command which said one server transmits when said one server requests (accepting requests, requests originating one) user authorization information ;
transmitting a request from said client computer to said predetermined server for transfer of second user identification information predetermined for use by said user to access one of said plurality of said client computer said requested second user identification information and one of said plurality of commands predetermined for use by said user selected server ;
and logging in said user selected server , by said client computer , by sending said transmitted second user identification information to said user selected server from said client computer , in response to receipt of the same command from said user selected server as said one command transmitted from said predetermined server .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (d log) of a plurality of protocols .
US5671354A
CLAIM 10
. A method of assisting in obtaining access from a client computer to a plurality of servers which are connected by a network , comprising the steps of : logging in a predetermined one of said plurality of servers , by a client computer , connected to said network , in response to a request by a user , by sending to said predetermined server first user authentication information predetermined for use by said user for accessing said predetermined server , wherein each of said plurality of servers , other than said predetermined server , holds a plurality of second user authentication information each predetermined for access to the respective server by a user who is permitted to access said server , wherein said predetermined server holds (a) said plurality of second user authentication information for said plurality of servers , other than said predetermined server , and (b) a plurality of server addresses of said plurality of servers ;
transmitting a request from said client computer to said predetermined server for transfer of second user authentication information predetermined for said user to effect access to one of said plurality of other servers which said user has selected ;
transmitting , from said predetermined server to said client computer , said requested second user identification information and one of said plurality of server addresses corresponding to said user selected server ;
and logging in (requests comprise one) said user selected server , by said client computer , using said transmitted server address and said transmitted second user identification information .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer (information management) of a network stack .
US5671354A
CLAIM 1
. A method of assisting account information management (application layer) in a network system which has a plurality of servers , and a network for connecting said plurality of servers , the method comprising the steps of : gathering , by a particular one of said servers , server account information from each server for each of plural users who have authorization to access said each server via a client terminal ;
holding , by said particular server , account information for each of the users , as gathered from said plurality of servers ;
transmitting , by one client terminal connected to said network , to said one particular server , user authentication information predetermined for one of said users for said particular server and an account display request ;
transmitting , by said particular server to said one client terminal , account information as gathered by said particular server from said plurality of servers for a user to whom said transmitted user authentication information has been assigned ;
and displaying said transmitted account information by said one client terminal .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5740375A

Filed: 1996-02-15     Issued: 1998-04-14

Forwarding internetwork packets by replacing the destination address

(Original Assignee) Bay Networks Inc     (Current Assignee) Avaya Inc

James W. Dunne, Igor Lasic
US7739302B2
CLAIM 1
. A network arrangement (ink layer) comprising : a network client (work layer) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (work layer) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5740375A
CLAIM 2
. The method of claim 1 wherein the step of receiving a local broadcast packet comprises : receiving a packet from the source network ;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet ;
dropping the packet if the packet is not a local broadcast packet ;
and continuing processing the packet if the packet is a local broadcast packet .

US5740375A
CLAIM 5
. A router comprising : a plurality of ports for coupling to a plurality of subnetworks each having a unique network layer (network client, network access, providing network access) address ;
and a routing engine coupled to the ports for processing packets received from the plurality of ports , the routing engine including a filter that , when activated for a source network , copies a local broadcast packet received from the source network and modifies a destination address field of a network layer header of the copied packet to specify the network layer address of a destination network , wherein the routing engine forwards the copied packet as modified to the destination network .

US7739302B2
CLAIM 2
. The network arrangement (ink layer) of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (work layer) to the NAD from a plurality of network clients having different operating systems .
US5740375A
CLAIM 2
. The method of claim 1 wherein the step of receiving a local broadcast packet comprises : receiving a packet from the source network ;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet ;
dropping the packet if the packet is not a local broadcast packet ;
and continuing processing the packet if the packet is a local broadcast packet .

US5740375A
CLAIM 5
A router comprising: a plurality of ports for coupling to a plurality of subnetworks each having a unique network layer (network client, network access, providing network access) address;
and a routing engine coupled to the ports for processing packets received from the plurality of ports, the routing engine including a filter that, when activated for a source network, copies a local broadcast packet received from the source network and modifies a destination address field of a network layer header of the copied packet to specify the network layer address of a destination network, wherein the routing engine forwards the copied packet as modified to the destination network.

US7739302B2
CLAIM 3
The network arrangement (link layer) of claim 1, wherein the computer-executable instructions comprise distributed program modules.
US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.

US7739302B2
CLAIM 4
The network arrangement (link layer) of claim 1, wherein the step of determining whether the request for network access (network layer) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.

US5740375A
CLAIM 5
A router comprising: a plurality of ports for coupling to a plurality of subnetworks each having a unique network layer (network client, network access, providing network access) address;
and a routing engine coupled to the ports for processing packets received from the plurality of ports, the routing engine including a filter that, when activated for a source network, copies a local broadcast packet received from the source network and modifies a destination address field of a network layer header of the copied packet to specify the network layer address of a destination network, wherein the routing engine forwards the copied packet as modified to the destination network.

US7739302B2
CLAIM 5
A local area network arrangement (link layer) comprising a network client (network layer) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (network layer) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address, network address, new address) contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US5740375A
CLAIM 1
A method for filtering and forwarding local broadcast traffic across network boundaries, comprising: receiving a local broadcast packet from a source network, said packet having said source network in a destination address (IP addresses) field;
copying the local broadcast packet to produce a copied packet;
writing a new address (IP addresses) of a destination network to said destination address field of the copied packet, said new address being across a network boundary;
and transmitting the copied packet to the destination network.

US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.

US5740375A
CLAIM 3
A method for filtering and forwarding local broadcast traffic across network boundaries comprising: providing a broadcast list for a source network, the broadcast list comprising at least one destination network address (IP addresses) being across a network boundary;
receiving a local broadcast packet from the source network, said packet having said source network in a destination address field;
copying the local broadcast packet for each entry in the broadcast list to produce at least one copied packet;
for each copied packet, writing a corresponding destination network address of the broadcast list to a destination address field of the copied packet, said destination address being across a network boundary;
and transmitting each packet such that each packet is delivered to a network specified by a destination network address of the broadcast list.

US5740375A
CLAIM 5
A router comprising: a plurality of ports for coupling to a plurality of subnetworks each having a unique network layer (network client, network access, providing network access) address;
and a routing engine coupled to the ports for processing packets received from the plurality of ports, the routing engine including a filter that, when activated for a source network, copies a local broadcast packet received from the source network and modifies a destination address field of a network layer header of the copied packet to specify the network layer address of a destination network, wherein the routing engine forwards the copied packet as modified to the destination network.

US7739302B2
CLAIM 6
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface.
US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.

US7739302B2
CLAIM 7
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header contains a valid source address.
US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.

US7739302B2
CLAIM 8
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address.
US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.

US7739302B2
CLAIM 9
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (network layer) to the NAD.
US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (network arrangement) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.

US5740375A
CLAIM 5
A router comprising: a plurality of ports for coupling to a plurality of subnetworks each having a unique network layer (network client, network access, providing network access) address;
and a routing engine coupled to the ports for processing packets received from the plurality of ports, the routing engine including a filter that, when activated for a source network, copies a local broadcast packet received from the source network and modifies a destination address field of a network layer header of the copied packet to specify the network layer address of a destination network, wherein the routing engine forwards the copied packet as modified to the destination network.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (network layer) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5740375A
CLAIM 5
A router comprising: a plurality of ports for coupling to a plurality of subnetworks each having a unique network layer (network client, network access, providing network access) address;
and a routing engine coupled to the ports for processing packets received from the plurality of ports, the routing engine including a filter that, when activated for a source network, copies a local broadcast packet received from the source network and modifies a destination address field of a network layer header of the copied packet to specify the network layer address of a destination network, wherein the routing engine forwards the copied packet as modified to the destination network.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (network layer) to the NAD is only available through the server.
US5740375A
CLAIM 5
A router comprising: a plurality of ports for coupling to a plurality of subnetworks each having a unique network layer (network client, network access, providing network access) address;
and a routing engine coupled to the ports for processing packets received from the plurality of ports, the routing engine including a filter that, when activated for a source network, copies a local broadcast packet received from the source network and modifies a destination address field of a network layer header of the copied packet to specify the network layer address of a destination network, wherein the routing engine forwards the copied packet as modified to the destination network.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (network layer) includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5740375A
CLAIM 5
A router comprising: a plurality of ports for coupling to a plurality of subnetworks each having a unique network layer (network client, network access, providing network access) address;
and a routing engine coupled to the ports for processing packets received from the plurality of ports, the routing engine including a filter that, when activated for a source network, copies a local broadcast packet received from the source network and modifies a destination address field of a network layer header of the copied packet to specify the network layer address of a destination network, wherein the routing engine forwards the copied packet as modified to the destination network.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (data link).
US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (application layer) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (data link) of a network stack.
US5740375A
CLAIM 2
The method of claim 1 wherein the step of receiving a local broadcast packet comprises: receiving a packet from the source network;
performing data link layer (application layer) processing of the packet to determine whether the packet is a local broadcast packet;
dropping the packet if the packet is not a local broadcast packet;
and continuing processing the packet if the packet is a local broadcast packet.


US7739302B2
Filed: 1998-09-01     Issued: 2010-06-15
Network attached device with dedicated firewall security
(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC
Stacy Kenworthy

US5781550A
Filed: 1996-02-02     Issued: 1998-07-14
Transparent and secure network gateway
(Original Assignee) Digital Equipment Corp     (Current Assignee) Hewlett Packard Enterprise Development LP
Fred L. Templin, Ajay Gupta, Gregory D. Skinner, Dermot Matthew Tynan

US7739302B2
CLAIM 1
A network arrangement (link layer) comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 2
The network arrangement (link layer) of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 3
The network arrangement (link layer) of claim 1, wherein the computer-executable instructions comprise distributed program modules.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 4
The network arrangement (link layer) of claim 1, wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 5
A local area network arrangement (link layer) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (local address) contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US5781550A
CLAIM 5
The method of claim 1 wherein the gateway includes a session control table having at least one entry to control the communication of packets between the trusted computer and the untrusted computer, the entry including a local address (IP addresses) field and a remote address field, and further comprising: storing the address of the untrusted computer in the local address field;
and storing the address of the trusted computer in the remote address field to spoof the trusted computer into believing that the trusted computer is communicating directly with the untrusted computer.

US7739302B2
CLAIM 6
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 7
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header contains a valid source address.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 8
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 9
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access to the NAD.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (network arrangement), an Internet layer, a transport layer, and an application layer, and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (application layer, data link).
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (application layer), an Internet layer, a transport layer, and an application layer (application layer), and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (application layer, data link) of a network stack.
US5781550A
CLAIM 2
The method of claim 1 wherein the gateway includes a protocol stack, the protocol stack including a data link layer (application layer), an Internet layer, a transport layer, and an application layer (application layer), and further comprising: intercepting the first packet in the Internet layer;
diverting the first packet through a transport layer to a proxy server operating in the application layer;
and consuming the first packet while generating the second packet.


US7739302B2
Filed: 1998-09-01     Issued: 2010-06-15
Network attached device with dedicated firewall security
(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC
Stacy Kenworthy

US5790797A
Filed: 1996-01-26     Issued: 1998-08-04
Load distribution system for monitoring device
(Original Assignee) Fujitsu Ltd     (Current Assignee) Fujitsu Ltd
Junichi Shimada, Satoshi Kumano

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating (operation control) systems.
US5790797A
CLAIM 31
A monitoring system for monitoring the operating conditions of a plurality of transmission devices which are provided in a network so as to transmit data, said system comprising: a plurality of monitoring devices disposed in said network;
each of said monitoring devices including: a supervisory screen image data holding means for holding supervisory screen image data which correspond to various monitoring zones;
a means for designating a predetermined monitoring zone as the object of monitoring at a designated time;
a displaying means for displaying a supervisory screen image on the basis of supervisory screen image data which corresponds to the designated monitoring zone and also displaying, in said supervisory screen image, the operating conditions of said transmission devices in said monitoring zone as the object of monitoring;
an operation controller (different operating) for causing said display means to automatically switch and display said monitoring zone in accordance with a time basis.

US7739302B2
CLAIM 24
The apparatus of claim 23, wherein the managing means (monitoring system, determined area) is further configured to manage access over a SCSI interface.
US5790797A
CLAIM 13
In a network monitoring system (managing means) including a plurality of monitoring devices provided in a network which have a plurality of transmission devices for transmitting data so that each of said monitoring devices monitors operating conditions of the transmission devices in a monitoring zone allocated thereto, a monitoring device comprising: a supervisory screen image data holding means for holding supervisory screen image data which correspond to various monitoring zones;
a means for designating a predetermined monitoring zone as the object of monitoring;
and a displaying means for displaying a supervisory screen image on the basis of supervisory screen image data which corresponds to the designated monitoring zone.

US5790797A
CLAIM 17
A monitoring device according to claim 13, further comprising: an operating condition controller for controlling the operating conditions of all the transmission devices in said network without limiting the transmission devices to the transmission devices in said monitoring zone as the object of monitoring;
wherein said displaying means displays, in said supervisory screen image, the operating conditions of said transmission devices in said monitoring zone as the object of monitoring which are controlled by said operating condition controller and also displays the operating conditions of the transmission devices outside of said monitoring zone in a predetermined area (managing means) of said supervisory screen image in the form of a summarized display.


US7739302B2
Filed: 1998-09-01     Issued: 2010-06-15
Network attached device with dedicated firewall security
(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC
Stacy Kenworthy

US5764756A
Filed: 1996-01-11     Issued: 1998-06-09
Networked telephony central offices
(Original Assignee) US West Inc     (Current Assignee) Qwest Communications International Inc
Arthur E. Onweller

US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (first port) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (said converter) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5764756A
CLAIM 1
. A method for managing a network , comprising ;
determining a plurality of process interfaces , each said process interface being connected to said network (NAD server) ;
performing for each of said process interfaces the following steps (A1) through (A2) : (A1) identifying a corresponding set of hardware components wherein network communications with the process interface utilize a corresponding communication channel defined by said hardware components of said set ;
(A2) assigning a corresponding network address for routing network communications to the process interface , wherein said corresponding network address comprises an encoded identification of each hardware component of said set of hardware components for the corresponding communication channel ;
wherein each of said process interfaces is responsive to its corresponding network address when the corresponding network address is identified in network communications by the process interface ;
and providing one or more of said corresponding network addresses for communicating with one or more of said process interfaces on the network ;
decoding at least a first network address of said one or more corresponding network addresses to determine said hardware components in said corresponding set of hardware components for locating one or more of said hardware components in the corresponding set of hardware components .

US5764756A
CLAIM 38
. A method as claimed in claim 1 , wherein said step of decoding includes identifying a first portion (data packet) of the first network address for identifying a telephony central office having the process interface to which the first network address corresponds .

US5764756A
CLAIM 51
. A method as claimed in claim 50 , wherein said converter (network source) converts between an IP protocol and a different protocol used by the at least one process interface .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5764756A
CLAIM 1
. A method for managing a network , comprising ;
determining a plurality of process interfaces , each said process interface being connected to said network (NAD server) ;
performing for each of said process interfaces the following steps (A1) through (A2) : (A1) identifying a corresponding set of hardware components wherein network communications with the process interface utilize a corresponding communication channel defined by said hardware components of said set ;
(A2) assigning a corresponding network address for routing network communications to the process interface , wherein said corresponding network address comprises an encoded identification of each hardware component of said set of hardware components for the corresponding communication channel ;
wherein each of said process interfaces is responsive to its corresponding network address when the corresponding network address is identified in network communications by the process interface ;
and providing one or more of said corresponding network addresses for communicating with one or more of said process interfaces on the network ;
decoding at least a first network address of said one or more corresponding network addresses to determine said hardware components in said corresponding set of hardware components for locating one or more of said hardware components in the corresponding set of hardware components .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (first port) containing the request for network access is complete , the information relating to at least one of the network source (said converter) , destination , and route of the data packet .
US5764756A
CLAIM 38
. A method as claimed in claim 1 , wherein said step of decoding includes identifying a first portion (data packet) of the first network address for identifying a telephony central office having the process interface to which the first network address corresponds .

US5764756A
CLAIM 51
. A method as claimed in claim 50 , wherein said converter (network source) converts between an IP protocol and a different protocol used by the at least one process interface .

US7739302B2
CLAIM 5
. A local area (local area) network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (first port) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (particular address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (said converter) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5764756A
CLAIM 4
. A method as claimed in claim 1 , wherein said step of determining includes determining , for each of said plurality of process interfaces , a local area (local area) network of a telephony central office for communicating with the process interface .

US5764756A
CLAIM 21
. A method as claimed in claim 19 , wherein said step of determining network addresses includes providing address extension portions for the network addresses having host identification portions , wherein for the at least one process interface , the corresponding network address has a particular one of the address extension portions such that the communication channel for the process interface includes a communication card as one of the hardware components of the set of hardware components for the process interface , and the communication card is identified by the particular address (IP addresses) extension portion .

US5764756A
CLAIM 38
. A method as claimed in claim 1 , wherein said step of decoding includes identifying a first portion (data packet) of the first network address for identifying a telephony central office having the process interface to which the first network address corresponds .

US5764756A
CLAIM 51
. A method as claimed in claim 50 , wherein said converter (network source) converts between an IP protocol and a different protocol used by the at least one process interface .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (first port) arrived via an authorized network interface .
US5764756A
CLAIM 38
. A method as claimed in claim 1 , wherein said step of decoding includes identifying a first portion (data packet) of the first network address for identifying a telephony central office having the process interface to which the first network address corresponds .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (first port) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5764756A
CLAIM 38
. A method as claimed in claim 1 , wherein said step of decoding includes identifying a first portion (data packet) of the first network address for identifying a telephony central office having the process interface to which the first network address corresponds .
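
The header checks recited in US7739302B2 claims 1, 4, 5, 6 and 9 above (filtering on the IP addresses in the header, requiring source, destination and route information to be present, requiring arrival on an authorized network interface, and matching the proper port of the NAD) can be read as one ordered decision procedure. The following Python is an added illustration of that procedure, not code from the patent, from the claim chart or from any cited prior art. The NAD address, the client allow list, the interface name `lan0` and the service port 9100 are assumptions chosen for the example, as is the use of a non-zero TTL as the header's route information; the sample packets are constructed inline.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed NAD policy (not from the patent): clients allowed to reach the NAD,
# the NAD's own address, the ingress interface it accepts requests on, and the
# single TCP port its service listens on.
ALLOWED_CLIENTS = ipaddress.ip_network("192.168.1.0/24")
NAD_ADDRESS = ipaddress.ip_address("192.168.1.50")
AUTHORIZED_INTERFACE = "lan0"
NAD_SERVICE_PORT = 9100

IPV4_MIN_HEADER = 20
TCP_MIN_HEADER = 20
PROTO_TCP = 6


@dataclass
class Verdict:
    authorized: bool
    reason: str
    port: Optional[int] = None


def parse_ipv4(packet: bytes) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, int, int, bytes]]:
    """Return (src, dst, ttl, protocol, payload), or None if the header is incomplete."""
    if len(packet) < IPV4_MIN_HEADER or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < IPV4_MIN_HEADER or total_len < ihl or total_len > len(packet):
        return None
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return src, dst, packet[8], packet[9], packet[ihl:total_len]


def check_request(packet: bytes, ingress_interface: str) -> Verdict:
    """Apply the claimed checks in order: completeness, interface, IP filter, port."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return Verdict(False, "header incomplete or malformed")
    src, dst, ttl, proto, payload = parsed
    # Claim 4: source, destination and route information must all be present.
    # A zero TTL is treated here as missing route information (assumption).
    if src.is_unspecified or dst.is_unspecified or ttl == 0:
        return Verdict(False, "source, destination or route information missing")
    # Claim 6: the packet must have arrived via the authorized network interface.
    if ingress_interface != AUTHORIZED_INTERFACE:
        return Verdict(False, f"arrived on unauthorized interface {ingress_interface}")
    # Claims 1 and 5: filter on the IP addresses carried in the header.
    if dst != NAD_ADDRESS:
        return Verdict(False, f"destination {dst} is not this NAD")
    if src not in ALLOWED_CLIENTS:
        return Verdict(False, f"source {src} is not an allowed client")
    # Claim 9: the header must identify the proper port of the NAD before the
    # packet is passed on to that port.
    if proto != PROTO_TCP or len(payload) < TCP_MIN_HEADER:
        return Verdict(False, "not a complete TCP segment")
    dst_port = struct.unpack("!H", payload[2:4])[0]
    if dst_port != NAD_SERVICE_PORT:
        return Verdict(False, f"port {dst_port} is not the NAD service port")
    return Verdict(True, "authorized", dst_port)


def build_packet(src: str, dst: str, dst_port: int, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4/TCP SYN for the demonstration (sample input, constructed)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = IPV4_MIN_HEADER + len(tcp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, ttl, PROTO_TCP, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return ip + tcp


if __name__ == "__main__":
    request = build_packet("192.168.1.20", "192.168.1.50", NAD_SERVICE_PORT)
    print(check_request(request, "lan0"))
    print(check_request(request, "wan0"))
    print(check_request(build_packet("10.0.0.5", "192.168.1.50", NAD_SERVICE_PORT), "lan0"))
```

The order of the checks matters for the claim language: the completeness test (claim 4) runs before any address comparison, because an address read from a truncated header is not a reliable filtering input, and the port test (claim 9) runs last so that a packet is passed to the NAD's port only after the header has already been accepted.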

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (first port) containing the request for network access includes at least one of an IP address of a network source (said converter) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5764756A
CLAIM 38
. A method as claimed in claim 1 , wherein said step of decoding includes identifying a first portion (data packet) of the first network address for identifying a telephony central office having the process interface to which the first network address corresponds .

US5764756A
CLAIM 51
. A method as claimed in claim 50 , wherein said converter (network source) converts between an IP protocol and a different protocol used by the at least one process interface .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (following steps) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (first port) containing the request for network access includes at least one of an IP address of a network source (said converter) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5764756A
CLAIM 1
. A method for managing a network , comprising ;
determining a plurality of process interfaces , each said process interface being connected to said network ;
performing for each of said process interfaces the following steps (device interface, storage device) (A1) through (A2) : (A1) identifying a corresponding set of hardware components wherein network communications with the process interface utilize a corresponding communication channel defined by said hardware components of said set ;
(A2) assigning a corresponding network address for routing network communications to the process interface , wherein said corresponding network address comprises an encoded identification of each hardware component of said set of hardware components for the corresponding communication channel ;
wherein each of said process interfaces is responsive to its corresponding network address when the corresponding network address is identified in network communications by the process interface ;
and providing one or more of said corresponding network addresses for communicating with one or more of said process interfaces on the network ;
decoding at least a first network address of said one or more corresponding network addresses to determine said hardware components in said corresponding set of hardware components for locating one or more of said hardware components in the corresponding set of hardware components .

US5764756A
CLAIM 38
. A method as claimed in claim 1 , wherein said step of decoding includes identifying a first portion (data packet) of the first network address for identifying a telephony central office having the process interface to which the first network address corresponds .

US5764756A
CLAIM 51
. A method as claimed in claim 50 , wherein said converter (network source) converts between an IP protocol and a different protocol used by the at least one process interface .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps) .
US5764756A
CLAIM 1
. A method for managing a network , comprising ;
determining a plurality of process interfaces , each said process interface being connected to said network ;
performing for each of said process interfaces the following steps (device interface, storage device) (A1) through (A2) : (A1) identifying a corresponding set of hardware components wherein network communications with the process interface utilize a corresponding communication channel defined by said hardware components of said set ;
(A2) assigning a corresponding network address for routing network communications to the process interface , wherein said corresponding network address comprises an encoded identification of each hardware component of said set of hardware components for the corresponding communication channel ;
wherein each of said process interfaces is responsive to its corresponding network address when the corresponding network address is identified in network communications by the process interface ;
and providing one or more of said corresponding network addresses for communicating with one or more of said process interfaces on the network ;
decoding at least a first network address of said one or more corresponding network addresses to determine said hardware components in said corresponding set of hardware components for locating one or more of said hardware components in the corresponding set of hardware components .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (communication protocol) .
US5764756A
CLAIM 20
. A method as claimed in claim 19 , wherein the converter translates between communication protocols (network protocols) .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (communication protocol) is TCP/IP .
US5764756A
CLAIM 20
. A method as claimed in claim 19 , wherein the converter translates between communication protocols (network protocols) .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps) comprises a SCSI interface .
US5764756A
CLAIM 1
. A method for managing a network , comprising ;
determining a plurality of process interfaces , each said process interface being connected to said network ;
performing for each of said process interfaces the following steps (device interface, storage device) (A1) through (A2) : (A1) identifying a corresponding set of hardware components wherein network communications with the process interface utilize a corresponding communication channel defined by said hardware components of said set ;
(A2) assigning a corresponding network address for routing network communications to the process interface , wherein said corresponding network address comprises an encoded identification of each hardware component of said set of hardware components for the corresponding communication channel ;
wherein each of said process interfaces is responsive to its corresponding network address when the corresponding network address is identified in network communications by the process interface ;
and providing one or more of said corresponding network addresses for communicating with one or more of said process interfaces on the network ;
decoding at least a first network address of said one or more corresponding network addresses to determine said hardware components in said corresponding set of hardware components for locating one or more of said hardware components in the corresponding set of hardware components .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps) , and a video codec .
US5764756A
CLAIM 1
. A method for managing a network , comprising ;
determining a plurality of process interfaces , each said process interface being connected to said network ;
performing for each of said process interfaces the following steps (device interface, storage device) (A1) through (A2) : (A1) identifying a corresponding set of hardware components wherein network communications with the process interface utilize a corresponding communication channel defined by said hardware components of said set ;
(A2) assigning a corresponding network address for routing network communications to the process interface , wherein said corresponding network address comprises an encoded identification of each hardware component of said set of hardware components for the corresponding communication channel ;
wherein each of said process interfaces is responsive to its corresponding network address when the corresponding network address is identified in network communications by the process interface ;
and providing one or more of said corresponding network addresses for communicating with one or more of said process interfaces on the network ;
decoding at least a first network address of said one or more corresponding network addresses to determine said hardware components in said corresponding set of hardware components for locating one or more of said hardware components in the corresponding set of hardware components .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (said converter) , an IP address of a network destination , and a route of the data packet (first port) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5764756A
CLAIM 38
. A method as claimed in claim 1 , wherein said step of decoding includes identifying a first portion (data packet) of the first network address for identifying a telephony central office having the process interface to which the first network address corresponds .

US5764756A
CLAIM 51
. A method as claimed in claim 50 , wherein said converter (network source) converts between an IP protocol and a different protocol used by the at least one process interface .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (following steps) if the request is allowed .
US5764756A
CLAIM 1
. A method for managing a network , comprising ;
determining a plurality of process interfaces , each said process interface being connected to said network ;
performing for each of said process interfaces the following steps (device interface, storage device) (A1) through (A2) : (A1) identifying a corresponding set of hardware components wherein network communications with the process interface utilize a corresponding communication channel defined by said hardware components of said set ;
(A2) assigning a corresponding network address for routing network communications to the process interface , wherein said corresponding network address comprises an encoded identification of each hardware component of said set of hardware components for the corresponding communication channel ;
wherein each of said process interfaces is responsive to its corresponding network address when the corresponding network address is identified in network communications by the process interface ;
and providing one or more of said corresponding network addresses for communicating with one or more of said process interfaces on the network ;
decoding at least a first network address of said one or more corresponding network addresses to determine said hardware components in said corresponding set of hardware components for locating one or more of said hardware components in the corresponding set of hardware components .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps) , and a video codec .
US5764756A
CLAIM 1
. A method for managing a network , comprising ;
determining a plurality of process interfaces , each said process interface being connected to said network ;
performing for each of said process interfaces the following steps (device interface, storage device) (A1) through (A2) : (A1) identifying a corresponding set of hardware components wherein network communications with the process interface utilize a corresponding communication channel defined by said hardware components of said set ;
(A2) assigning a corresponding network address for routing network communications to the process interface , wherein said corresponding network address comprises an encoded identification of each hardware component of said set of hardware components for the corresponding communication channel ;
wherein each of said process interfaces is responsive to its corresponding network address when the corresponding network address is identified in network communications by the process interface ;
and providing one or more of said corresponding network addresses for communicating with one or more of said process interfaces on the network ;
decoding at least a first network address of said one or more corresponding network addresses to determine said hardware components in said corresponding set of hardware components for locating one or more of said hardware components in the corresponding set of hardware components .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5742763A

Filed: 1995-12-29     Issued: 1998-04-21

Universal message delivery system for handles identifying network presences

(Original Assignee) AT&T Corp     (Current Assignee) AT&T Corp

Mark Alan Jones
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5742763A
CLAIM 1
. A message delivery system for use with a communication network and means for providing a network presence for an entity , said message delivery system comprising : delivery means for delivering a message from a sender to a handle identifying said network (NAD server) presence , said handle not corresponding to a physical endpoint , and means for omitting identifying information for said sender from said message .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs (id attribute) for accepting requests (media format) for network access to the NAD from a plurality of network clients having different operating systems (said handle) .
US5742763A
CLAIM 1
. A message delivery system for use with a communication network and means for providing a network presence for an entity , said message delivery system comprising : delivery means for delivering a message from a sender to a handle identifying said network (NAD server) presence , said handle (different operating) not corresponding to a physical endpoint , and means for omitting identifying information for said sender from said message .

US5742763A
CLAIM 4
. A message delivery system for use with a communication network and means for providing a network presence for an entity having attributes , said attributes (network protocol programs) including a processing preference for messages delivered to said network presence , said message delivery system comprising : delivery means for delivering a message from a sender to a handle identifying said network presence , said handle not corresponding to a physical endpoint , and a software agent for processing the delivered message in accordance with said processing preference .

US5742763A
CLAIM 5
. The system of claim 4 , wherein said processing preference is a preferred media format (accepting requests) , and said software agent is operative to convert a media format of the delivered message to the preferred media format .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5602918A

Filed: 1995-12-22     Issued: 1997-02-11

Application level security system and method

(Original Assignee) Virtual Open Network Environment Corp     (Current Assignee) SSL SERVICES LLC

James F. Chen, Jieh-Shan Wang
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (private network) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5602918A
CLAIM 5
A method of establishing a secured communication pathway between a party on a private network (IP addresses) and a party on an open unsecured network, comprising the steps of: reading from a smartcard a shared secret key;
authenticating communications between the respective parties based on the shared secret key and generating session keys;
and prompting a card holder to enter a secret code into the smartcard reader and confirming the code in order to authenticate the card holder before permitting further communications, wherein the step of authenticating communications between the respective parties and generating the session key comprises the steps of: the gateway processor generating a first number and sending the first number to the smart card;
the smartcard encrypting the first number by the shared secret key;
the smart card generating a second number and encrypting a combination of the encrypted first number and the second number;
the gateway processor verifying whether the first number has been encrypted by the shared secret key, thereby authenticating the smartcard;
the gateway processor generating a session key by combining the encrypted first number with the second number and encrypting the result: the gateway processor encrypting the second number by the shared secret key;
the smartcard verifying whether the second random number has been encrypted by the shared secret and thereby authenticating the gateway processor;
and the smartcard combining the encrypted first number with the second number and encrypting same to generate a second session key corresponding to the first session key generated by the gateway processor: and further comprising the step of encrypting further communications between the respective parties using the first and second session keys.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path (communication path) to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5602918A
CLAIM 5
A method of establishing a secured communication pathway (communication path) between a party on a private network and a party on an open unsecured network, comprising the steps of: reading from a smartcard a shared secret key;
authenticating communications between the respective parties based on the shared secret key and generating session keys;
and prompting a card holder to enter a secret code into the smartcard reader and confirming the code in order to authenticate the card holder before permitting further communications, wherein the step of authenticating communications between the respective parties and generating the session key comprises the steps of: the gateway processor generating a first number and sending the first number to the smart card;
the smartcard encrypting the first number by the shared secret key;
the smart card generating a second number and encrypting a combination of the encrypted first number and the second number;
the gateway processor verifying whether the first number has been encrypted by the shared secret key, thereby authenticating the smartcard;
the gateway processor generating a session key by combining the encrypted first number with the second number and encrypting the result: the gateway processor encrypting the second number by the shared secret key;
the smartcard verifying whether the second random number has been encrypted by the shared secret and thereby authenticating the gateway processor;
and the smartcard combining the encrypted first number with the second number and encrypting same to generate a second session key corresponding to the first session key generated by the gateway processor: and further comprising the step of encrypting further communications between the respective parties using the first and second session keys.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (unsecured network).
US5602918A
CLAIM 1
A system for establishing secured communications pathways across an open unsecured network (application layer) between a secured party and a possibly unsecured party, without compromising the security of either of the parties, comprising: a smartcard reader and a smartcard located at a client node of the unsecured party, the smartcard having stored thereon a shared secret key known to the secured party;
a gateway processor which controls access from the open unsecured network to said secured party and having access to the shared secret key;
means for authenticating communications between the respective parties based on said shared secret key and for generating session keys, wherein the smartcard reader includes means for prompting a card holder to enter a secret code and for confirming the code in order to authenticate the card holder before permitting further communications, and wherein the means for authenticating communication between the respective parties and for generating the session keys comprises: means associated with the gateway processor for generating a first number and sending the first number to the smart card;
means on the smartcard for encrypting the first number by the shared secret key;
means on the smartcard for generating a second number and encrypting a combination of the encrypted first number and the second number;
means in the gateway processor for verifying whether the first number has been encrypted by the shared secret key, thereby authenticating the smartcard;
means in the gateway processor for generating a first session key by combining the encrypted first number with the second number and encrypting the combination;
means in the gateway processor for encrypting the second number by the shared secret key;
means in the smartcard for verifying whether the second random number has been encrypted by the shared secret key and thereby authenticating the gateway processor;
and means in the smartcard for combining the encrypted first number with the second number and encrypting same to generate a second session key corresponding to the first session key generated by the gateway processor;
and means for encrypting further communications between the respective parties using the first and second session keys.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (unsecured network) of a network stack.
US5602918A
CLAIM 1
A system for establishing secured communications pathways across an open unsecured network (application layer) between a secured party and a possibly unsecured party, without compromising the security of either of the parties, comprising: a smartcard reader and a smartcard located at a client node of the unsecured party, the smartcard having stored thereon a shared secret key known to the secured party;
a gateway processor which controls access from the open unsecured network to said secured party and having access to the shared secret key;
means for authenticating communications between the respective parties based on said shared secret key and for generating session keys, wherein the smartcard reader includes means for prompting a card holder to enter a secret code and for confirming the code in order to authenticate the card holder before permitting further communications, and wherein the means for authenticating communication between the respective parties and for generating the session keys comprises: means associated with the gateway processor for generating a first number and sending the first number to the smart card;
means on the smartcard for encrypting the first number by the shared secret key;
means on the smartcard for generating a second number and encrypting a combination of the encrypted first number and the second number;
means in the gateway processor for verifying whether the first number has been encrypted by the shared secret key, thereby authenticating the smartcard;
means in the gateway processor for generating a first session key by combining the encrypted first number with the second number and encrypting the combination;
means in the gateway processor for encrypting the second number by the shared secret key;
means in the smartcard for verifying whether the second random number has been encrypted by the shared secret key and thereby authenticating the gateway processor;
and means in the smartcard for combining the encrypted first number with the second number and encrypting same to generate a second session key corresponding to the first session key generated by the gateway processor;
and means for encrypting further communications between the respective parties using the first and second session keys.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5761397A

Filed: 1995-12-13     Issued: 1998-06-02

Controlling logical channel use based upon printing system environment

(Original Assignee) HP Inc     (Current Assignee) Hewlett Packard Development Co LP

Elizabeth L. Bagley, Vincent J. Kenkel
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet for network access to the NAD, the NAD server including computer executable instructions (executable instructions) that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5761397A
CLAIM 21
A computer-readable medium having computer-executable instructions (executable instructions) for performing steps in the method recited in claim 1.

US7739302B2
CLAIM 15
The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit to selectively generate a packet for communication to an intermediary computing (data transfers) device, the selectively generated packet containing the request for access to the directly attached device.
US5761397A
CLAIM 2
The method of claim 1 wherein the predefined communication mode is a high data transfer rate protocol for specifying how data transfers (intermediary computing, receiving requests) occur over a port between the host computer and the printer.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (high data).
US5761397A
CLAIM 2
The method of claim 1 wherein the predefined communication mode is a high data (application layer) transfer rate protocol for specifying how data transfers occur over a port between the host computer and the printer.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests (data transfers) over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5761397A
CLAIM 2
The method of claim 1 wherein the predefined communication mode is a high data transfer rate protocol for specifying how data transfers (intermediary computing, receiving requests) occur over a port between the host computer and the printer.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (high data) of a network stack.
US5761397A
CLAIM 2
The method of claim 1 wherein the predefined communication mode is a high data (application layer) transfer rate protocol for specifying how data transfers occur over a port between the host computer and the printer.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
EP0713311A1

Filed: 1995-11-17     Issued: 1996-05-22

Secure gateway and method for communication between networks

(Original Assignee) Milkyway Networks Corp     (Current Assignee) Milkyway Networks Corp

Hung T. Vu
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive request contained in a data packet (data packet, IP packets) for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
EP0713311A1
CLAIM 10
A method of providing a secure gateway between a private network and a potentially hostile network, comprising the steps of: a) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway;
b) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet;
c) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number, else dropping the packet;
d) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base, and dropping the packet if a permission rule cannot be located;
d) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located;
and e) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions, whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions.

EP0713311A1
CLAIM 19
Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network, comprising in combination: a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network;
an operating system executable by the gateway station, a kernel of the operating system having been modified so that the operating system: a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network;
and at least one proxy process executable by the gateway station, the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet, and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session, whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (data packet, IP packets) containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
EP0713311A1
CLAIM 10
A method of providing a secure gateway between a private network and a potentially hostile network, comprising the steps of: a) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway;
b) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet;
c) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number, else dropping the packet;
d) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base, and dropping the packet if a permission rule cannot be located;
d) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located;
and e) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions, whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions.

EP0713311A1
CLAIM 19
Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network, comprising in combination: a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network;
an operating system executable by the gateway station, a kernel of the operating system having been modified so that the operating system: a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network;
and at least one proxy process executable by the gateway station, the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet, and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session, whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising;

a data management component (potential security), and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet (data packet, IP packets) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address) contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
EP0713311A1
CLAIM 1
A method of providing a secure gateway between a private network and a potentially hostile network, comprising the steps of: a) accepting from either network all communications packets that are encapsulated with a hardware destination address (IP addresses) which matches the device address of the gateway;
b) determining whether there is a process bound to a destination port number of an accepted communications packet;
c) establishing a first communications session with a source address/source port of the accepted communications packet if there is a process bound to the destination port number, else dropping the packet;
d) establishing a second communications session with a destination address/destination port of the accepted communications packet if a first communications session is established;
and e) transparently moving data associated with each subsequent communications packet between the respective first and second communications sessions, whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions.

EP0713311A1
CLAIM 10
A method of providing a secure gateway between a private network and a potentially hostile network, comprising the steps of: a) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway;
b) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet;
c) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number, else dropping the packet;
d) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base, and dropping the packet if a permission rule cannot be located;
d) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located;
and e) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions, whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions.

EP0713311A1
CLAIM 18
A method for providing a secure gateway between a private network and potentially hostile network as claimed in claim 10 wherein the method further involves the steps of: a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving the data between the respective first and second communications sessions, whereby the TCP/IP packet is passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts the data from the packet and passes the data from a one of the first and second communications sessions to a proxy process which operates at an application layer of the gateway station and the proxy process executes data screening algorithms to screen the data for elements that could represent a potential security (data management component) breach before the data is passed to the other of the first and second communications sessions.

EP0713311A1
CLAIM 19
Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network, comprising in combination: a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network;
an operating system executable by the gateway station, a kernel of the operating system having been modified so that the operating system: a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network;
and at least one proxy process executable by the gateway station, the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet, and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session, whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (data packet, IP packets) arrived via an authorized network interface.
EP0713311A1
CLAIM 10
A method of providing a secure gateway between a private network and a potentially hostile network, comprising the steps of: a) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway;
b) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet;
c) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number, else dropping the packet;
d) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base, and dropping the packet if a permission rule cannot be located;
d) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located;
and e) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions, whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions.

EP0713311A1
CLAIM 19
Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network, comprising in combination: a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network;
an operating system executable by the gateway station, a kernel of the operating system having been modified so that the operating system: a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network;
and at least one proxy process executable by the gateway station, the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet, and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session, whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session.

US7739302B2
CLAIM 9
The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (data packet, IP packets) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
EP0713311A1
CLAIM 10
A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : a) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
b) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
c) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number , else dropping the packet ;
d) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
d) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and e) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

EP0713311A1
CLAIM 19
Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (data packet, IP packets) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access (new communication) to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
EP0713311A1
CLAIM 5
A method of providing a secure gateway between a private network and a potentially hostile network as claimed in claim 3 , wherein the method further involves the steps of : a) creating a user authentication file which contains the source address of the authenticated user in a user authentication directory ;
and b) referring to the authentication file to determine if a source address has been authenticated each time a new communications (providing network access) session is initiated so that the gateway is completely transparent to an authenticated source .

EP0713311A1
CLAIM 10
A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : a) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
b) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
c) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number , else dropping the packet ;
d) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
d) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and e) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

EP0713311A1
CLAIM 19
Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 12
An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (data packet, IP packets) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
EP0713311A1
CLAIM 10
A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : a) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
b) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
c) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number , else dropping the packet ;
d) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
d) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and e) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

EP0713311A1
CLAIM 19
Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 15
The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (requested service) device , the selectively generated packet containing the request for access to the directly attached device .
EP0713311A1
CLAIM 13
A method of providing a secure gateway between a private network and a potentially hostile network as claimed in claim 10 wherein the method further involves the steps of : a) referencing a rule base after the first communications session is established to determine whether a user identification/password at the source address is permitted to communicate with the destination address for a requested service (intermediary computing) ;
and b) cancelling the first communications session if the rule base does not include a rule to permit the user identification/password at the source address to communicate with the destination address for the requested type of service .

US7739302B2
CLAIM 17
The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (application layer) .
EP0713311A1
CLAIM 18
A method for providing a secure gateway between a private network and potentially hostile network as claimed in claim 10 wherein the method further involves the steps of : a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving the data between the respective first and second communications sessions , whereby the TCP/IP packet is passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts the data from the packet and passes the data from a one of the first and second communications sessions to a proxy process which operates at an application layer (application layer) of the gateway station and the proxy process executes data screening algorithms to screen the data for elements that could represent a potential security breach before the data is passed to the other of the first and second communications sessions .

US7739302B2
CLAIM 22
An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (data packet, IP packets) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
EP0713311A1
CLAIM 10
A method of providing a secure gateway between a private network and a potentially hostile network , comprising the steps of : a) accepting from either network all TCP/IP packets (data packet) that are encapsulated with a hardware destination address which matches the device address of the gateway ;
b) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet ;
c) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is proxy process bound to the port for serving the destination port number , else dropping the packet ;
d) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base , and dropping the packet if a permission rule cannot be located ;
d) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located ;
and e) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions , whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions .

EP0713311A1
CLAIM 19
Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile network , comprising in combination : a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network ;
an operating system executable by the gateway station , a kernel of the operating system having been modified so that the operating system : a) cannot forward any communications packet from the private network to the potentially hostile network or from the potentially hostile network to the private network ;
and b) will accept for processing any communications packet from either of the private network and the potentially hostile network provided that the packet is encapsulated with a hardware destination address that matches the device address of the gateway station on the respective network ;
and at least one proxy process executable by the gateway station , the at least one proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet (data packet) accepted by the operating system and to transparently initiate a second communications session with a destination of the packet , and to transparently pass the data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session , whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session .

US7739302B2
CLAIM 28
The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer (application layer) of a network stack .
EP0713311A1
CLAIM 18
A method for providing a secure gateway between a private network and potentially hostile network as claimed in claim 10 wherein the method further involves the steps of : a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving the data between the respective first and second communications sessions , whereby the TCP/IP packet is passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts the data from the packet and passes the data from a one of the first and second communications sessions to a proxy process which operates at an application layer (application layer) of the gateway station and the proxy process executes data screening algorithms to screen the data for elements that could represent a potential security breach before the data is passed to the other of the first and second communications sessions .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5790809A

Filed: 1995-11-17     Issued: 1998-08-04

Registry communications middleware

(Original Assignee) MCI Corp     (Current Assignee) MCI Corp ; Verizon Patent and Licensing Inc

Ralph Holmes
US7739302B2
CLAIM 1
A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network destination, destination information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5790809A
CLAIM 2
The system set forth in claim 1 wherein the first registry further comprises : an application programming interface , connected to an output of the client , for receiving a verb command from the client and translating a related application specific message from the client to a corresponding registry format ;
a validating device for validating parameters of the verb command and subsequently resolving a destination address for the message from the client ;
a directory services database queried by the validated verb command for determining a logical network destination (network destination) to the server for which the client's message is intended ;
an inter-process communicator for switching the message in registry format to one of a plurality of adapters connected in parallel to the output of the inter-process communicator , in response to destination information (network destination) derived from the directory services database , the adapter mapping the registry message into a specific protocol format required by a selected first messaging device and destined for a server .

US7739302B2
CLAIM 2
The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating (different operating) systems (executing applications) .
US5790809A
CLAIM 4
In a computer system having a plurality of client and server machines selectively interconnected over a network , each capable of executing applications (different operating (different operating) systems) controlled by a different operating system , a logical layer of communications between the machines and comprising the steps : performing a first registry process including (a) accepting application specific messages from a client , destined for a preselected server , and encapsulating them into a standard registry specific message ;
and (b) translating the registry specific messages into one of a plurality of preselected protocols ;
subjecting the registry specific message to a plurality of diverse messaging routes for communicating , to the network , the registry specific messages in the preselected protocol of a selected messaging route , the selected messaging route being selected by the first registry process ;
performing a second registry process at a distant end including (c) accepting the translated messages ;
and (d) converting the messages from protocol format to the original application specific format ;
connecting the converted application specific message to the preselected server .

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5790809A
CLAIM 2
The system set forth in claim 1 wherein the first registry further comprises : an application programming interface , connected to an output of the client , for receiving a verb command from the client and translating a related application specific message from the client to a corresponding registry format ;
a validating device for validating parameters of the verb command and subsequently resolving a destination address (IP addresses) for the message from the client ;
a directory services database queried by the validated verb command for determining a logical network destination to the server for which the client's message is intended ;
an inter-process communicator for switching the message in registry format to one of a plurality of adapters connected in parallel to the output of the inter-process communicator , in response to destination information derived from the directory services database , the adapter mapping the registry message into a specific protocol format required by a selected first messaging device and destined for a server .

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network destination, destination information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5790809A
CLAIM 2
The system set forth in claim 1 wherein the first registry further comprises : an application programming interface , connected to an output of the client , for receiving a verb command from the client and translating a related application specific message from the client to a corresponding registry format ;
a validating device for validating parameters of the verb command and subsequently resolving a destination address for the message from the client ;
a directory services database queried by the validated verb command for determining a logical network destination (network destination) to the server for which the client's message is intended ;
an inter-process communicator for switching the message in registry format to one of a plurality of adapters connected in parallel to the output of the inter-process communicator , in response to destination information (network destination) derived from the directory services database , the adapter mapping the registry message into a specific protocol format required by a selected first messaging device and destined for a server .

US7739302B2
CLAIM 12
An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network destination, destination information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5790809A
CLAIM 2
. The system set forth in claim 1 wherein the first registry further comprises : an application programming interface , connected to an output of the client , for receiving a verb command from the client and translating a related application specific message from the client to a corresponding registry format ;
a validating device for validating parameters of the verb command and subsequently resolving a destination address for the message from the client ;
a directory services database queried by the validated verb command for determining a logical network destination (network destination) to the server for which the client's message is intended ;
an inter-process communicator for switching the message in registry format to one of a plurality of adapters connected in parallel to the output of the inter-process communicator , in response to destination information (network destination) derived from the directory services database , the adapter mapping the registry message into a specific protocol format required by a selected first messaging device and destined for a server .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (network destination, destination information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5790809A
CLAIM 2
. The system set forth in claim 1 wherein the first registry further comprises : an application programming interface , connected to an output of the client , for receiving a verb command from the client and translating a related application specific message from the client to a corresponding registry format ;
a validating device for validating parameters of the verb command and subsequently resolving a destination address for the message from the client ;
a directory services database queried by the validated verb command for determining a logical network destination (network destination) to the server for which the client's message is intended ;
an inter-process communicator for switching the message in registry format to one of a plurality of adapters connected in parallel to the output of the inter-process communicator , in response to destination information (network destination) derived from the directory services database , the adapter mapping the registry message into a specific protocol format required by a selected first messaging device and destined for a server .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5793763A

Filed: 1995-11-03     Issued: 1998-08-11

Security system for network address translation systems

(Original Assignee) Cisco Technology Inc     (Current Assignee) Cisco Technology Inc

John C. Mayes, Brantley W. Coile
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive a request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network destination) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5793763A
CLAIM 4
. The method of claim 1 , further comprising the following steps : creating the translation slot data structure when the particular local host on the private network sends an outbound packet to an external network destination (network destination) ;
removing the translation slot data structure after said defined time period has elapsed .
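The header check recited in US7739302B2 claim 1 above (source address, destination address, route of the packet, filtering on an IP address in the header) as an added illustration in Python; this is not code from the patent or from any product. It assumes one reading of the claim language: the "IP address of a network source" and "of a network destination" are the IPv4 source and destination fields, and the "route of the data packet" is an IPv4 source-route option (LSRR type 131, SSRR type 137), which a NAD would normally refuse. The NAD address, the allow list and the sample packets are constructed for the example.

```python
"""Header-based request filter for a network attached device (NAD).

Added illustration, not code from the patent. Assumed reading of the claim:
"IP address of a network source" / "network destination" are the IPv4
source/destination fields and "route of the data packet" is an IPv4
source-route option (LSRR type 131, SSRR type 137). Policy is assumed.
"""
import ipaddress
import struct

LSRR, SSRR = 131, 137  # IPv4 loose / strict source-route option types


def parse_ipv4_header(packet: bytes) -> dict:
    """Extract src, dst and any source-route hop list from an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    src, dst = struct.unpack("!4s4s", packet[12:20])
    route = None
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-op padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("truncated option")   # incomplete header information
        length = opts[i + 1]
        if kind in (LSRR, SSRR):  # type, length, pointer, then 4-byte hops
            data = opts[i + 3:i + length]
            route = [str(ipaddress.IPv4Address(data[j:j + 4]))
                     for j in range(0, len(data) - len(data) % 4, 4)]
        i += length
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "route": route}


class NadFilter:
    """Decides, per packet, whether a request for access to the NAD is authorized."""

    def __init__(self, nad_address, allowed_clients):
        self.nad_address = ipaddress.IPv4Address(nad_address)
        self.allowed = [ipaddress.IPv4Network(n) for n in allowed_clients]

    def authorize(self, packet: bytes) -> tuple:
        """Return (authorized, reason). Malformed or incomplete headers are denied."""
        try:
            hdr = parse_ipv4_header(packet)
        except ValueError as err:
            return False, "malformed header: %s" % err
        if ipaddress.IPv4Address(hdr["dst"]) != self.nad_address:
            return False, "destination is not this NAD"
        if hdr["route"] is not None:
            return False, "source-routed packet"
        src = ipaddress.IPv4Address(hdr["src"])
        if not any(src in net for net in self.allowed):
            return False, "source %s not in allow list" % src
        return True, "authorized"


def build_ipv4(src, dst, options=b""):
    """Constructed sample input: a minimal IPv4 header with optional options."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + options


if __name__ == "__main__":
    nad = NadFilter("192.168.1.50", ["192.168.1.0/24"])   # assumed addresses
    lsrr = bytes([LSRR, 7, 4, 10, 0, 0, 9])                # one-hop source route
    for pkt in (build_ipv4("192.168.1.10", "192.168.1.50"),
                build_ipv4("203.0.113.7", "192.168.1.50"),
                build_ipv4("192.168.1.10", "192.168.1.50", lsrr)):
        print(nad.authorize(pkt))
```

The filter denies on every failure path, including a header it cannot parse, which is the behaviour claim 4 of the same patent describes when header information is not complete.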

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (local address, IP addresses) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5793763A
CLAIM 3
. The method of claim 2 , wherein there are fewer global IP addresses (IP addresses) in the collection of IP addresses than there are hosts on said private network .

US5793763A
CLAIM 16
. A network address translation system for translating network addresses on packets sent from an external host on an external network to a local host on a private network , the private network having a plurality of local hosts at least some of which communicate with hosts on the external network , the network address translation system comprising : an outside interface connected to the external network ;
an inside interface connected to the private network ;
and a translation slot data structure stored on the network address translation system , the translation slot specifying at least (i) a global IP address temporarily held by the local host , (ii) a local address (IP addresses) fixed with local host , wherein the network address translation system creates the translation slot when the local host sends a packet to said external host and times out the translation slot after a defined time period has elapsed .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network destination) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5793763A
CLAIM 4
. The method of claim 1 , further comprising the following steps : creating the translation slot data structure when the particular local host on the private network sends an outbound packet to an external network destination (network destination) ;
removing the translation slot data structure after said defined time period has elapsed .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (following steps) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network destination) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5793763A
CLAIM 1
. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network , the method comprising the following steps (device interface, storage device) : identifying a global IP destination address on an inbound packet arriving at the private network ;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address , which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period ;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period , determining whether the inbound packet meets defined security criteria ;
if the inbound packet meets said security criteria , replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed ;
and forwarding the inbound packet to the particular local host to which the inbound packet was addressed .

US5793763A
CLAIM 4
. The method of claim 1 , further comprising the following steps : creating the translation slot data structure when the particular local host on the private network sends an outbound packet to an external network destination (network destination) ;
removing the translation slot data structure after said defined time period has elapsed .
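The translation-slot behaviour recited in US5793763A claims 1, 4 and 16 above, as an added Python example (not Cisco's implementation): a slot is created when a local host sends an outbound packet, it is removed once the defined time period has elapsed, and an inbound packet is translated to the local address only if a slot exists for its global destination and the "defined security criteria" hold. The claims leave those criteria open; here they are assumed to be that the inbound packet's source is an external host the local host actually contacted within the period. The addresses, the timeout and the injectable clock are assumptions for illustration.

```python
"""Translation-slot NAT table in the shape described by the claims.

Added example, not Cisco's code. Assumed: a pool of global addresses smaller
than the number of local hosts, a timeout measured from the last outbound
packet, and security criteria = "inbound source is a host this local host
contacted". The clock is injectable so the timeout can be exercised offline.
"""
import time
from dataclasses import dataclass, field


@dataclass
class TranslationSlot:
    """One entry of the translation slot data structure (claim 16): the global
    IP temporarily held by the local host and the local host's fixed address."""
    global_ip: str
    local_ip: str
    external_hosts: set = field(default_factory=set)  # hosts the local host contacted
    last_outbound: float = 0.0


class NatTable:
    def __init__(self, global_pool, timeout, clock=time.monotonic):
        self.pool = list(global_pool)   # free global addresses (fewer than hosts, claim 3)
        self.timeout = timeout          # the "defined time period"
        self.clock = clock              # assumed: injectable for deterministic tests
        self.slots = {}                 # global_ip -> TranslationSlot

    def _expire(self):
        """Claim 4: remove slots whose defined time period has elapsed."""
        now = self.clock()
        for global_ip, slot in list(self.slots.items()):
            if now - slot.last_outbound > self.timeout:
                del self.slots[global_ip]
                self.pool.append(global_ip)   # address returns to the pool

    def _slot_for_local(self, local_ip):
        for slot in self.slots.values():
            if slot.local_ip == local_ip:
                return slot
        return None

    def outbound(self, local_ip, external_host):
        """Claim 4: create (or refresh) the slot when a local host sends an
        outbound packet. Returns the global address to write into the packet,
        or None when the pool is exhausted."""
        self._expire()
        slot = self._slot_for_local(local_ip)
        if slot is None:
            if not self.pool:
                return None
            slot = TranslationSlot(self.pool.pop(0), local_ip)
            self.slots[slot.global_ip] = slot
        slot.external_hosts.add(external_host)
        slot.last_outbound = self.clock()
        return slot.global_ip

    def security_ok(self, slot, external_src):
        """Assumed 'defined security criteria' (claim 1 leaves them open)."""
        return external_src in slot.external_hosts

    def inbound(self, external_src, global_dst):
        """Claim 1: find the slot for the global destination, apply the security
        criteria, and return (local_ip, reason) or (None, reason)."""
        self._expire()
        slot = self.slots.get(global_dst)
        if slot is None:
            return None, "no translation slot for global destination"
        if not self.security_ok(slot, external_src):
            return None, "security criteria not met"
        return slot.local_ip, "translated and forwarded"


if __name__ == "__main__":
    now = [0.0]                                   # constructed fake clock
    nat = NatTable(["198.51.100.1"], timeout=60, clock=lambda: now[0])
    g = nat.outbound("10.0.0.5", "203.0.113.9")   # assumed addresses
    print(g, nat.inbound("203.0.113.9", g), nat.inbound("203.0.113.200", g))
    now[0] = 61.0                                 # period elapsed: slot removed
    print(nat.inbound("203.0.113.9", g))
```

Unsolicited inbound packets fail at the slot lookup rather than at the security check, which is the point of tying slot creation to outbound traffic: an external host cannot reach a local host that has not spoken first.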

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps) .
US5793763A
CLAIM 1
. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network , the method comprising the following steps (device interface, storage device) : identifying a global IP destination address on an inbound packet arriving at the private network ;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address , which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period ;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period , determining whether the inbound packet meets defined security criteria ;
if the inbound packet meets said security criteria , replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed ;
and forwarding the inbound packet to the particular local host to which the inbound packet was addressed .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps) comprises a SCSI interface .
US5793763A
CLAIM 1
. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network , the method comprising the following steps (device interface, storage device) : identifying a global IP destination address on an inbound packet arriving at the private network ;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address , which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period ;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period , determining whether the inbound packet meets defined security criteria ;
if the inbound packet meets said security criteria , replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed ;
and forwarding the inbound packet to the particular local host to which the inbound packet was addressed .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps) , and a video codec .
US5793763A
CLAIM 1
. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network , the method comprising the following steps (device interface, storage device) : identifying a global IP destination address on an inbound packet arriving at the private network ;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address , which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period ;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period , determining whether the inbound packet meets defined security criteria ;
if the inbound packet meets said security criteria , replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed ;
and forwarding the inbound packet to the particular local host to which the inbound packet was addressed .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (network destination) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5793763A
CLAIM 4
. The method of claim 1 , further comprising the following steps : creating the translation slot data structure when the particular local host on the private network sends an outbound packet to an external network destination (network destination) ;
removing the translation slot data structure after said defined time period has elapsed .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (following steps) if the request is allowed .
US5793763A
CLAIM 1
. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network , the method comprising the following steps (device interface, storage device) : identifying a global IP destination address on an inbound packet arriving at the private network ;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address , which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period ;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period , determining whether the inbound packet meets defined security criteria ;
if the inbound packet meets said security criteria , replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed ;
and forwarding the inbound packet to the particular local host to which the inbound packet was addressed .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps) , and a video codec .
US5793763A
CLAIM 1
. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network , the method comprising the following steps (device interface, storage device) : identifying a global IP destination address on an inbound packet arriving at the private network ;
determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address , which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period ;
if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period , determining whether the inbound packet meets defined security criteria ;
if the inbound packet meets said security criteria , replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed ;
and forwarding the inbound packet to the particular local host to which the inbound packet was addressed .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
WO9613113A1

Filed: 1995-10-12     Issued: 1996-05-02

System and method for providing secure internetwork services

(Original Assignee) Secure Computing Corporation     

William E. Boebert, Clyde O. Rogers, Glenn Andreas, Scott W. Hammond, Mark P. Gooderum
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive a request contained in a data packet for network access (network interfaces, first workstation) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network interfaces, first workstation) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (second client) for accepting requests for network access (network interfaces, first workstation) to the NAD from a plurality of network clients having different operating systems .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 14
. A system for secure internetwork communication across an external network , the system comprising : first and second internal networks (64) ;
first and second secure computers (48) connected to the external network , wherein the first and second secure computers include : an internal network interface (60) ;
and an external network interface (72) for secure transfer of data from the first secure computer to the second secure computer over the external network , wherein the external network interface includes means (70) for encrypting data to be transferred from the first secure computer to the second secure computer ;
a first computing system (63) , wherein the first computing system includes a first client subsystem (60) connected over the first internal network to the internal network interface of the first secure computer , wherein the first client subsystem includes means for secure transfer of data between the first computing system and the first secure computer ;
and a second computing system (63) , wherein the second computing system includes a second client (network protocol programs) subsystem (60) connected over the second internal network to the internal network interface of the second secure computer , wherein the second client subsystem includes means for secure transfer of data between the second computing system and the second secure computer .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (network interfaces, first workstation) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (network interfaces, first work) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (private network) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
WO9613113A1
CLAIM 1
. A secure wide-area access system , comprising : a secure computer (48) ;
an internal network (64) ;
and a workstation (63) connected across the internal network to the secure computer ;
wherein the secure computer comprises an internal network interface (66) , a public network interface (72) , public network program code (70) used to communicate through the public network interface to a public network , private network (IP addresses) program code (66) used to communicate through the internal network interface to the workstation and security policy program code (68) for enforcing a Type Enforcement security mechanism to restrict access of a process to data .

WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interfaces, first work) .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access (network interfaces, first work) to the NAD .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (network interfaces, first work) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (network interfaces, first work) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (network interfaces, first work) to the NAD is only available through the server .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network interfaces, first work) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (network interfaces, first work) includes at least one of an IP address of a network source , an IP address of a network destination (network interfaces, first work) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interfaces, first work) .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (network interfaces, first work) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
WO9613113A1
CLAIM 9
. A secure server , comprising : a processor (80) ;
an internal network interface (90) , connected to the processor , for communicating on an internal network ;
and an external network interface (96) , connected to the processor , for communicating on an external network ;
wherein the processor includes server program code (92) for transferring data between the internal and external network interfaces (network access, network destination, network interface, providing network access) and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network .

WO9613113A1
CLAIM 22
. A method of transferring data between a first and a second network connected by an external network , wherein the first network comprises a first workstation (network access, network destination, network interface, providing network access) connected to a first secure computer server and wherein the second network comprises a second workstation connected to a second secure computer server , wherein each secure computer server comprises a trusted subsystem , first encryption means for encrypting and decrypting data transferred between the secure computer server and its respective workstation and second encryption means for encrypting and decrypting data transferred between the secure computer server and the external network , the method comprising the steps of : establishing an authenticated and protected interaction between the first workstation and the first secure computer server ;
sending data from the first workstation to the first secure computer server ;
selecting an authentication and protection mechanism for interaction on the external network ;
encrypting , via the second encryption means of the first secure computer server , the data received from the first workstation ;
and sending the encrypted data over the external network to the second secure computer server .


US7739302B2 (Filed: 1998-09-01, Issued: 2010-06-15)
Network attached device with dedicated firewall security
(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC
Stacy Kenworthy

US5751914A (Filed: 1995-10-10, Issued: 1998-05-12)
Method and system for correlating a plurality of events within a data processing system
(Original Assignee) International Business Machines Corp     (Current Assignee) International Business Machines Corp
Brett Angus Coley, Vincent G. Chin, Patrick Francis Downing, David M. Wormald
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5751914A
CLAIM 22
. The system for correlating a plurality of events of claim 18 , said system further comprising : means for parsing said series of events into a uniform event format utilized by said plurality of program objects within said network (NAD server) prior to said evaluation .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs (computer program) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5751914A
CLAIM 11
. A computer program (network protocol programs) product within a computer readable media for causing a data processing system to correlate a plurality of events to determine an action to be performed , said computer program product comprising : instruction means for causing said data processing system to permit provision of a plurality of rule networks , each of said plurality of rule networks including a plurality of program objects arranged in a tree structure having at least one parent program object and a plurality of child program objects , wherein said at least one parent program object is logically linked to said plurality of child program objects by passing input events received by said at least one parent program object to said plurality of child program objects , wherein at least one of said plurality of program objects invokes an action in response to receiving a particular input event ;
instruction means , responsive to two rule networks among said plurality of rule networks both including identical program objects , for causing said data processing system to minimize said plurality of rule networks by sharing one of said identical program objects between said two rule networks ;
instruction means for causing said data processing system to register at a first application program with a rule processor that passes events within said data processing system to particular rule networks among a plurality of rule networks , wherein said first application program has associated therewith one or more of said plurality of rule networks ;
instruction means , responsive to receipt of said series of events at said rule processor , for causing said data processing system to pass said series of events to each rule network associated with said first registered application program ;
instruction means , responsive to receipt of said series of events by one of said one or more associated rule networks , for causing said data processing system to evaluate said series of events through said tree structure ;
and instruction means , responsive to said evaluation , for causing said data processing system to invoke an action at one of said plurality of program objects , wherein event correlation efficiency is enhanced .

US5751914A
CLAIM 22
. The system for correlating a plurality of events of claim 18 , said system further comprising : means for parsing said series of events into a uniform event format utilized by said plurality of program objects within said network (NAD server) prior to said evaluation .


US7739302B2 (Filed: 1998-09-01, Issued: 2010-06-15)
Network attached device with dedicated firewall security
(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC
Stacy Kenworthy

US5774670A (Filed: 1995-10-06, Issued: 1998-06-30)
Persistent client state in a hypertext transfer protocol based client-server system
(Original Assignee) Netscape Communications Corp     (Current Assignee) Facebook Inc
Lou Montulli
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5774670A
CLAIM 13
. A network as in claim 12 wherein said network (NAD server) medium comprises a client modem and a server modem and an interconnection between said client modem and said server modem .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5774670A
CLAIM 13
. A network as in claim 12 wherein said network (NAD server) medium comprises a client modem and a server modem and an interconnection between said client modem and said server modem .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5774670A
CLAIM 14
. A computer system , said computer system comprising : a processor ;
a memory coupled to said processor ;
a computer readable medium coupled to said processor , said computer readable medium containing executable program instructions for : requesting a file on a server ;
receiving said file from said server ;
receiving a state object which specifies state information from said server ;
and storing said state object in one of said memory (storing instructions) and said computer readable medium .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy

US5623600A

Filed: 1995-09-26     Issued: 1997-04-22

Virus detection and removal apparatus for computer networks

(Original Assignee) Trend Micro Inc     (Current Assignee) Trend Micro Inc

Shuang Ji, Eva Chen

US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (transfer data) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (control signals) for accepting requests for network access (transfer data) to the NAD from a plurality of network clients having different operating systems .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals (network protocol programs) , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (transfer data) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (processor control) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (transfer data) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling (electronic communication) and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access (transfer data) to the NAD .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (transfer data) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (transfer data) to the NAD is only available through the server .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (control output) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (transfer data) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data (network access, providing network access) depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output (device interface) the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing (data transfers) device , the selectively generated packet containing the request for access to the directly attached device .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers (intermediary computing, receiving requests) , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses , the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (control output) .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit (processing unit) for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handling instructions and the presence of viruses , the proxy server having a data input , a data output and a control output (device interface) , the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output , the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (control output) comprises a SCSI interface .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handling instructions and the presence of viruses , the proxy server having a data input , a data output and a control output (device interface) , the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output , the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (data transfers) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers (intermediary computing, receiving requests) , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handling instructions and the presence of viruses , the proxy server having a data input , a data output and a control output , the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output , the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (control output) if the request is allowed .
US5623600A
CLAIM 1
. A system for detecting and selectively removing viruses in data transfers , the system comprising : a memory for storing data and routines , the memory having inputs and outputs , the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus ;
a communications unit for receiving and sending data in response to control signals , the communications unit having an input and an output ;
a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit ;
the processing unit having inputs and outputs ;
the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit ;
the outputs of the processing unit coupled to the inputs of memory , the input of the communications unit , the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted ;
a proxy server for receiving data to be transferred , the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handling instructions and the presence of viruses , the proxy server having a data input , a data output and a control output (device interface) , the data input coupled to receive the data to be transferred ;
and a daemon for transferring data from the proxy server in response to control signals from the proxy server , the daemon having a control input , a data input and a data output , the control input of the daemon coupled to the control output of the proxy server for receiving control signals , and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
JPH0964870A

Filed: 1995-08-23     Issued: 1997-03-07

Network system, and operation processing method and use access method therefor

(Original Assignee) Nippon Telegr & Teleph Corp <Ntt>; 日本電信電話株式会社     

Hatsuo Hoshino, Shigeru Ikeda, Yoichi Kuriyama, Satoshi Nakaoka, Kazuhiko Sato, 聡 中岡, 和彦 佐藤, 肇夫 星野, 洋一 栗山, 茂 池田
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (クライアント装置) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (デジタルネットワーク, インターネット) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
JPH0964870A
CLAIM 1
[Claim 1] A network system characterized in that one or more individual networks, each consisting of a server device and a client device (network client), are connected to a network connection device; a plurality of such network connection devices are connected to a backbone network, and a network management device is provided on the backbone network; and the network management device is given a control function for the backbone network as a whole.

JPH0964870A
CLAIM 8
[Claim 8] The network system according to claim 1, 2, 3, 4, 5, 6 or 7, characterized in that the network system is an Internet (IP address) system and is capable of combined connection of CD-ROM and personal computer communication, combined connection of LD (laser disc), karaoke, databases of every kind and the like with computer-applied communication, connection to a virtual city on a city-by-city basis, and the like.

JPH0964870A
CLAIM 11
[Claim 11] The network system according to claim 1, 2, 3, 4, 5, 6, 7, 8, 9 or 10, characterized in that the individual network is an analog network or a digital network (IP address), and an analog network is digitally converted with respect to the backbone network.

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests (の要求) for network access to the NAD from a plurality of network clients having different operating systems .
JPH0964870A
CLAIM 14
[Claim 14] A method of operation processing for a network system composed of a network connection device that accommodates one or more individual networks each consisting of a server device and a client device and that has user management means for individually managing the users belonging to the individual network, and a network management device that manages the whole network to which a plurality of such network connection devices are connected and that has user authentication means for determining whether a user within the individual network is permitted to make a service request to another individual network, the method characterized in that: in the network connection device, first, upon receiving from a user belonging to an individual network it accommodates a request for user authentication (accepting requests, allow requests, requests contain information to gain access, receiving requests, requests originating one, requests comprise one) in order to make a service request to another individual network, it requests user authentication from the network management device; next, upon receiving user authentication result information from the network management device, it registers that information in the user management means and notifies the user; subsequently, upon receiving from a user belonging to an individual network it accommodates a service request to another individual network, it determines by means of the user management means whether that user has received user authentication, and when it judges that the user has received user authentication, it connects the service request to the other individual network; and in parallel with this, in the network management device, upon receiving a request for user authentication from the network connection device, it judges by means of the user authentication means whether the user who requested the user authentication is a legitimate user, and sends the result information to the network connection device that made the request.

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (クライアント装置) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
JPH0964870A
CLAIM 1
[Claim 1] A network system characterized in that one or more individual networks, each consisting of a server device and a client device (network client), are connected to a network connection device; a plurality of such network connection devices are connected to a backbone network, and a network management device is provided on the backbone network; and the network management device is given a control function for the backbone network as a whole.

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address (デジタルネットワーク, インターネット) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
JPH0964870A
CLAIM 8
[Claim 8] The network system according to claim 1, 2, 3, 4, 5, 6 or 7, characterized in that the network system is an Internet (IP address) system and is capable of combined connection of CD-ROM and personal computer communication, combined connection of LD (laser disc), karaoke, databases of every kind and the like with computer-applied communication, connection to a virtual city on a city-by-city basis, and the like.

JPH0964870A
CLAIM 11
[Claim 11] The network system according to claim 1, 2, 3, 4, 5, 6, 7, 8, 9 or 10, characterized in that the individual network is an analog network or a digital network (IP address), and an analog network is digitally converted with respect to the backbone network.

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (デジタルネットワーク, インターネット) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests (の要求) for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
JPH0964870A
CLAIM 8
[Claim 8] The network system according to claim 1, 2, 3, 4, 5, 6 or 7, characterized in that the network system is an Internet (IP address) system and is capable of combined connection of CD-ROM and personal computer communication, combined connection of LD (laser disc), karaoke, databases of every kind and the like with computer-applied communication, connection to a virtual city on a city-by-city basis, and the like.

JPH0964870A
CLAIM 11
[Claim 11] The network system according to claim 1, 2, 3, 4, 5, 6, 7, 8, 9 or 10, characterized in that the individual network is an analog network or a digital network (IP address), and an analog network is digitally converted with respect to the backbone network.

JPH0964870A
CLAIM 14
[Claim 14] A method of operation processing for a network system composed of a network connection device that accommodates one or more individual networks each consisting of a server device and a client device and that has user management means for individually managing the users belonging to the individual network, and a network management device that manages the whole network to which a plurality of such network connection devices are connected and that has user authentication means for determining whether a user within the individual network is permitted to make a service request to another individual network, the method characterized in that: in the network connection device, first, upon receiving from a user belonging to an individual network it accommodates a request for user authentication (accepting requests, allow requests, requests contain information to gain access, receiving requests, requests originating one, requests comprise one) in order to make a service request to another individual network, it requests user authentication from the network management device; next, upon receiving user authentication result information from the network management device, it registers that information in the user management means and notifies the user; subsequently, upon receiving from a user belonging to an individual network it accommodates a service request to another individual network, it determines by means of the user management means whether that user has received user authentication, and when it judges that the user has received user authentication, it connects the service request to the other individual network; and in parallel with this, in the network management device, upon receiving a request for user authentication from the network connection device, it judges by means of the user authentication means whether the user who requested the user authentication is a legitimate user, and sends the result information to the network connection device that made the request.

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit to determine whether each packet contains an unauthorized IP address (デジタルネットワーク, インターネット) .
JPH0964870A
CLAIM 8
[Claim 8] The network system according to claim 1, 2, 3, 4, 5, 6 or 7, characterized in that the network system is an Internet (IP address) system and is capable of combined connection of CD-ROM and personal computer communication, combined connection of LD (laser disc), karaoke, databases of every kind and the like with computer-applied communication, connection to a virtual city on a city-by-city basis, and the like.

JPH0964870A
CLAIM 11
[Claim 11] The network system according to claim 1, 2, 3, 4, 5, 6, 7, 8, 9 or 10, characterized in that the individual network is an analog network or a digital network (IP address), and an analog network is digitally converted with respect to the backbone network.

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access (の要求) to a proper port over the directly attached device interface .
JPH0964870A
CLAIM 14
[Claim 14] A method of operation processing for a network system composed of a network connection device that accommodates one or more individual networks each consisting of a server device and a client device and that has user management means for individually managing the users belonging to the individual network, and a network management device that manages the whole network to which a plurality of such network connection devices are connected and that has user authentication means for determining whether a user within the individual network is permitted to make a service request to another individual network, the method characterized in that: in the network connection device, first, upon receiving from a user belonging to an individual network it accommodates a request for user authentication (accepting requests, allow requests, requests contain information to gain access, receiving requests, requests originating one, requests comprise one) in order to make a service request to another individual network, it requests user authentication from the network management device; next, upon receiving user authentication result information from the network management device, it registers that information in the user management means and notifies the user; subsequently, upon receiving from a user belonging to an individual network it accommodates a service request to another individual network, it determines by means of the user management means whether that user has received user authentication, and when it judges that the user has received user authentication, it connects the service request to the other individual network; and in parallel with this, in the network management device, upon receiving a request for user authentication from the network connection device, it judges by means of the user authentication means whether the user who requested the user authentication is a legitimate user, and sends the result information to the network connection device that made the request.

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (少なくとも) , and a video codec .
JPH0964870A
CLAIM 3
[Claim 3] The network system according to claim 1 or 2, characterized in that the network management device has at least (storage device) a user authentication server that determines whether a user within the individual network is permitted to make a service request to another individual network or to the backbone network, a billing information management server that manages billing information based on the usage accompanying the service request by a user within the individual network, and a control unit that controls the backbone network as a whole, including the user authentication server and the billing information management server.

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (の要求) over a network for access to a network attached device (NAD) , the requests originating one (の要求) of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address (デジタルネットワーク, インターネット) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
JPH0964870A
CLAIM 8
[Claim 8] The network system according to claim 1, 2, 3, 4, 5, 6 or 7, characterized in that the network system is an Internet (IP address) system and is capable of combined connection of CD-ROM and personal computer communication, combined connection of LD (laser disc), karaoke, databases of every kind and the like with computer-applied communication, connection to a virtual city on a city-by-city basis, and the like.

JPH0964870A
CLAIM 11
[Claim 11] The network system according to claim 1, 2, 3, 4, 5, 6, 7, 8, 9 or 10, characterized in that the individual network is an analog network or a digital network (IP address), and an analog network is digitally converted with respect to the backbone network.

JPH0964870A
CLAIM 14
[Claim 14] A method of operation processing for a network system composed of a network connection device that accommodates one or more individual networks each consisting of a server device and a client device and that has user management means for individually managing the users belonging to the individual network, and a network management device that manages the whole network to which a plurality of such network connection devices are connected and that has user authentication means for determining whether a user within the individual network is permitted to make a service request to another individual network, the method characterized in that: in the network connection device, first, upon receiving from a user belonging to an individual network it accommodates a request for user authentication (accepting requests, allow requests, requests contain information to gain access, receiving requests, requests originating one, requests comprise one) in order to make a service request to another individual network, it requests user authentication from the network management device; next, upon receiving user authentication result information from the network management device, it registers that information in the user management means and notifies the user; subsequently, upon receiving from a user belonging to an individual network it accommodates a service request to another individual network, it determines by means of the user management means whether that user has received user authentication, and when it judges that the user has received user authentication, it connects the service request to the other individual network; and in parallel with this, in the network management device, upon receiving a request for user authentication from the network connection device, it judges by means of the user authentication means whether the user who requested the user authentication is a legitimate user, and sends the result information to the network connection device that made the request.

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (の要求) of a plurality of protocols .
JPH0964870A
CLAIM 14
[Claim 14] A method of operation processing for a network system composed of a network connection device that accommodates one or more individual networks each consisting of a server device and a client device and that has user management means for individually managing the users belonging to the individual network, and a network management device that manages the whole network to which a plurality of such network connection devices are connected and that has user authentication means for determining whether a user within the individual network is permitted to make a service request to another individual network, the method characterized in that: in the network connection device, first, upon receiving from a user belonging to an individual network it accommodates a request for user authentication (accepting requests, allow requests, requests contain information to gain access, receiving requests, requests originating one, requests comprise one) in order to make a service request to another individual network, it requests user authentication from the network management device; next, upon receiving user authentication result information from the network management device, it registers that information in the user management means and notifies the user; subsequently, upon receiving from a user belonging to an individual network it accommodates a service request to another individual network, it determines by means of the user management means whether that user has received user authentication, and when it judges that the user has received user authentication, it connects the service request to the other individual network; and in parallel with this, in the network management device, upon receiving a request for user authentication from the network connection device, it judges by means of the user authentication means whether the user who requested the user authentication is a legitimate user, and sends the result information to the network connection device that made the request.

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (少なくとも) , and a video codec .
JPH0964870A
CLAIM 3
[Claim 3] The network system according to claim 1 or 2, characterized in that the network management device has at least (storage device) a user authentication server that determines whether a user within the individual network is permitted to make a service request to another individual network or to the backbone network, a billing information management server that manages billing information based on the usage accompanying the service request by a user within the individual network, and a control unit that controls the backbone network as a whole, including the user authentication server and the billing information management server.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5764863A

Filed: 1995-07-19     Issued: 1998-06-09

Multiple original copy data printer

(Original Assignee) HP Inc     (Current Assignee) Hewlett Packard Development Co LP

Jeffrey E. Fall, Kevin C. Hess, Richard G. Lea
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (other port) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5764863A
CLAIM 1
. An image forming device for printing a desired number of multiple original copies of a document from an electronic transmission of a single copy of the document by a source document generating device , the transmission including a command indicating the number of copies desired , where the image forming device comprises : an input for receiving the electronic transmission of data representing a document to be printed and the desired number of times it is to be printed ;
a controller , including a non-volatile data storage device , the controller being electrically connected to the input , the controller being configured to : (i) distinguish between cases of multiple original copy (mopy) print jobs and single copy print jobs , and (ii) in the case of a mopy print job , copy the data to the data storage device as the data is sent to other portions (electronic communication, network protocol programs) of the controller for rendering into a rasterized image , and (iii) in either case render the data into a rasterized image , and (iv) in the case of a mopy print job read the data copied to the data storage device and render this data into a rasterized image the desired number of times less one ;
and a print engine being connected to the controller for printing the rendered image .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (other port) with each other over a same network , the NAD comprising :

a data management component (communicatively couple) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5764863A
CLAIM 1
. An image forming device for printing a desired number of multiple original copies of a document from an electronic transmission of a single copy of the document by a source document generating device , the transmission including a command indicating the number of copies desired , where the image forming device comprises : an input for receiving the electronic transmission of data representing a document to be printed and the desired number of times it is to be printed ;
a controller , including a non-volatile data storage device , the controller being electrically connected to the input , the controller being configured to : (i) distinguish between cases of multiple original copy (mopy) print jobs and single copy print jobs , and (ii) in the case of a mopy print job , copy the data to the data storage device as the data is sent to other portions (electronic communication, network protocol programs) of the controller for rendering into a rasterized image , and (iii) in either case render the data into a rasterized image , and (iv) in the case of a mopy print job read the data copied to the data storage device and render this data into a rasterized image the desired number of times less one ;
and a print engine being connected to the controller for printing the rendered image .

US5764863A
CLAIM 3
. A system for printing multiple original copies of a document comprising : a source document generator being configured to generate and transmit an electronic version of a document and to transmit a command indicating a desired number of copies of the document to be printed , if any ;
an image forming device capable of being communicatively coupled (data management component) with the source document generator for receiving transmissions therefrom , the image forming device including an input for receiving the electronic transmission of a document to be printed ;
a controller , including a non-volatile data storage device , the controller being electrically connected to the input and configured to :
(i) distinguish between cases of multiple original copy (mopy) print jobs and single copy print jobs , and (ii) in the case of a mopy print job , copy the data to the data storage device as the data is sent to other portions of the controller for rendering into a rasterized image , and (iii) in either case render the data into a rasterized image , and (iv) in the case of a mopy print job read the data copied to the data storage device and render this data into a rasterized image the desired number of times less one ;
and a print engine being connected to the controller for printing the rendered image .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data storage) .
US5764863A
CLAIM 1
. An image forming device for printing a desired number of multiple original copies of a document from an electronic transmission of a single copy of the document by a source document generating device , the transmission including a command indicating the number of copies desired , where the image forming device comprises : an input for receiving the electronic transmission of data representing a document to be printed and the desired number of times it is to be printed ;
a controller , including a non-volatile data storage (SCSI interface) device , the controller being electrically connected to the input , the controller being configured to : (i) distinguish between cases of multiple original copy (mopy) print jobs and single copy print jobs , and (ii) in the case of a mopy print job , copy the data to the data storage device as the data is sent to other portions of the controller for rendering into a rasterized image , and (iii) in either case render the data into a rasterized image , and (iv) in the case of a mopy print job read the data copied to the data storage device and render this data into a rasterized image the desired number of times less one ;
and a print engine being connected to the controller for printing the rendered image .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (storage device) , and a video codec .
US5764863A
CLAIM 1
. An image forming device for printing a desired number of multiple original copies of a document from an electronic transmission of a single copy of the document by a source document generating device , the transmission including a command indicating the number of copies desired , where the image forming device comprises : an input for receiving the electronic transmission of data representing a document to be printed and the desired number of times it is to be printed ;
a controller , including a non-volatile data storage device (storage device) , the controller being electrically connected to the input , the controller being configured to : (i) distinguish between cases of multiple original copy (mopy) print jobs and single copy print jobs , and (ii) in the case of a mopy print job , copy the data to the data storage device as the data is sent to other portions of the controller for rendering into a rasterized image , and (iii) in either case render the data into a rasterized image , and (iv) in the case of a mopy print job read the data copied to the data storage device and render this data into a rasterized image the desired number of times less one ;
and a print engine being connected to the controller for printing the rendered image .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (data storage) .
US5764863A
CLAIM 1
. An image forming device for printing a desired number of multiple original copies of a document from an electronic transmission of a single copy of the document by a source document generating device , the transmission including a command indicating the number of copies desired , where the image forming device comprises : an input for receiving the electronic transmission of data representing a document to be printed and the desired number of times it is to be printed ;
a controller , including a non-volatile data storage (SCSI interface) device , the controller being electrically connected to the input , the controller being configured to : (i) distinguish between cases of multiple original copy (mopy) print jobs and single copy print jobs , and (ii) in the case of a mopy print job , copy the data to the data storage device as the data is sent to other portions of the controller for rendering into a rasterized image , and (iii) in either case render the data into a rasterized image , and (iv) in the case of a mopy print job read the data copied to the data storage device and render this data into a rasterized image the desired number of times less one ;
and a print engine being connected to the controller for printing the rendered image .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (storage device) , and a video codec .
US5764863A
CLAIM 1
. An image forming device for printing a desired number of multiple original copies of a document from an electronic transmission of a single copy of the document by a source document generating device , the transmission including a command indicating the number of copies desired , where the image forming device comprises : an input for receiving the electronic transmission of data representing a document to be printed and the desired number of times it is to be printed ;
a controller , including a non-volatile data storage device (storage device) , the controller being electrically connected to the input , the controller being configured to : (i) distinguish between cases of multiple original copy (mopy) print jobs and single copy print jobs , and (ii) in the case of a mopy print job , copy the data to the data storage device as the data is sent to other portions of the controller for rendering into a rasterized image , and (iii) in either case render the data into a rasterized image , and (iv) in the case of a mopy print job read the data copied to the data storage device and render this data into a rasterized image the desired number of times less one ;
and a print engine being connected to the controller for printing the rendered image .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5621727A

Filed: 1995-07-07     Issued: 1997-04-15

System and method for private addressing plans using community addressing

(Original Assignee) Octel Communications Corp     (Current Assignee) Avaya Inc

Gregory M. Vaudreuil
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (public access) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5621727A
CLAIM 1
. A communications system , comprising : a network hub system comprising at least one public access (local area, IP address, local area network arrangement) port and at least one private access port ;
a messaging system operable to contact and connect to both the private and public access ports , the messaging system accessible to users and operable to receive and deliver messages from and to the users of the messaging system where at least some of the users are able to use public addressing and private addressing forms to address messages ;
and the network hub system comprising stored user tables comprising community information identifying particular users who are able to use private addressing forms to route messages to each other such that such users may use private global address forms unique within a community to address messages .
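The three header checks that claim 1 of US7739302B2 recites (an IP address of a network source, an IP address of a network destination, and a route of the data packet) as one concrete packet filter, added here as an illustration for readers of the chart. This is not code from the patent, from either assignee, or from the claim chart itself; the NAD address, the source allow-list and the sample packets are assumed values constructed for the example, and the "route" check is modelled as the presence of an IPv4 source-route option (types 131 and 137 per RFC 791), which is one reasonable reading of the claim language, not the patent's own definition.

```python
"""Header-based access check for a network attached device (NAD).

Added example for this claim chart; not code from US7739302B2 or from any
party to the analysis. It models the claim elements only: parse the IPv4
header of a request packet, extract the source address, the destination
address and any explicit route (source-route option), and authorize the
request only when all three pass a local policy that does not depend on a
perimeter firewall.
"""
import ipaddress
import struct

# Assumed policy for the example (constructed, not taken from the page):
# the NAD's own address and the client prefixes allowed to reach it.
NAD_ADDRESS = ipaddress.ip_address("192.0.2.10")
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]

# IPv4 option types that carry an explicit route (RFC 791):
# 131 = loose source route, 137 = strict source route.
SOURCE_ROUTE_OPTIONS = {131, 137}


def parse_ipv4_header(packet: bytes) -> dict:
    """Return src, dst and the raw option bytes of an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "options": packet[20:ihl],
    }


def has_source_route(options: bytes) -> bool:
    """Walk the IPv4 option list; True if a source-route option is present.

    Malformed or truncated options also return True so the filter fails closed.
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # end of option list
            return False
        if kind == 1:          # no-operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            return True        # option without a length byte
        length = options[i + 1]
        if length < 2:
            return True        # impossible length
        if kind in SOURCE_ROUTE_OPTIONS:
            return True
        i += length
    return False


def is_authorized(packet: bytes) -> tuple[bool, str]:
    """Decide whether the request carried in `packet` may reach the NAD.

    Returns (decision, reason); each deny reason corresponds to one of the
    three header checks named in the claim: destination, source, route.
    """
    try:
        hdr = parse_ipv4_header(packet)
    except ValueError as exc:
        return False, f"unparseable header: {exc}"
    if hdr["dst"] != NAD_ADDRESS:
        return False, "destination is not this NAD"
    if not any(hdr["src"] in net for net in ALLOWED_SOURCES):
        return False, "source address not in allow-list"
    if has_source_route(hdr["options"]):
        return False, "explicit source route present"
    return True, "authorized"


def build_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no payload) for constructed test packets."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return header + options


if __name__ == "__main__":
    # Constructed sample requests: an internal client, an external client,
    # and an internal client whose packet carries a loose source route.
    samples = {
        "internal client": build_packet("192.0.2.25", "192.0.2.10"),
        "external client": build_packet("198.51.100.7", "192.0.2.10"),
        "source-routed": build_packet("192.0.2.25", "192.0.2.10",
                                      b"\x83\x07\x04\x0a\x00\x00\x01"),
    }
    for name, pkt in samples.items():
        print(f"{name:16} -> {is_authorized(pkt)}")
```

The filter runs on the NAD (or NAD server) side and consults only its own policy, which is the point the claim makes about protection "in addition to any protection afforded by a firewall": a request that the perimeter firewall already passed, or that never crossed it because it originated on the same network, is still checked here.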

US7739302B2
CLAIM 5
. A local area (public access) network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (private address, global address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5621727A
CLAIM 1
. A communications system , comprising : a network hub system comprising at least one public access (local area, IP address, local area network arrangement) port and at least one private access port ;
a messaging system operable to contact and connect to both the private and public access ports , the messaging system accessible to users and operable to receive and deliver messages from and to the users of the messaging system where at least some of the users are able to use public addressing and private addressing (IP addresses) forms to address messages ;
and the network hub system comprising stored user tables comprising community information identifying particular users who are able to use private addressing forms to route messages to each other such that such users may use private global address (IP addresses) forms unique within a community to address messages .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address (public access) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5621727A
CLAIM 1
. A communications system , comprising : a network hub system comprising at least one public access (local area, IP address, local area network arrangement) port and at least one private access port ;
a messaging system operable to contact and connect to both the private and public access ports , the messaging system accessible to users and operable to receive and deliver messages from and to the users of the messaging system where at least some of the users are able to use public addressing and private addressing forms to address messages ;
and the network hub system comprising stored user tables comprising community information identifying particular users who are able to use private addressing forms to route messages to each other such that such users may use private global address forms unique within a community to address messages .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (public access) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5621727A
CLAIM 1
. A communications system , comprising : a network hub system comprising at least one public access (local area, IP address, local area network arrangement) port and at least one private access port ;
a messaging system operable to contact and connect to both the private and public access ports , the messaging system accessible to users and operable to receive and deliver messages from and to the users of the messaging system where at least some of the users are able to use public addressing and private addressing forms to address messages ;
and the network hub system comprising stored user tables comprising community information identifying particular users who are able to use private addressing forms to route messages to each other such that such users may use private global address forms unique within a community to address messages .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit to determine whether each packet contains an unauthorized IP address (public access) .
US5621727A
CLAIM 1
. A communications system , comprising : a network hub system comprising at least one public access (local area, IP address, local area network arrangement) port and at least one private access port ;
a messaging system operable to contact and connect to both the private and public access ports , the messaging system accessible to users and operable to receive and deliver messages from and to the users of the messaging system where at least some of the users are able to use public addressing and private addressing forms to address messages ;
and the network hub system comprising stored user tables comprising community information identifying particular users who are able to use private addressing forms to route messages to each other such that such users may use private global address forms unique within a community to address messages .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address (public access) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5621727A
CLAIM 1
. A communications system , comprising : a network hub system comprising at least one public access (local area, IP address, local area network arrangement) port and at least one private access port ;
a messaging system operable to contact and connect to both the private and public access ports , the messaging system accessible to users and operable to receive and deliver messages from and to the users of the messaging system where at least some of the users are able to use public addressing and private addressing forms to address messages ;
and the network hub system comprising stored user tables comprising community information identifying particular users who are able to use private addressing forms to route messages to each other such that such users may use private global address forms unique within a community to address messages .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5793762A

Filed: 1995-07-06     Issued: 1998-08-11

System and method for providing packet data and voice services to mobile subscribers

(Original Assignee) US West Advanced Technologies Inc     (Current Assignee) Qwest Communications International Inc

John Henry Hubert Penners, Purushottam Vithal Kamat, Dejan Sirovica
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (subscription information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5793762A
CLAIM 1
. For use in cooperation with an Internet Packet Data Network (IPDN) and an Advanced Intelligent Network (AIN) having an existing wireline switch , a system for providing Internet data and voice services to mobile subscribers at mobile terminals without using a mobile telephone switch , the system comprising : a Home Location Register (HLR) for storing and providing subscription information (network destination) of said mobile terminals and keeping track of where said mobile terminals are registered in order to deliver Internet data and voice calls thereto ;
a plurality of Radio Port Controllers (RPCs) each having a corresponding serving area and provided in electrical communication with said wireline switch via ISDN signalling , each of said RPCs further having at least one Radio Port (RP) provided in electrical communication with an RPC for transmitting and receiving Internet data and voice calls to and from mobile terminals registered in said RPC serving area and means for performing handover between a target RPC and an RPC currently serving a mobile terminal by bridging a call made from the target RPC to the RPC currently serving the mobile terminal internally , wherein said wireline switch has no knowledge of said handover ;
an Internet Access Node in electrical communication with said wireline switch ;
a Home Agent in electrical communication with said Internet Access Node via said IPDN and operable with the RPCs for transmitting and receiving Internet data to and from said mobile terminals ;
and a Visitor Location Register/Directory Number Manager (VLD/DN-Mgr) in electrical communication with said wireline switch , said HLR , and said plurality of RPCs for managing call information about said mobile terminals registered in said RPC serving areas by assigning and deleting temporary routing Directory Numbers (DNs) for said calls .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (subscription information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5793762A
CLAIM 1
. For use in cooperation with an Internet Packet Data Network (IPDN) and an Advanced Intelligent Network (AIN) having an existing wireline switch , a system for providing Internet data and voice services to mobile subscribers at mobile terminals without using a mobile telephone switch , the system comprising : a Home Location Register (HLR) for storing and providing subscription information (network destination) of said mobile terminals and keeping track of where said mobile terminals are registered in order to deliver Internet data and voice calls thereto ;
a plurality of Radio Port Controllers (RPCs) each having a corresponding serving area and provided in electrical communication with said wireline switch via ISDN signalling , each of said RPCs further having at least one Radio Port (RP) provided in electrical communication with an RPC for transmitting and receiving Internet data and voice calls to and from mobile terminals registered in said RPC serving area and means for performing handover between a target RPC and an RPC currently serving a mobile terminal by bridging a call made from the target RPC to the RPC currently serving the mobile terminal internally , wherein said wireline switch has no knowledge of said handover ;
an Internet Access Node in electrical communication with said wireline switch ;
a Home Agent in electrical communication with said Internet Access Node via said IPDN and operable with the RPCs for transmitting and receiving Internet data to and from said mobile terminals ;
and a Visitor Location Register/Directory Number Manager (VLD/DN-Mgr) in electrical communication with said wireline switch , said HLR , and said plurality of RPCs for managing call information about said mobile terminals registered in said RPC serving areas by assigning and deleting temporary routing Directory Numbers (DNs) for said calls .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (subscription information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5793762A
CLAIM 1
. For use in cooperation with an Internet Packet Data Network (IPDN) and an Advanced Intelligent Network (AIN) having an existing wireline switch , a system for providing Internet data and voice services to mobile subscribers at mobile terminals without using a mobile telephone switch , the system comprising : a Home Location Register (HLR) for storing and providing subscription information (network destination) of said mobile terminals and keeping track of where said mobile terminals are registered in order to deliver Internet data and voice calls thereto ;
a plurality of Radio Port Controllers (RPCs) each having a corresponding serving area and provided in electrical communication with said wireline switch via ISDN signalling , each of said RPCs further having at least one Radio Port (RP) provided in electrical communication with an RPC for transmitting and receiving Internet data and voice calls to and from mobile terminals registered in said RPC serving area and means for performing handover between a target RPC and an RPC currently serving a mobile terminal by bridging a call made from the target RPC to the RPC currently serving the mobile terminal internally , wherein said wireline switch has no knowledge of said handover ;
an Internet Access Node in electrical communication with said wireline switch ;
a Home Agent in electrical communication with said Internet Access Node via said IPDN and operable with the RPCs for transmitting and receiving Internet data to and from said mobile terminals ;
and a Visitor Location Register/Directory Number Manager (VLD/DN-Mgr) in electrical communication with said wireline switch , said HLR , and said plurality of RPCs for managing call information about said mobile terminals registered in said RPC serving areas by assigning and deleting temporary routing Directory Numbers (DNs) for said calls .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means (mobile terminals) for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (subscription information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5793762A
CLAIM 1
. For use in cooperation with an Internet Packet Data Network (IPDN) and an Advanced Intelligent Network (AIN) having an existing wireline switch , a system for providing Internet data and voice services to mobile subscribers at mobile terminals (filtering comprises means) without using a mobile telephone switch , the system comprising : a Home Location Register (HLR) for storing and providing subscription information (network destination) of said mobile terminals and keeping track of where said mobile terminals are registered in order to deliver Internet data and voice calls thereto ;
a plurality of Radio Port Controllers (RPCs) each having a corresponding serving area and provided in electrical communication with said wireline switch via ISDN signalling , each of said RPCs further having at least one Radio Port (RP) provided in electrical communication with an RPC for transmitting and receiving Internet data and voice calls to and from mobile terminals registered in said RPC serving area and means for performing handover between a target RPC and an RPC currently serving a mobile terminal by bridging a call made from the target RPC to the RPC currently serving the mobile terminal internally , wherein said wireline switch has no knowledge of said handover ;
an Internet Access Node in electrical communication with said wireline switch ;
a Home Agent in electrical communication with said Internet Access Node via said IPDN and operable with the RPCs for transmitting and receiving Internet data to and from said mobile terminals ;
and a Visitor Location Register/Directory Number Manager (VLD/DN-Mgr) in electrical communication with said wireline switch , said HLR , and said plurality of RPCs for managing call information about said mobile terminals registered in said RPC serving areas by assigning and deleting temporary routing Directory Numbers (DNs) for said calls .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5706507A

Filed: 1995-07-05     Issued: 1998-01-06

System and method for controlling access to data located on a content server

(Original Assignee) International Business Machines Corp     (Current Assignee) Activision Publishing Inc

Robert Jeffrey Schloss
US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data request) .
US5706507A
CLAIM 1
. In a distributed data communication system wherein communication between a content requestor and a first content server occurs over a first communication link , wherein said content requestor under control of user input communicates a data request (SCSI interface) signal to said first content server over said first communication link , and wherein said first content server , upon receiving said data request signal , communicates content data to said content requestor according to said data request signal , a method of filtering said content data comprising the steps of : setting said content requestor in an advisory mode wherein said content requestor communicates portions of said data request signal to a first advisory server over a second communication link , and wherein said first advisory server is remote from said first content server ;
controlling said first advisory server upon receipt of said portions of said request signal to retrieve characterization data from a data base coupled to said first advisory server and to communicate said characterization data to said content requestor over said second communication link ;
and inhibiting loading of at least a portion of said content data according to said characterization data .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device , and a video codec (generates information) .
US5706507A
CLAIM 10
. The method of claim 8 , wherein said content requestor generates information (video codec) related to said characterization data and said user profile data .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (data request) .
US5706507A
CLAIM 1
. In a distributed data communication system wherein communication between a content requestor and a first content server occurs over a first communication link , wherein said content requestor under control of user input communicates a data request (SCSI interface) signal to said first content server over said first communication link , and wherein said first content server , upon receiving said data request signal , communicates content data to said content requestor according to said data request signal , a method of filtering said content data comprising the steps of : setting said content requestor in an advisory mode wherein said content requestor communicates portions of said data request signal to a first advisory server over a second communication link , and wherein said first advisory server is remote from said first content server ;
controlling said first advisory server upon receipt of said portions of said request signal to retrieve characterization data from a data base coupled to said first advisory server and to communicate said characterization data to said content requestor over said second communication link ;
and inhibiting loading of at least a portion of said content data according to said characterization data .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device , and a video codec (generates information) .
US5706507A
CLAIM 10
. The method of claim 8 , wherein said content requestor generates information (video codec) related to said characterization data and said user profile data .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5636371A

Filed: 1995-06-07     Issued: 1997-06-03

Virtual network mechanism to access well known port application programs running on a single host system

(Original Assignee) Bull HN Information Systems Inc     (Current Assignee) Bull HN Information Systems Inc

Kin C. Yu
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (standard communication) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (data packet) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (pointer value, IP address) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5636371A
CLAIM 4
. The method of claim 1 wherein the standard communications (network client) network protocol is the TCP/IP protocol , the station address identifier value corresponds to an IP address (IP address) containing IP source and IP destination addresses and the well-known service function identifier value corresponds to a TCP well-known port number value containing TCP source and TCP destination port numbers .

US5636371A
CLAIM 8
. The method of claim 7 wherein the second structure contains a predetermined number of fields , a first field for storing the state of the virtual network mechanism , a second field for maintaining a count of the number of different client entries being managed by the virtual network mechanism , third and fourth fields for storing the local host and virtual host station address identifier values wherein the virtual host station value is generated by performing an arithmetic operation on the local host station address identifier value and a fifth field for storing a client pointer value (IP address) for accessing the first client table structure generated by the virtual network mechanism .

US7739302B2
CLAIM 5
. A local area (local area) network arrangement comprising a network client (standard communication) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (data packet) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5636371A
CLAIM 4
. The method of claim 1 wherein the standard communications (network client) network protocol is the TCP/IP protocol , the station address identifier value corresponds to an IP address containing IP source and IP destination addresses (IP addresses) and the well-known service function identifier value corresponds to a TCP well-known port number value containing TCP source and TCP destination port numbers .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (data packet) arrived via an authorized network interface (network interface) .
US5636371A
CLAIM 2
. The method of claim 1 wherein the virtual network mechanism includes interfacing software similar to the network interface (network interface) unit for minimizing the amount of software required to be added to the local host operating system and for utilizing the network routing capabilities of the communications network software facility .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address (pointer value, IP address) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5636371A
CLAIM 4
. The method of claim 1 wherein the standard communications network protocol is the TCP/IP protocol , the station address identifier value corresponds to an IP address (IP address) containing IP source and IP destination addresses and the well-known service function identifier value corresponds to a TCP well-known port number value containing TCP source and TCP destination port numbers .

US5636371A
CLAIM 8
. The method of claim 7 wherein the second structure contains a predetermined number of fields , a first field for storing the state of the virtual network mechanism , a second field for maintaining a count of the number of different client entries being managed by the virtual network mechanism , third and fourth fields for storing the local host and virtual host station address identifier values wherein the virtual host station value is generated by performing an arithmetic operation on the local host station address identifier value and a fifth field for storing a client pointer value (IP address) for accessing the first client table structure generated by the virtual network mechanism .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network interface) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address (pointer value, IP address) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5636371A
CLAIM 2
. The method of claim 1 wherein the virtual network mechanism includes interfacing software similar to the network interface (network interface) unit for minimizing the amount of software required to be added to the local host operating system and for utilizing the network routing capabilities of the communications network software facility .

US5636371A
CLAIM 4
. The method of claim 1 wherein the standard communications network protocol is the TCP/IP protocol , the station address identifier value corresponds to an IP address (IP address) containing IP source and IP destination addresses and the well-known service function identifier value corresponds to a TCP well-known port number value containing TCP source and TCP destination port numbers .

US5636371A
CLAIM 8
. The method of claim 7 wherein the second structure contains a predetermined number of fields , a first field for storing the state of the virtual network mechanism , a second field for maintaining a count of the number of different client entries being managed by the virtual network mechanism , third and fourth fields for storing the local host and virtual host station address identifier values wherein the virtual host station value is generated by performing an arithmetic operation on the local host station address identifier value and a fifth field for storing a client pointer value (IP address) for accessing the first client table structure generated by the virtual network mechanism .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface) .
US5636371A
CLAIM 2
. The method of claim 1 wherein the virtual network mechanism includes interfacing software similar to the network interface (network interface) unit for minimizing the amount of software required to be added to the local host operating system and for utilizing the network routing capabilities of the communications network software facility .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit to determine whether each packet contains an unauthorized IP address (pointer value, IP address) .
US5636371A
CLAIM 4
. The method of claim 1 wherein the standard communications network protocol is the TCP/IP protocol , the station address identifier value corresponds to an IP address (IP address) containing IP source and IP destination addresses and the well-known service function identifier value corresponds to a TCP well-known port number value containing TCP source and TCP destination port numbers .

US5636371A
CLAIM 8
. The method of claim 7 wherein the second structure contains a predetermined number of fields , a first field for storing the state of the virtual network mechanism , a second field for maintaining a count of the number of different client entries being managed by the virtual network mechanism , third and fourth fields for storing the local host and virtual host station address identifier values wherein the virtual host station value is generated by performing an arithmetic operation on the local host station address identifier value and a fifth field for storing a client pointer value (IP address) for accessing the first client table structure generated by the virtual network mechanism .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (first structure) , and a video codec .
US5636371A
CLAIM 6
. The method of claim 5 wherein the predetermined types of control data structures includes a first structure (storage device) which defines the existence of the virtual network mechanism to the network software facility and a second structure which defines the virtual network mechanism .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address (pointer value, IP address) of a network source , an IP address of a network destination , and a route of the data packet (data packet) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5636371A
CLAIM 4
. The method of claim 1 wherein the standard communications network protocol is the TCP/IP protocol , the station address identifier value corresponds to an IP address (IP address) containing IP source and IP destination addresses and the well-known service function identifier value corresponds to a TCP well-known port number value containing TCP source and TCP destination port numbers .

US5636371A
CLAIM 8
. The method of claim 7 wherein the second structure contains a predetermined number of fields , a first field for storing the state of the virtual network mechanism , a second field for maintaining a count of the number of different client entries being managed by the virtual network mechanism , third and fourth fields for storing the local host and virtual host station address identifier values wherein the virtual host station value is generated by performing an arithmetic operation on the local host station address identifier value and a fifth field for storing a client pointer value (IP address) for accessing the first client table structure generated by the virtual network mechanism .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (interface component) is further configured to manage access over a SCSI interface .
US5636371A
CLAIM 18
. The mechanism of claim 17 wherein the mechanism further includes an initialization component for setting up and building predetermined types of control data structures for enabling processing of each incoming and outgoing packet received from the interface component (managing means) .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (first structure) , and a video codec .
US5636371A
CLAIM 6
. The method of claim 5 wherein the predetermined types of control data structures includes a first structure (storage device) which defines the existence of the virtual network mechanism to the network software facility and a second structure which defines the virtual network mechanism .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5708780A

Filed: 1995-06-07     Issued: 1998-01-13

Internet server access control and monitoring systems

(Original Assignee) Open Market Inc     (Current Assignee) Soverain Ip LLC ; Open Market Inc

Thomas Mark Levergood, Lawrence C. Stewart, Stephen Jeffrey Morris, Andrew C. Payne, George Winfield Treese
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5708780A
CLAIM 32
. An information (network destination) system on a network , comprising : means for receiving service requests from clients and for determining whether a service request includes a session identifier , wherein communications between the client and server system are according to hypertext transfer protocol ;
means for appending the session identifier as part of a path name in a uniform resource locator in response to an initial service request in a session of requests ;
and means for servicing service requests from a client which include the session identifier , the subsequent service request being processed in the session .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients (client request) having different operating systems .
US5708780A
CLAIM 22
. A method of processing service requests from a client to a server system through a network , said method comprising the steps of : appending as part of a path name in a uniform resource locator a session identifier to the request , wherein communications between the client and server system are according to hypertext transfer protocol ;
responding to requests for hypertext pages received from a client through the network by returning the requested hypertext pages to the client ;
responding to further client requests (network clients) related to links in the hypertext pages ;
and tracking the further client requests related to a particular hypertext page .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5708780A
CLAIM 32
. An information (network destination) system on a network , comprising : means for receiving service requests from clients and for determining whether a service request includes a session identifier , wherein communications between the client and server system are according to hypertext transfer protocol ;
means for appending the session identifier as part of a path name in a uniform resource locator in response to an initial service request in a session of requests ;
and means for servicing service requests from a client which include the session identifier , the subsequent service request being processed in the session .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5708780A
CLAIM 32
. An information (network destination) system on a network , comprising : means for receiving service requests from clients and for determining whether a service request includes a session identifier , wherein communications between the client and server system are according to hypertext transfer protocol ;
means for appending the session identifier as part of a path name in a uniform resource locator in response to an initial service request in a session of requests ;
and means for servicing service requests from a client which include the session identifier , the subsequent service request being processed in the session .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (requested service) device , the selectively generated packet containing the request for access to the directly attached device .
US5708780A
CLAIM 13
. A method as claimed in claim 12 wherein : a client directs a service request to a first server which is to provide the requested service (intermediary computing) ;
the first server checks the service request for a session identifier and only services a service request having a valid session identifier , and where the service request has no valid identifier : the first server redirects the service request from the client to the authorization server ;
the authorization server subjects the client to the authorization routine and issues the session identifier to be appended to the service request to the first server ;
the client forwards the service request appended with the session identifier to the first server ;
and the first server recognizes the session identifier and services the service request to the client ;
and the client appends the session identifier to subsequent service requests to the server system and is serviced without further authorization .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (client request) and other devices in a manner that is in addition to any protection afforded by a firewall .
US5708780A
CLAIM 22
. A method of processing service requests from a client to a server system through a network , said method comprising the steps of : appending as part of a path name in a uniform resource locator a session identifier to the request , wherein communications between the client and server system are according to hypertext transfer protocol ;
responding to requests for hypertext pages received from a client through the network by returning the requested hypertext pages to the client ;
responding to further client requests (network clients) related to links in the hypertext pages ;
and tracking the further client requests related to a particular hypertext page .

US5708780A
CLAIM 32
. An information (network destination) system on a network , comprising : means for receiving service requests from clients and for determining whether a service request includes a session identifier , wherein communications between the client and server system are according to hypertext transfer protocol ;
means for appending the session identifier as part of a path name in a uniform resource locator in response to an initial service request in a session of requests ;
and means for servicing service requests from a client which include the session identifier , the subsequent service request being processed in the session .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5721908A

Filed: 1995-06-07     Issued: 1998-02-24

Computer network for WWW server data access over internet

(Original Assignee) International Business Machines Corp     (Current Assignee) Google LLC

Konrad Charles Lagarde, Richard Michael Rogers
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (multiple networks) for network access (support functions) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (public access) of a network source (support functions) , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5721908A
CLAIM 9
. A computer network according to claim 7 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5721908A
CLAIM 22
. A computer network according to claim 21 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and communicated to said web browser after passing through multiple networks (data packet) .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (support functions) to the NAD from a plurality of network clients (client request) having different operating systems .
US5721908A
CLAIM 1
. A computer network comprising a plurality of servers , each supporting at least one client computer , said network comprising : said client computer for making requests ;
said server coupled to said client for receiving and fulfilling a request as an agent of said client ;
a plurality of information access servers , for acting a sub-agents for said server during a process of fulfilling requests , said information access servers providing access to capsule objects which perform programmable functions which are executable upon a received command initiated from said server , said server including a control program agent for receiving a user request initiated at the client computer for information and for transmitting said request to a sub-agent information access server having capsule objects which execute upon control programmable functions requested by said server ;
said sub-agent information access servers being coupled directly and/or via the network to a plurality of database resource gateways for information retrieval from ones of a plurality of database resources having data which may fulfill a data need of said request ;
said sub-agent information access servers executing a capsule object to cause any relevant information contained in said plurality of database resources which fulfill a data need of said request to be retrieved and processed by said sub-agent capsule object , said sub-agent after retrieval from the databases and processing of said data storing said retrieved and processed data as results in a file created for return to said control program agent of said server and returning said created file to said server in response to said control program agent transmission , said control program agent of said server upon receipt of said file from said sub-agent causing a report of said results of said sub-agent's processed to a facility determined by said client request (network clients) ;
and wherein said network includes a web browser , means for associating said web browser with a homepage including a first control program agent node supporting a control program agent coupled to and supporting said homepage and supporting an API to access a database available to said first control program agent node , said control program agent and API enabling a user of said web browser to gather information from said database available to said first control program agent node and to gather information from an intranet resource and to provide access thereto in response to an interrogation initiated at a remote web browser , and wherein said web browser is at a web server location with said web server providing said control program agent node , and browser requests , if authorized for access across said intranet , accesses a command file agent in a web server on said intranet providing said second command file agent node , which then utilize capsule objects provided by a server functioning as a command file server .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (support functions) to the NAD is authorized comprises determining whether information in the header of a received data packet (multiple network) containing the request for network access is complete , the information relating to at least one of the network source (support functions) , destination , and route of the data packet .
US5721908A
CLAIM 22
. A computer network according to claim 21 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and communicated to said web browser after passing through multiple network (data packet) s .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 5
. A local area (public access) network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (support functions) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (multiple network) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (support functions) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5721908A
CLAIM 9
. A computer network according to claim 7 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5721908A
CLAIM 22
. A computer network according to claim 21 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and communicated to said web browser after passing through multiple network (data packet) s .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (multiple network) arrived via an authorized network interface (support functions) .
US5721908A
CLAIM 22
. A computer network according to claim 21 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and communicated to said web browser after passing through multiple network (data packet) s .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (multiple network) to the proper port ;

and at the proper port , provide the requested network access (support functions) to the NAD .
US5721908A
CLAIM 22
. A computer network according to claim 21 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and communicated to said web browser after passing through multiple network (data packet) s .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (support functions) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (multiple network) containing the request for network access includes at least one of an IP address (public access) of a network source (support functions) , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5721908A
CLAIM 9
. A computer network according to claim 7 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5721908A
CLAIM 22
. A computer network according to claim 21 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and communicated to said web browser after passing through multiple network (data packet) s .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (support functions) to the NAD is only available through the server .
US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (support functions) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (multiple network) containing the request for network access (support functions) includes at least one of an IP address (public access) of a network source (support functions) , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5721908A
CLAIM 9
. A computer network according to claim 7 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5721908A
CLAIM 22
. A computer network according to claim 21 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and communicated to said web browser after passing through multiple network (data packet) s .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (support functions) .
US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit to determine whether each packet contains an unauthorized IP address (public access) .
US5721908A
CLAIM 9
. A computer network according to claim 7 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (other service) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address (public access) of a network source (support functions) , an IP address of a network destination (n information) , and a route of the data packet (multiple network) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (client request) and other devices in a manner that is in addition to any protection afforded by a firewall .
US5721908A
CLAIM 6
. A computer network according to claim 4 , further comprising command objects for performing calculations , formatting , and other service (receiving requests) s prior to reporting to the web browser or to other locations , in a selected format a requested result report selected from a set of result reports , including a display report , facsimile report , a printer report , a report to customer installations , and a report to TV video subscribers , with account tracking .

US5721908A
CLAIM 9
. A computer network according to claim 7 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5721908A
CLAIM 22
. A computer network according to claim 21 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and communicated to said web browser after passing through multiple network (data packet) s .

US5721908A
CLAIM 23
. A computer network comprising a plurality of servers , each supporting at least one client computer , said network comprising : said client computer for making requests ;
said server coupled to said client for receiving and fulfilling a request as an agent of said client ;
a plurality of information access servers , for acting a sub-agents for said server during a process of fulfilling requests , said information access servers providing access to capsule objects which perform programmable functions which are executable upon a received command initiated from said server , said server including a control program agent for receiving a user request initiated at the client computer for information and for transmitting said request to a sub-agent information access server having capsule objects which execute upon control programmable functions requested by said server ;
said sub-agent information access servers being coupled directly and/or via the network to a plurality of database resource gateways for information retrieval from ones of a plurality of database resources having data which may fulfill a data need of said request ;
said sub-agent information access servers executing a capsule object to cause any relevant information contained in said plurality of database resources which fulfill a data need of said request to be retrieved and processed by said sub-agent capsule object , said sub-agent after retrieval from the databases and processing of said data storing said retrieved and processed data as results in a file created for return to said control program agent of said server and returning said created file to said server in response to said control program agent transmission , said control program agent of said server upon receipt of said file from said sub-agent causing a report of said results of said sub-agent's processed to a facility determined by said client request (network clients) ;
and wherein said network includes a web browser , means for associating said web browser with a homepage including a first control program agent node supporting a control program agent coupled to and supporting said homepage and supporting an API to access a database available to said first control program agent node , said control program agent and API enabling a user of said web browser to gather information from said database available to said first control program agent node and to gather information from an intranet resource and to provide access thereto in response to an interrogation initiated at a remote web browser .

US5721908A
CLAIM 25
. A computer network according to claim 23 , wherein said second control program agent node is coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said second control program agent node located somewhere on the Internet supporting said second control program agent by a coupling or addressing with a uniform resource locator , said first control program agent being coupled to said second control program agent node located somewhere on the Internet supporting said second control program agent and coupled to and supporting a a command file server , said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5745754A

Filed: 1995-06-07     Issued: 1998-04-28

Sub-agent for fulfilling requests of a web browser using an intelligent agent and providing a report

(Original Assignee) International Business Machines Corp     (Current Assignee) Google LLC

Konrad Charles Lagarde, Richard Michael Rogers
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said format) for network access (processing step) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5745754A
CLAIM 21
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 , having a method which includes a step of : performing additional steps (91(b) , 91(c) , 91(d) , and 91(n)) of database queries to retrieve data and store in a command file object buffer data retrieved from other base databases , each returning data back to a command file declared buffer , and in a subsequent linked processing step (network access, providing network access) (92) data from said database queries in any preceding data retrieval steps is joined according to an object command file and stored in a buffer related to this joining object command file .

US5745754A
CLAIM 23
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step wherein in accordance with request parameters text is formatted to space text delimited by a format object command file (94) , and the formatted text results are stored in a buffer associated with said format (data packet) object command file (94) .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (processing step) to the NAD from a plurality of network clients having different operating systems .
US5745754A
CLAIM 21
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 , having a method which includes a step of : performing additional steps (91(b) , 91(c) , 91(d) , and 91(n)) of database queries to retrieve data and store in a command file object buffer data retrieved from other base databases , each returning data back to a command file declared buffer , and in a subsequent linked processing step (network access, providing network access) (92) data from said database queries in any preceding data retrieval steps is joined according to an object command file and stored in a buffer related to this joining object command file .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (processing step) to the NAD is authorized comprises determining whether information in the header of a received data packet (said format) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5745754A
CLAIM 21
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 , having a method which includes a step of : performing additional steps (91(b) , 91(c) , 91(d) , and 91(n)) of database queries to retrieve data and store in a command file object buffer data retrieved from other base databases , each returning data back to a command file declared buffer , and in a subsequent linked processing step (network access, providing network access) (92) data from said database queries in any preceding data retrieval steps is joined according to an object command file and stored in a buffer related to this joining object command file .

US5745754A
CLAIM 23
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step wherein in accordance with request parameters text is formatted to space text delimited by a format object command file (94) , and the formatted text results are stored in a buffer associated with said format (data packet) object command file (94) .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (specific functions) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (processing step) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said format) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5745754A
CLAIM 13
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step of : providing functions as by successive execution of a list of commands listed in a command file , including any calls to link commands provided in a file external to said command file , to perform specific functions (electronic communication) that are requested by a user from an initiation session .

US5745754A
CLAIM 21
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 , having a method which includes a step of : performing additional steps (91(b) , 91(c) , 91(d) , and 91(n)) of database queries to retrieve data and store in a command file object buffer data retrieved from other base databases , each returning data back to a command file declared buffer , and in a subsequent linked processing step (network access, providing network access) (92) data from said database queries in any preceding data retrieval steps is joined according to an object command file and stored in a buffer related to this joining object command file .

US5745754A
CLAIM 23
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step wherein in accordance with request parameters text is formatted to space text delimited by a format object command file (94) , and the formatted text results are stored in a buffer associated with said format (data packet) object command file (94) .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said format) arrived via an authorized network interface .
US5745754A
CLAIM 23
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step wherein in accordance with request parameters text is formatted to space text delimited by a format object command file (94) , and the formatted text results are stored in a buffer associated with said format (data packet) object command file (94) .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said format) to the proper port ;

and at the proper port , provide the requested network access (processing step) to the NAD .
US5745754A
CLAIM 21
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 , having a method which includes a step of : performing additional steps (91(b) , 91(c) , 91(d) , and 91(n)) of database queries to retrieve data and store in a command file object buffer data retrieved from other base databases , each returning data back to a command file declared buffer , and in a subsequent linked processing step (network access, providing network access) (92) data from said database queries in any preceding data retrieval steps is joined according to an object command file and stored in a buffer related to this joining object command file .

US5745754A
CLAIM 23
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step wherein in accordance with request parameters text is formatted to space text delimited by a format object command file (94) , and the formatted text results are stored in a buffer associated with said format (data packet) object command file (94) .

US7739302B2
CLAIM 10
. A system for managing access (search requests) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (processing step) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said format) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5745754A
CLAIM 20
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
wherein a multiple data retrieval command file (91(a) . . . 91(n)) initiates as a first step , multiple queries to different databases which are specified by parameters of the request to initiate multiple queries as SQL search requests (managing access) with as multiple steps (91(a) . . . 91(n)) executed by a command file server with a database gateway to select data from differing base databases located inside an intranet and on the Internet by internetwork routing to at least one other database gateway and its linked databases , and storing data selected from differing databases in a buffer declared by the command file .

US5745754A
CLAIM 21
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 , having a method which includes a step of : performing additional steps (91(b) , 91(c) , 91(d) , and 91(n)) of database queries to retrieve data and store in a command file object buffer data retrieved from other base databases , each returning data back to a command file declared buffer , and in a subsequent linked processing step (network access, providing network access) (92) data from said database queries in any preceding data retrieval steps is joined according to an object command file and stored in a buffer related to this joining object command file .

US5745754A
CLAIM 23
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step wherein in accordance with request parameters text is formatted to space text delimited by a format object command file (94) , and the formatted text results are stored in a buffer associated with said format (data packet) object command file (94) .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (processing step) to the NAD is only available through the server .
US5745754A
CLAIM 21
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 , having a method which includes a step of : performing additional steps (91(b) , 91(c) , 91(d) , and 91(n)) of database queries to retrieve data and store in a command file object buffer data retrieved from other base databases , each returning data back to a command file declared buffer , and in a subsequent linked processing step (network access, providing network access) (92) data from said database queries in any preceding data retrieval steps is joined according to an object command file and stored in a buffer related to this joining object command file .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said format) containing the request for network access (processing step) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests (more responses) for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5745754A
CLAIM 12
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step of : responding to a recorded click on one or more object icons portrayed on a user screen and linking command files represented by said icon to link a succession of executable functions to perform as indicated by said one or more icons portrayed on said user screen and linked by said one or more responses (deny requests) to a recorded click .

US5745754A
CLAIM 21
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 , having a method which includes a step of : performing additional steps (91(b) , 91(c) , 91(d) , and 91(n)) of database queries to retrieve data and store in a command file object buffer data retrieved from other base databases , each returning data back to a command file declared buffer , and in a subsequent linked processing step (network access, providing network access) (92) data from said database queries in any preceding data retrieval steps is joined according to an object command file and stored in a buffer related to this joining object command file .

US5745754A
CLAIM 23
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step wherein in accordance with request parameters text is formatted to space text delimited by a format object command file (94) , and the formatted text results are stored in a buffer associated with said format (data packet) object command file (94) .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (said format) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5745754A
CLAIM 23
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
having a method which includes a step wherein in accordance with request parameters text is formatted to space text delimited by a format object command file (94) , and the formatted text results are stored in a buffer associated with said format (data packet) object command file (94) .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access (search requests) to the NAD over a device interface if the request is allowed .
US5745754A
CLAIM 20
. A sub-agent service agent for fulfilling requests of a web browser client coupled to a network according to claim 1 ;
wherein a multiple data retrieval command file (91(a) . . . 91(n)) initiates as a first step , multiple queries to different databases which are specified by parameters of the request to initiate multiple queries as SQL search requests (managing access) with as multiple steps (91(a) . . . 91(n)) executed by a command file server with a database gateway to select data from differing base databases located inside an intranet and on the Internet by internetwork routing to at least one other database gateway and its linked databases , and storing data selected from differing databases in a buffer declared by the command file .




US5793964A

Filed: 1995-06-07     Issued: 1998-08-11

Web browser system

(Original Assignee) International Business Machines Corp     (Current Assignee) Google LLC

Richard Michael Rogers, Konrad Charles Lagarde
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (multiple network, second data) for network access (support functions) to the NAD , the NAD server including computer executable instructions (direct link) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (public access) of a network source (support functions) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US5793964A
CLAIM 5
. A web browser system according to claim 4 , wherein said second database (data packet) gateway is coupled to its own command file server .

US5793964A
CLAIM 7
. A web browser system according to claim 1 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5793964A
CLAIM 11
. A web browser system according to claim 10 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and results are communicated to said web browser after passing through multiple networks (data packet) .

US5793964A
CLAIM 22
. A web browser system according to claim 14 , wherein said second control program agent node , besides being linked to its own application processing server has a direct link (executable instructions) , to a transaction processing server for handling transaction processing .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (support functions) to the NAD from a plurality of network clients having different operating systems .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (support functions) to the NAD is authorized comprises determining whether information in the header of a received data packet (multiple network, second data) containing the request for network access is complete , the information relating to at least one of the network source (support functions) , destination , and route of the data packet .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US5793964A
CLAIM 5
. A web browser system according to claim 4 , wherein said second database (data packet) gateway is coupled to its own command file server .

US5793964A
CLAIM 11
. A web browser system according to claim 10 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and results are communicated to said web browser after passing through multiple networks (data packet) .

US7739302B2
CLAIM 5
. A local area (public access) network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (support functions) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (multiple network, second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (support functions) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US5793964A
CLAIM 5
. A web browser system according to claim 4 , wherein said second database (data packet) gateway is coupled to its own command file server .

US5793964A
CLAIM 7
. A web browser system according to claim 1 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5793964A
CLAIM 11
. A web browser system according to claim 10 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and results are communicated to said web browser after passing through multiple network (data packet) s .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (multiple network, second data) arrived via an authorized network interface (support functions) .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US5793964A
CLAIM 5
. A web browser system according to claim 4 , wherein said second data (data packet) base gateway is coupled to its own command file server .

US5793964A
CLAIM 11
. A web browser system according to claim 10 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and results are communicated to said web browser after passing through multiple network (data packet) s .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (multiple network, second data) to the proper port ;

and at the proper port , provide the requested network access (support functions) to the NAD .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US5793964A
CLAIM 5
. A web browser system according to claim 4 , wherein said second data (data packet) base gateway is coupled to its own command file server .

US5793964A
CLAIM 11
. A web browser system according to claim 10 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and results are communicated to said web browser after passing through multiple network (data packet) s .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (support functions) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (multiple network, second data) containing the request for network access includes at least one of an IP address (public access) of a network source (support functions) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US5793964A
CLAIM 5
. A web browser system according to claim 4 , wherein said second data (data packet) base gateway is coupled to its own command file server .

US5793964A
CLAIM 7
. A web browser system according to claim 1 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5793964A
CLAIM 11
. A web browser system according to claim 10 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and results are communicated to said web browser after passing through multiple network (data packet) s .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (support functions) to the NAD is only available through the server .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (support functions) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (multiple network, second data) containing the request for network access (support functions) includes at least one of an IP address (public access) of a network source (support functions) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US5793964A
CLAIM 5
. A web browser system according to claim 4 , wherein said second data (data packet) base gateway is coupled to its own command file server .

US5793964A
CLAIM 7
. A web browser system according to claim 1 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5793964A
CLAIM 11
. A web browser system according to claim 10 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and results are communicated to said web browser after passing through multiple network (data packet) s .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (support functions) .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit to determine whether each packet contains an unauthorized IP address (public access) .
US5793964A
CLAIM 7
. A web browser system according to claim 1 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (other service) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address (public access) of a network source (support functions) , an IP address of a network destination , and a route of the data packet (multiple network, second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5793964A
CLAIM 1
. A web browser system , comprising : a web browser , means for associating said web browser with a homepage by a coupling or addressing with a uniform resource locator (URL or UAL) , a control program agent node located somewhere on the Internet supporting a control program agent coupled to and supporting said homepage by a coupling or addressing with a uniform resource locator , said control program agent node being coupled via a network with facilities provided within an intranet for private owner facilities and which may be protected by firewalls at the intranet boundary , said control program agent being coupled to a command file server and said command file server being coupled to a database gateway for gathering information from databases coupled to said database gateway and located on different database servers , said command file server supporting a plurality of command file objects which are programmed to perform web browser service support functions (network access, network source, network interface) at the request of a user of said web browser to access information within the intranet and to gather information located elsewhere via the Internet as a sub-agent of said control program agent .

US5793964A
CLAIM 5
. A web browser system according to claim 4 , wherein said second data (data packet) base gateway is coupled to its own command file server .

US5793964A
CLAIM 7
. A web browser system according to claim 1 , wherein a web browser initiated request is distributed via an intranet to the Intranet whereby access of data is obtained not only intranet , but also via the Internet to gather data from a database supported by a command file server located outside the intranet and coupled to said command file server with public access (local area, IP address, local area network arrangement) or access obtained after processing of variable access authorization data provided through said command file server .

US5793964A
CLAIM 11
. A web browser system according to claim 10 , wherein said first control program agent resides on a first web server supporting said web browser and said second control program agent resides on a second web server which is coupled via its own network to an associated command file server to perform tasks requested by said web browser and results are communicated to said web browser after passing through multiple network (data packet) s .

US5793964A
CLAIM 30
. A web server system according to claim 29 , further comprising , command objects for performing calculations , formatting , and other service (receiving requests) s prior to reporting to the web browser or to other locations , in a selected format a requested result report selected from a set of result reports , including a display report , facsimile report , a printer report , a report to customer installations , and a report to TV video subscribers , with account tracking .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5696898A

Filed: 1995-06-06     Issued: 1997-12-09

System and method for database access control

(Original Assignee) Nokia of America Corp     (Current Assignee) Nokia of America Corp

Brenda Sue Baker, Eric Grosse
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (network access) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5696898A
CLAIM 1
. A system for selectively controlling network access (network access) to one or more resources through a firewall server , the system comprising : a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers ;
a processor contained within a network proxy server and adapted to receive a request for network access to one or more particular network resources through the firewall server , said request including a user identification code , said processor being further adapted to query said relational database , and execute said request for network access to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources , said relational database and said proxy server being operable at a location remote from the firewall server .

US5696898A
CLAIM 8
. A method for selectively controlling network access to one or more particular resources through a firewall server , the method comprising the steps of : receiving at a network proxy server a request for access to one or more particular network resources , wherein said request includes a user identification code and at least one resource identifier , said network (NAD server) proxy serving being operable at a location remote from the firewall server ;
comparing at said network proxy server said received request for access to a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers , said relational database being operable at a location remote from the firewall server ;
executing , via said network proxy server , said request for network access through the firewall server to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access (network access) to the NAD from a plurality of network clients having different operating systems .
US5696898A
CLAIM 1
. A system for selectively controlling network access (network access) to one or more resources through a firewall server , the system comprising : a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers ;
a processor contained within a network proxy server and adapted to receive a request for network access to one or more particular network resources through the firewall server , said request including a user identification code , said processor being further adapted to query said relational database , and execute said request for network access to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources , said relational database and said proxy server being operable at a location remote from the firewall server .

US5696898A
CLAIM 8
. A method for selectively controlling network access to one or more particular resources through a firewall server , the method comprising the steps of : receiving at a network proxy server a request for access to one or more particular network resources , wherein said request includes a user identification code and at least one resource identifier , said network (NAD server) proxy serving being operable at a location remote from the firewall server ;
comparing at said network proxy server said received request for access to a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers , said relational database being operable at a location remote from the firewall server ;
executing , via said network proxy server , said request for network access through the firewall server to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (network access) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5696898A
CLAIM 1
. A system for selectively controlling network access (network access) to one or more resources through a firewall server , the system comprising : a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers ;
a processor contained within a network proxy server and adapted to receive a request for network access to one or more particular network resources through the firewall server , said request including a user identification code , said processor being further adapted to query said relational database , and execute said request for network access to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources , said relational database and said proxy server being operable at a location remote from the firewall server .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (network access) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5696898A
CLAIM 1
. A system for selectively controlling network access (network access) to one or more resources through a firewall server , the system comprising : a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers ;
a processor contained within a network proxy server and adapted to receive a request for network access to one or more particular network resources through the firewall server , said request including a user identification code , said processor being further adapted to query said relational database , and execute said request for network access to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources , said relational database and said proxy server being operable at a location remote from the firewall server .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access (network access) to the NAD .
US5696898A
CLAIM 1
. A system for selectively controlling network access (network access) to one or more resources through a firewall server , the system comprising : a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers ;
a processor contained within a network proxy server and adapted to receive a request for network access to one or more particular network resources through the firewall server , said request including a user identification code , said processor being further adapted to query said relational database , and execute said request for network access to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources , said relational database and said proxy server being operable at a location remote from the firewall server .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (network access) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5696898A
CLAIM 1
. A system for selectively controlling network access (network access) to one or more resources through a firewall server , the system comprising : a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers ;
a processor contained within a network proxy server and adapted to receive a request for network access to one or more particular network resources through the firewall server , said request including a user identification code , said processor being further adapted to query said relational database , and execute said request for network access to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources , said relational database and said proxy server being operable at a location remote from the firewall server .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (network access) to the NAD is only available through the server .
US5696898A
CLAIM 1
. A system for selectively controlling network access (network access) to one or more resources through a firewall server , the system comprising : a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers ;
a processor contained within a network proxy server and adapted to receive a request for network access to one or more particular network resources through the firewall server , said request including a user identification code , said processor being further adapted to query said relational database , and execute said request for network access to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources , said relational database and said proxy server being operable at a location remote from the firewall server .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (network access) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5696898A
CLAIM 1
. A system for selectively controlling network access (network access) to one or more resources through a firewall server , the system comprising : a relational database containing a stored listing of user identification codes and resource identifiers , wherein each of said resource identifiers corresponds to one or more resources accessible via a network , and said stored listing associates each of said user identification codes with one or more of said resource identifiers ;
a processor contained within a network proxy server and adapted to receive a request for network access to one or more particular network resources through the firewall server , said request including a user identification code , said processor being further adapted to query said relational database , and execute said request for network access to said one or more particular network resources as a function of said stored listing being indicative of an association between said received user identification code and at least one resource identifier corresponding to said one or more particular network resources , said relational database and said proxy server being operable at a location remote from the firewall server .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5692030A

Filed: 1995-05-31     Issued: 1997-11-25

Electronic interface for exchange of trouble administration information in telecommunications

(Original Assignee) MCI Communications Corp     (Current Assignee) Verizon Patent and Licensing Inc

Eugene William Teglovic, Mary Marguerite Oglesby, Bruce Kettle, Susan Ann Weese
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second data) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data (data packet) format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks (NAD server) to initiate a subsequent repair of said problem .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients (data networks) having different operating systems .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks (NAD server) to initiate a subsequent repair of said problem .

US5692030A
CLAIM 5
. The interface according to claim 1 , wherein said third data format is compatible with a plurality of packet-switched X.25 data networks (network clients) comprising a data link X.75 .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (second data) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data (data packet) format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (local data) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data (data packet) format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US5692030A
CLAIM 6
. The interface according to claim 1 , wherein said first interface further comprises means for validating said trouble information incoming and outgoing of said interface , means for re-sending said trouble information if an original transmission fails , means for verifying an identity of an agent , and means for controlling access to a multiple of local data (IP addresses) stores .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data (data packet) format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (second data) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data (data packet) format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data (data packet) format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data (data packet) format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US7739302B2
CLAIM 17
. The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (second interface, data link) .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface (application layer) for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US5692030A
CLAIM 5
. The interface according to claim 1 , wherein said third data format is compatible with a plurality of packet-switched X.25 data networks comprising a data link (application layer) X.75 .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (data networks) and other devices in a manner that is in addition to any protection afforded by a firewall .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data (data packet) format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US5692030A
CLAIM 5
. The interface according to claim 1 , wherein said third data format is compatible with a plurality of packet-switched X.25 data networks (network clients) comprising a data link X.75 .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer (second interface, data link) of a network stack .
US5692030A
CLAIM 1
. An interface for electronically exchanging trouble information between a long distance carrier network and a local exchange carrier network , comprising : a first trouble administration system for managing a trouble ticket created in response to a notification of a problem in a telephone service or product , responsive to said first trouble administration system , a first interface for converting data in said trouble ticket to a first data format for said first trouble administration system and for converting said trouble ticket data to a second data format , responsive to said first interface , first processing means including first programming means for converting said data in said second data format to a third data format , and transferring said data in said third data format via a communications medium ;
and responsive to said first processing means , second processing means which includes second programming means to transfer said data via a second interface (application layer) for processing by a second trouble administration system , wherein said data representing said trouble ticket is processed within said networks to initiate a subsequent repair of said problem .

US5692030A
CLAIM 5
. The interface according to claim 1 , wherein said third data format is compatible with a plurality of packet-switched X.25 data networks comprising a data link (application layer) X.75 .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5742762A

Filed: 1995-05-19     Issued: 1998-04-21

Network management gateway

(Original Assignee) Telogy Networks Inc     (Current Assignee) Telogy Networks Inc

Thomas H. Scholl, William E. Witowsky
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5742762A
CLAIM 13
. A machine readable memory medium , encoded with data representing a network management gateway computer program (network protocol programs) , that can be used to direct a computer when used by the computer , comprising : a . means for receiving a Web client request from a Web client , through a Web server , through the Internet , using a Web server CGI , the request comprising a request selected from the group comprising : configuration management , fault management , performance management , accounting management , security management , help desk , customer service and support , software distribution , product information distribution , and trouble ticket and reporting ;
b . means for parsing and translating with a programmed device or a circuit device , a Web client request into at least one network management request (NMR) , electronically communicating with the means for receiving a Web client request ;
c . means for processing the NMR locally to obtain information directly from a local managed information database , if the NMR is not related to a managed network , which is one of a plurality of incompatible managed networks ;
d . means for forwarding the NMR to the appropriate network management proxy agent , if the NMR relates to the managed network ;
e . means for processing the NMR locally to obtain information directly from the local managed information database , if the information is available from the database ;
f . means for forwarding the NMR to the managed network via access protocols , if the information is not available from the database ;
g . means for receiving network management information transmissions in response to NMR's ;
h . storing network management information received in the local managed information database ;
i . means for converting network management information transmissions , in real-time , into HTML documents , electronically communicating with the means for parsing and the means for transmitting each NMR and the means for receiving network management information ;
and j . means for transmitting HTML documents to the Web client , through the Web server , through the Internet , further comprising means for formatting for output .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (hard disk) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5742762A
CLAIM 4
. The device in claim 2 , where : a . the local managed information database is resident on the same hardware platform as the Web server and uses a hard disk (filtering means) , a CD-ROM , or other memory device , and b . the managed network is one of a plurality of incompatible managed networks .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (hard disk) is further configured to carry out the filtering at an application layer of a network stack .
US5742762A
CLAIM 4
. The device in claim 2 , where : a . the local managed information database is resident on the same hardware platform as the Web server and uses a hard disk (filtering means) , a CD-ROM , or other memory device , and b . the managed network is one of a plurality of incompatible managed networks .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5650994A

Filed: 1995-05-16     Issued: 1997-07-22

Operation support system for service creation and network provisioning for video dial tone networks

(Original Assignee) Verizon Services Corp     (Current Assignee) Verizon Patent and Licensing Inc

Kathleen Daley
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (user database) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information source, n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5650994A
CLAIM 6
. A network as recited in claim 5 , wherein said control subnetwork generates an information (network destination) provider selection menu in accordance with said downloaded portion of said subscriber profile .

US5650994A
CLAIM 46
. A communication network comprising : a plurality of user terminals receiving and processing broadband information ;
a plurality of broadband information sources (network destination) ;
a backbone subnetwork providing point-to-point communication sessions for interactive multimedia communications ;
a backbone subnetwork controller controlling establishment of point-to-point communication sessions through the backbone subnetwork ;
a broadcast subnetwork distributing broadband information signals from at least one of the broadband information sources ;
an access subnetwork providing dynamically allocated communications between one of the user terminals and the backbone subnetwork , and receiving broadcast information signals from the broadcast subnetwork and distributing the broadcast information signals to authorized ones of the user terminals ;
an access subnetwork controller controlling the access subnetwork to provide the communications between the one user terminal and the backbone subnetwork and to control terminal authorizations for reception of the broadcast information signals ;
a gateway interacting with the backbone subnetwork controller , the access subnetwork controller and the user terminals to control set-up of at least some of the communications through the communication network ;
and an operational support system coupled to communicate with and supply provisioning data to the backbone subnetwork controller , the broadcast subnetwork , the access subnetwork controller and the gateway for provisioning services through the network and activating receipt of selected services through identified ones of the user terminals .

US5650994A
CLAIM 48
. A communication network as in claim 46 , wherein the operational support system comprises : a service provider database containing data relating to information services provided by the broadband information sources ;
a user database (network client) data relating to the users and specific information services subscribed to be individual users .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (control signals) for accepting requests (corresponding service, information service) for network access to the NAD from a plurality of network clients (communication paths) having different operating systems .
US5650994A
CLAIM 3
. A network as recited in claim 1 , wherein said operational support system generates a profile of each of said subscribers in response to corresponding service (accepting requests) requests .

US5650994A
CLAIM 21
. A network for transporting broadband data for subscribers including a plurality of information providers and plurality of information users each having digital entertainment terminals , comprising : a control subnetwork for controlling setup and tear-down of broadband communication paths (network clients, communication path) , said control subnetwork adapted to access a level 2 gateway to provide connection requests to said information providers ;
a backbone subnetwork for providing point-to-point , two-way communication sessions for broadband interactive multimedia communications signals throughout said network , said backbone subnetwork adapted to provide said broadband communication sessions between at least one of said information users and said level 2 gateway , said backbone subnetwork comprising a virtual circuit controller for maintaining communication paths during said communication sessions ;
a broadcast subnetwork for consolidating a plurality of broadcast information signals from information providers and distributing said consolidated broadcast information signals throughout a serving area of said network ;
an access subnetwork receiving said consolidated broadcast information signals from said broadcast subnetwork and said broadband interactive multimedia communications signals from said backbone subnetwork for transmission to said digital entertainment terminals , and transmitting signals from said digital entertainment terminals to said backbone subnetwork , said access subnetwork comprising an access subnetwork controller controlling the access subnetwork in response to an access control message from said control subnetwork , to provide two-way communications between said at least one information user and said level 2 gateway and to control access by the digital entertainment terminals to the consolidated broadcast information signals ;
and a service creation and activation system outputting network creation messages for said control subnetwork , said backbone subnetwork , said broadcast subnetwork , and said access subnetwork , said service creation and activation system generating an assignable inventory database in accordance with acknowledgements of said network creation messages , said service creation and activation system provisioning network resources from said inventory database in response to a service activation request for a subscriber .

US5650994A
CLAIM 48
. A communication network as in claim 46 , wherein the operational support system comprises : a service provider database containing data relating to information services (accepting requests) provided by the broadband information sources ;
a user database data relating to the users and specific information services subscribed to be individual users .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (user database) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (network address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5650994A
CLAIM 17
. A network as recited in claim 16 , wherein said information user profile comprises a network address (IP addresses) , a digital entertainment terminal address , and subscription information identifying at least one of the information providers .

US5650994A
CLAIM 48
. A communication network as in claim 46 , wherein the operational support system comprises : a service provider database containing data relating to information services provided by the broadband information sources ;
a user database (network client) data relating to the users and specific information services subscribed to be individual users .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface) .
US5650994A
CLAIM 34
. In a network serving a plurality of subscribers including information providers and information users having digital entertainment terminals , wherein the network comprises : a backbone subnetwork providing point-to-point communication sessions and having a virtual circuit controller controlling establishment of said sessions throughout the backbone subnetwork , a broadcast subnetwork distributing broadband data from information providers throughout a serving area of said network , an access subnetwork receiving said broadband data from said broadcast subnetwork and downstream signals of said sessions and distributing said received broadband data and downstream signals to said digital entertainment terminals of said information users , and receiving upstream signals from said digital entertainment terminals and supplying to said backbone subnetwork , said access subnetwork comprising an access subnetwork controller controlling said access subnetwork , a control subnetwork controlling data transport throughout said network , and an operational support system comprising an assignable inventory database ;
a method comprising the steps of : (1) receiving at said operational support system a subscriber activation request ;
(2) establishing a connection between the network and a subscriber at a network interface (network interface) ;
(3) assigning a logical address to said connection ;
(4) provisioning bandwidth on at least one digital channel from said assignable inventory database in accordance with said subscriber activation request and generating corresponding bandwidth assignment information ;
(5) outputting from said operational support system an activation request , comprising said logical address and said bandwidth assignment information , to said control subnetwork ;
(6) outputting from said control subnetwork connection said bandwidth assignment information to said access subnetwork controller ;
(7) defining within said access subnetwork controller connection paths throughout said access subnetwork in accordance with said bandwidth assignment information and outputting connection block descriptors from said access subnetwork controller to said control subnetwork , said connection block descriptors identifying said connection paths ;
(8) outputting from said operational support system broadcast provisioning data to said broadcast subnetwork controller in accordance with said subscriber activation request ;
(9) returning acknowledgement messages to said operational support system ;
(10) creating a subscriber profile in said operational support system in response to said acknowledgement messages ;
and (11) outputting from said operational support system a subscription acknowledgement to said subscriber .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information source, n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5650994A
CLAIM 6
. A network as recited in claim 5 , wherein said control subnetwork generates an information (network destination) provider selection menu in accordance with said downloaded portion of said subscriber profile .

US5650994A
CLAIM 46
. A communication network comprising : a plurality of user terminals receiving and processing broadband information ;
a plurality of broadband information sources (network destination) ;
a backbone subnetwork providing point-to-point communication sessions for interactive multimedia communications ;
a backbone subnetwork controller controlling establishment of point-to-point communication sessions through the backbone subnetwork ;
a broadcast subnetwork distributing broadband information signals from at least one of the broadband information sources ;
an access subnetwork providing dynamically allocated communications between one of the user terminals and the backbone subnetwork , and receiving broadcast information signals from the broadcast subnetwork and distributing the broadcast information signals to authorized ones of the user terminals ;
an access subnetwork controller controlling the access subnetwork to provide the communications between the one user terminal and the backbone subnetwork and to control terminal authorizations for reception of the broadcast information signals ;
a gateway interacting with the backbone subnetwork controller , the access subnetwork controller and the user terminals to control set-up of at least some of the communications through the communication network ;
and an operational support system coupled to communicate with and supply provisioning data to the backbone subnetwork controller , the broadcast subnetwork , the access subnetwork controller and the gateway for provisioning services through the network and activating receipt of selected services through identified ones of the user terminals .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network interface) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path (communication paths) to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information source, n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5650994A
CLAIM 6
. A network as recited in claim 5 , wherein said control subnetwork generates an information (network destination) provider selection menu in accordance with said downloaded portion of said subscriber profile .

US5650994A
CLAIM 21
. A network for transporting broadband data for subscribers including a plurality of information providers and plurality of information users each having digital entertainment terminals , comprising : a control subnetwork for controlling setup and tear-down of broadband communication paths (network clients, communication path) , said control subnetwork adapted to access a level 2 gateway to provide connection requests to said information providers ;
a backbone subnetwork for providing point-to-point , two-way communication sessions for broadband interactive multimedia communications signals throughout said network , said backbone subnetwork adapted to provide said broadband communication sessions between at least one of said information users and said level 2 gateway , said backbone subnetwork comprising a virtual circuit controller for maintaining communication paths during said communication sessions ;
a broadcast subnetwork for consolidating a plurality of broadcast information signals from information providers and distributing said consolidated broadcast information signals throughout a serving area of said network ;
an access subnetwork receiving said consolidated broadcast information signals from said broadcast subnetwork and said broadband interactive multimedia communications signals from said backbone subnetwork for transmission to said digital entertainment terminals , and transmitting signals from said digital entertainment terminals to said backbone subnetwork , said access subnetwork comprising an access subnetwork controller controlling the access subnetwork in response to an access control message from said control subnetwork , to provide two-way communications between said at least one information user and said level 2 gateway and to control access by the digital entertainment terminals to the consolidated broadcast information signals ;
and a service creation and activation system outputting network creation messages for said control subnetwork , said backbone subnetwork , said broadcast subnetwork , and said access subnetwork , said service creation and activation system generating an assignable inventory database in accordance with acknowledgements of said network creation messages , said service creation and activation system provisioning network resources from said inventory database in response to a service activation request for a subscriber .

US5650994A
CLAIM 34
. In a network serving a plurality of subscribers including information providers and information users having digital entertainment terminals , wherein the network comprises : a backbone subnetwork providing point-to-point communication sessions and having a virtual circuit controller controlling establishment of said sessions throughout the backbone subnetwork , a broadcast subnetwork distributing broadband data from information providers throughout a serving area of said network , an access subnetwork receiving said broadband data from said broadcast subnetwork and downstream signals of said sessions and distributing said received broadband data and downstream signals to said digital entertainment terminals of said information users , and receiving upstream signals from said digital entertainment terminals and supplying to said backbone subnetwork , said access subnetwork comprising an access subnetwork controller controlling said access subnetwork , a control subnetwork controlling data transport throughout said network , and an operational support system comprising an assignable inventory database ;
a method comprising the steps of : (1) receiving at said operational support system a subscriber activation request ;
(2) establishing a connection between the network and a subscriber at a network interface (network interface) ;
(3) assigning a logical address to said connection ;
(4) provisioning bandwidth on at least one digital channel from said assignable inventory database in accordance with said subscriber activation request and generating corresponding bandwidth assignment information ;
(5) outputting from said operational support system an activation request , comprising said logical address and said bandwidth assignment information , to said control subnetwork ;
(6) outputting from said control subnetwork connection said bandwidth assignment information to said access subnetwork controller ;
(7) defining within said access subnetwork controller connection paths throughout said access subnetwork in accordance with said bandwidth assignment information and outputting connection block descriptors from said access subnetwork controller to said control subnetwork , said connection block descriptors identifying said connection paths ;
(8) outputting from said operational support system broadcast provisioning data to said broadcast subnetwork controller in accordance with said subscriber activation request ;
(9) returning acknowledgement messages to said operational support system ;
(10) creating a subscriber profile in said operational support system in response to said acknowledgement messages ;
and (11) outputting from said operational support system a subscription acknowledgement to said subscriber .

US5650994A
CLAIM 46
. A communication network comprising : a plurality of user terminals receiving and processing broadband information ;
a plurality of broadband information sources (network destination) ;
a backbone subnetwork providing point-to-point communication sessions for interactive multimedia communications ;
a backbone subnetwork controller controlling establishment of point-to-point communication sessions through the backbone subnetwork ;
a broadcast subnetwork distributing broadband information signals from at least one of the broadband information sources ;
an access subnetwork providing dynamically allocated communications between one of the user terminals and the backbone subnetwork , and receiving broadcast information signals from the broadcast subnetwork and distributing the broadcast information signals to authorized ones of the user terminals ;
an access subnetwork controller controlling the access subnetwork to provide the communications between the one user terminal and the backbone subnetwork and to control terminal authorizations for reception of the broadcast information signals ;
a gateway interacting with the backbone subnetwork controller , the access subnetwork controller and the user terminals to control set-up of at least some of the communications through the communication network ;
and an operational support system coupled to communicate with and supply provisioning data to the backbone subnetwork controller , the broadcast subnetwork , the access subnetwork controller and the gateway for provisioning services through the network and activating receipt of selected services through identified ones of the user terminals .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface) .
US5650994A
CLAIM 34
. In a network serving a plurality of subscribers including information providers and information users having digital entertainment terminals , wherein the network comprises : a backbone subnetwork providing point-to-point communication sessions and having a virtual circuit controller controlling establishment of said sessions throughout the backbone subnetwork , a broadcast subnetwork distributing broadband data from information providers throughout a serving area of said network , an access subnetwork receiving said broadband data from said broadcast subnetwork and downstream signals of said sessions and distributing said received broadband data and downstream signals to said digital entertainment terminals of said information users , and receiving upstream signals from said digital entertainment terminals and supplying to said backbone subnetwork , said access subnetwork comprising an access subnetwork controller controlling said access subnetwork , a control subnetwork controlling data transport throughout said network , and an operational support system comprising an assignable inventory database ;
a method comprising the steps of : (1) receiving at said operational support system a subscriber activation request ;
(2) establishing a connection between the network and a subscriber at a network interface (network interface) ;
(3) assigning a logical address to said connection ;
(4) provisioning bandwidth on at least one digital channel from said assignable inventory database in accordance with said subscriber activation request and generating corresponding bandwidth assignment information ;
(5) outputting from said operational support system an activation request , comprising said logical address and said bandwidth assignment information , to said control subnetwork ;
(6) outputting from said control subnetwork connection said bandwidth assignment information to said access subnetwork controller ;
(7) defining within said access subnetwork controller connection paths throughout said access subnetwork in accordance with said bandwidth assignment information and outputting connection block descriptors from said access subnetwork controller to said control subnetwork , said connection block descriptors identifying said connection paths ;
(8) outputting from said operational support system broadcast provisioning data to said broadcast subnetwork controller in accordance with said subscriber activation request ;
(9) returning acknowledgement messages to said operational support system ;
(10) creating a subscriber profile in said operational support system in response to said acknowledgement messages ;
and (11) outputting from said operational support system a subscription acknowledgement to said subscriber .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (transmitting signal) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (information source, n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (communication paths) and other devices in a manner that is in addition to any protection afforded by a firewall .
US5650994A
CLAIM 6
. A network as recited in claim 5 , wherein said control subnetwork generates an information (network destination) provider selection menu in accordance with said downloaded portion of said subscriber profile .

US5650994A
CLAIM 21
. A network for transporting broadband data for subscribers including a plurality of information providers and plurality of information users each having digital entertainment terminals , comprising : a control subnetwork for controlling setup and tear-down of broadband communication paths (network clients, communication path) , said control subnetwork adapted to access a level 2 gateway to provide connection requests to said information providers ;
a backbone subnetwork for providing point-to-point , two-way communication sessions for broadband interactive multimedia communications signals throughout said network , said backbone subnetwork adapted to provide said broadband communication sessions between at least one of said information users and said level 2 gateway , said backbone subnetwork comprising a virtual circuit controller for maintaining communication paths during said communication sessions ;
a broadcast subnetwork for consolidating a plurality of broadcast information signals from information providers and distributing said consolidated broadcast information signals throughout a serving area of said network ;
an access subnetwork receiving said consolidated broadcast information signals from said broadcast subnetwork and said broadband interactive multimedia communications signals from said backbone subnetwork for transmission to said digital entertainment terminals , and transmitting signals (receiving requests) from said digital entertainment terminals to said backbone subnetwork , said access subnetwork comprising an access subnetwork controller controlling the access subnetwork in response to an access control message from said control subnetwork , to provide two-way communications between said at least one information user and said level 2 gateway and to control access by the digital entertainment terminals to the consolidated broadcast information signals ;
and a service creation and activation system outputting network creation messages for said control subnetwork , said backbone subnetwork , said broadcast subnetwork , and said access subnetwork , said service creation and activation system generating an assignable inventory database in accordance with acknowledgements of said network creation messages , said service creation and activation system provisioning network resources from said inventory database in response to a service activation request for a subscriber .

US5650994A
CLAIM 46
. A communication network comprising : a plurality of user terminals receiving and processing broadband information ;
a plurality of broadband information sources (network destination) ;
a backbone subnetwork providing point-to-point communication sessions for interactive multimedia communications ;
a backbone subnetwork controller controlling establishment of point-to-point communication sessions through the backbone subnetwork ;
a broadcast subnetwork distributing broadband information signals from at least one of the broadband information sources ;
an access subnetwork providing dynamically allocated communications between one of the user terminals and the backbone subnetwork , and receiving broadcast information signals from the broadcast subnetwork and distributing the broadcast information signals to authorized ones of the user terminals ;
an access subnetwork controller controlling the access subnetwork to provide the communications between the one user terminal and the backbone subnetwork and to control terminal authorizations for reception of the broadcast information signals ;
a gateway interacting with the backbone subnetwork controller , the access subnetwork controller and the user terminals to control set-up of at least some of the communications through the communication network ;
and an operational support system coupled to communicate with and supply provisioning data to the backbone subnetwork controller , the broadcast subnetwork , the access subnetwork controller and the gateway for provisioning services through the network and activating receipt of selected services through identified ones of the user terminals .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (d log) of a plurality of protocols .
US5650994A
CLAIM 34
. In a network serving a plurality of subscribers including information providers and information users having digital entertainment terminals , wherein the network comprises : a backbone subnetwork providing point-to-point communication sessions and having a virtual circuit controller controlling establishment of said sessions throughout the backbone subnetwork , a broadcast subnetwork distributing broadband data from information providers throughout a serving area of said network , an access subnetwork receiving said broadband data from said broadcast subnetwork and downstream signals of said sessions and distributing said received broadband data and downstream signals to said digital entertainment terminals of said information users , and receiving upstream signals from said digital entertainment terminals and supplying to said backbone subnetwork , said access subnetwork comprising an access subnetwork controller controlling said access subnetwork , a control subnetwork controlling data transport throughout said network , and an operational support system comprising an assignable inventory database ;
a method comprising the steps of : (1) receiving at said operational support system a subscriber activation request ;
(2) establishing a connection between the network and a subscriber at a network interface ;
(3) assigning a logical address to said connection ;
(4) provisioning bandwidth on at least one digital channel from said assignable inventory database in accordance with said subscriber activation request and generating corresponding bandwidth assignment information ;
(5) outputting from said operational support system an activation request , comprising said logical address (requests comprise one) and said bandwidth assignment information , to said control subnetwork ;
(6) outputting from said control subnetwork connection said bandwidth assignment information to said access subnetwork controller ;
(7) defining within said access subnetwork controller connection paths throughout said access subnetwork in accordance with said bandwidth assignment information and outputting connection block descriptors from said access subnetwork controller to said control subnetwork , said connection block descriptors identifying said connection paths ;
(8) outputting from said operational support system broadcast provisioning data to said broadcast subnetwork controller in accordance with said subscriber activation request ;
(9) returning acknowledgement messages to said operational support system ;
(10) creating a subscriber profile in said operational support system in response to said acknowledgement messages ;
and (11) outputting from said operational support system a subscription acknowledgement to said subscriber .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5699403A

Filed: 1995-04-12     Issued: 1997-12-16

Network vulnerability management apparatus and method

(Original Assignee) Nokia of America Corp     (Current Assignee) Nokia of America Corp

U. George Ronnen
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5699403A
CLAIM 1
. A method for identifying risks associated with abnormal conditions of network elements in a communications network , comprising the steps of : collecting alarm message signals from a communications network ;
electronically processing said alarm message signals to generate abnormal condition signals ;
receiving external condition signals indicative of external conditions affecting network elements in said communications network ;
generating direct and indirect risk signals based upon said abnormal condition signals , said external condition signals , and stored reference data ;
summing said direct and indirect risk signals to generate a network element risk signal ;
displaying said network (NAD server) element risk signal to aid in assessing risks associated with network elements experiencing abnormal conditions .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5699403A
CLAIM 1
. A method for identifying risks associated with abnormal conditions of network elements in a communications network , comprising the steps of : collecting alarm message signals from a communications network ;
electronically processing said alarm message signals to generate abnormal condition signals ;
receiving external condition signals indicative of external conditions affecting network elements in said communications network ;
generating direct and indirect risk signals based upon said abnormal condition signals , said external condition signals , and stored reference data ;
summing said direct and indirect risk signals to generate a network element risk signal ;
displaying said network (NAD server) element risk signal to aid in assessing risks associated with network elements experiencing abnormal conditions .

US7739302B2
CLAIM 3
. The network arrangement of claim 1 , wherein the computer-executable instructions comprise distributed program modules (processing module) .
US5699403A
CLAIM 11
. An apparatus for identifying risks associated with abnormal conditions of network elements in a communications network comprising : a data collection and processing module (program modules) that collects alarm message signals from a communications network and processes said alarm messages to generate abnormal condition signals ;
an interface module that receives external condition signals indicative of external conditions affecting network elements in said communications network ;
an electronic risk processing module that generates direct and indirect risk signals based upon said abnormal condition signals , said external condition signals , and stored reference data ;
and a display means that displays a network element risk signal to aid in assessing risks associated with network elements experiencing abnormal conditions , where said network element risk signal is the sum of said direct and indirect risk signals .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (said module) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5699403A
CLAIM 3
. The method of claim 2 , wherein said module (device interface) failure risks are computed by the substeps comprising : retrieving from memory , based upon said abnormal condition signals , first probability data indicative of the failure probability of a functional module of said given network element , second probability data indicative of the failure probability of said functional module's mate , network element impact data , and a module impact factor ;
retrieving from memory , based upon said external condition signals , probability multiplier data ;
computing a module failure probability signal as the product of said first probability data , said second probability data , and said probability multiplier data ;
computing said module failure risk as the product of said module failure probability signal , said network element impact data , and said module impact factor .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (said module) .
US5699403A
CLAIM 3
. The method of claim 2 , wherein said module (device interface) failure risks are computed by the substeps comprising : retrieving from memory , based upon said abnormal condition signals , first probability data indicative of the failure probability of a functional module of said given network element , second probability data indicative of the failure probability of said functional module's mate , network element impact data , and a module impact factor ;
retrieving from memory , based upon said external condition signals , probability multiplier data ;
computing a module failure probability signal as the product of said first probability data , said second probability data , and said probability multiplier data ;
computing said module failure risk as the product of said module failure probability signal , said network element impact data , and said module impact factor .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (said module) comprises a SCSI interface .
US5699403A
CLAIM 3
. The method of claim 2 , wherein said module (device interface) failure risks are computed by the substeps comprising : retrieving from memory , based upon said abnormal condition signals , first probability data indicative of the failure probability of a functional module of said given network element , second probability data indicative of the failure probability of said functional module's mate , network element impact data , and a module impact factor ;
retrieving from memory , based upon said external condition signals , probability multiplier data ;
computing a module failure probability signal as the product of said first probability data , said second probability data , and said probability multiplier data ;
computing said module failure risk as the product of said module failure probability signal , said network element impact data , and said module impact factor .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (said module) if the request is allowed .
US5699403A
CLAIM 3
. The method of claim 2 , wherein said module (device interface) failure risks are computed by the substeps comprising : retrieving from memory , based upon said abnormal condition signals , first probability data indicative of the failure probability of a functional module of said given network element , second probability data indicative of the failure probability of said functional module's mate , network element impact data , and a module impact factor ;
retrieving from memory , based upon said external condition signals , probability multiplier data ;
computing a module failure probability signal as the product of said first probability data , said second probability data , and said probability multiplier data ;
computing said module failure risk as the product of said module failure probability signal , said network element impact data , and said module impact factor .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5555290A

Filed: 1995-04-11     Issued: 1996-09-10

Long distance telephone switching system with enhanced subscriber services

(Original Assignee) MCI Communications Corp     (Current Assignee) Verizon Patent and Licensing Inc

Clark E. McLeod, Steven J. Hogan, Kristi T. Feltz, Douglas R. Murdock, Van E. Hanson
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5555290A
CLAIM 2
. A telephone switching system as claimed in claim 1 , wherein said computational means is operative to match call detail records with corresponding billing detail records based on information (network destination) contained in said respective records in order to generate said subscriber bills .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests (information service) for network access to the NAD from a plurality of network clients having different operating systems .
US5555290A
CLAIM 3
. A telephone switching system as claimed in claim 1 , wherein said various types of enhanced subscriber services each are selected from the group consisting of audio news and information services (accepting requests) , conference calling , voice messaging , message storage and forwarding , and speed dialing .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (telephone network) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5555290A
CLAIM 10
. For use in connection with a long distance telephone network (IP addresses) , a telephone switching system that provides conventional long distance services , at least one enhanced subscriber authorized service when requested by a caller , and call reorigination using stored billing information , comprising : call switching means for receiving calls from any telephone with which communications with said telephone switching system may be established , including calls for various types of enhanced services , original calls , and calls for which reorigination is requested ;
call processing means coupled to said call switching means for receiving enhanced service request codes entered from said telephone , for receiving and validating billing information entered by callers placing original long distance calls , and for generating billing detail records containing information relating to any requested enhanced services and to said billing information ;
and storage means coupled to said call processing means for storing said billing detail records ;
whereby said call processing means is operative to process those calls for which reorigination is requested based on validation of the billing information in said billing detail records .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5555290A
CLAIM 2
. A telephone switching system as claimed in claim 1 , wherein said computational means is operative to match call detail records with corresponding billing detail records based on information (network destination) contained in said respective records in order to generate said subscriber bills .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5555290A
CLAIM 2
. A telephone switching system as claimed in claim 1 , wherein said computational means is operative to match call detail records with corresponding billing detail records based on information (network destination) contained in said respective records in order to generate said subscriber bills .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5555290A
CLAIM 2
. A telephone switching system as claimed in claim 1 , wherein said computational means is operative to match call detail records with corresponding billing detail records based on information (network destination) contained in said respective records in order to generate said subscriber bills .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5699513A

Filed: 1995-03-31     Issued: 1997-12-16

Method for secure network access via message intercept

(Original Assignee) Motorola Solutions Inc     (Current Assignee) General Dynamics C4 Systems Inc

Ronald Glen Feigen, Paul Aerick Lambert
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (more application) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5699513A
CLAIM 1
. A method of providing security for a network having one or more application (network client) services to which connections may be made from outside said network , said method comprising the steps of : intercepting a plurality of connection request messages each of which establishes a first connection request for an application service provided on said network ;
establishing a second connection , said second connection being established with a security service ;
confirming , through said second connection , said first connection request ;
transmitting a message on said network after said confirming step confirms said first connection request ;
establishing said second connection with a source host having a source host address ;
sending data describing ones of said intercepted connection request messages which originated from said source host address to said source host through said second connection ;
and receiving selection data from said source host through said second connection , said selection data identifying a selected one of intercepted connection request messages wherein said message transmitted by said transmitting step corresponds to said selected one of intercepted connection request messages .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (more application) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5699513A
CLAIM 1
. A method of providing security for a network having one or more application (network client) services to which connections may be made from outside said network , said method comprising the steps of : intercepting a plurality of connection request messages each of which establishes a first connection request for an application service provided on said network ;
establishing a second connection , said second connection being established with a security service ;
confirming , through said second connection , said first connection request ;
transmitting a message on said network after said confirming step confirms said first connection request ;
establishing said second connection with a source host having a source host address ;
sending data describing ones of said intercepted connection request messages which originated from said source host address to said source host through said second connection ;
and receiving selection data from said source host through said second connection , said selection data identifying a selected one of intercepted connection request messages wherein said message transmitted by said transmitting step corresponds to said selected one of intercepted connection request messages .
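The confirmation method recited in US5699513A claim 1 above is a two-connection protocol: connection requests to an application service are intercepted and held, a second connection is opened with the originating source host, that host is shown the requests that originated from its address and selects one, and only the selected request is then transmitted on the network. The following Python model is an added illustration of that exchange and is not code from the patent or its assignee; the host addresses, service names, request identifiers and the dictionary message format are constructed for the example, and the per-source check that a host may only confirm its own intercepted requests is this example's reading of the "originated from said source host address" limitation.

```python
"""Connection-request confirmation through a second connection (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConnRequest:
    request_id: int
    source: str      # source host address that originated the first connection request
    service: str     # application service on the protected network being requested


@dataclass
class SecurityService:
    """Intercepts first-connection requests and confirms them over a second connection."""
    pending: Dict[str, List[ConnRequest]] = field(default_factory=lambda: defaultdict(list))
    transmitted: List[ConnRequest] = field(default_factory=list)
    _next_id: int = 1

    def intercept(self, source: str, service: str) -> ConnRequest:
        """First connection: the request is recorded per source and NOT forwarded yet."""
        req = ConnRequest(self._next_id, source, service)
        self._next_id += 1
        self.pending[source].append(req)
        return req

    def describe(self, source: str) -> List[dict]:
        """Second connection, step 1: data describing the requests that originated from this source."""
        return [{"id": r.request_id, "service": r.service} for r in self.pending[source]]

    def select(self, source: str, request_id: int) -> Optional[ConnRequest]:
        """Second connection, step 2: selection data from the source confirms exactly one request.

        Only a request this source itself originated can be confirmed; an id belonging
        to another host, or an unknown id, is rejected and nothing is transmitted.
        """
        for req in self.pending[source]:
            if req.request_id == request_id:
                self.pending[source].remove(req)
                self.transmitted.append(req)   # the message for the confirmed request is now sent
                return req
        return None


def run_scenario() -> dict:
    """Constructed scenario: host A has two pending requests, host B has one."""
    svc = SecurityService()
    a1 = svc.intercept("10.1.1.5", "smtp")
    a2 = svc.intercept("10.1.1.5", "imap")
    b1 = svc.intercept("10.1.1.9", "ftp")
    shown_to_a = svc.describe("10.1.1.5")            # A sees only its own two requests
    confirmed = svc.select("10.1.1.5", a2.request_id) # A confirms the imap request
    cross = svc.select("10.1.1.5", b1.request_id)     # A may not confirm B's ftp request
    return {"shown_to_a": shown_to_a, "confirmed": confirmed, "cross_host": cross,
            "a1_still_pending": a1 in svc.pending["10.1.1.5"],
            "transmitted": [r.service for r in svc.transmitted]}


if __name__ == "__main__":
    print(run_scenario())
```

The unconfirmed request (a1) stays held rather than being dropped or forwarded, which is the point of the claimed method: the first connection produces no traffic on the protected network until the originating host has confirmed it through the second connection.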

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (acknowledgment message) .
US5699513A
CLAIM 6
. A method as claimed in claim 1 wherein said establishing step comprises the steps of : receiving a second connection request message , said second connection request message identifying a source which originated said second connection request message , and said second connection request message requesting establishment of a connection to said security service ;
and sending an acknowledgment message (network interface) from said security service to said source .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (acknowledgment message) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5699513A
CLAIM 6
. A method as claimed in claim 1 wherein said establishing step comprises the steps of : receiving a second connection request message , said second connection request message identifying a source which originated said second connection request message , and said second connection request message requesting establishment of a connection to said security service ;
and sending an acknowledgment message (network interface) from said security service to said source .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (acknowledgment message) .
US5699513A
CLAIM 6
. A method as claimed in claim 1 wherein said establishing step comprises the steps of : receiving a second connection request message , said second connection request message identifying a source which originated said second connection request message , and said second connection request message requesting establishment of a connection to said security service ;
and sending an acknowledgment message (network interface) from said security service to said source .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5610915A

Filed: 1995-03-17     Issued: 1997-03-11

System and method therefor of viewing call traffic of a telecommunications network

(Original Assignee) MCI Communications Corp     (Current Assignee) Verizon Patent and Licensing Inc

Isaac Elliott, Jim Finucane, Louis Gottlieb, Daniel L. O'Reilly, Gary E. Johnson
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive a request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (specialized instruction) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5610915A
CLAIM 4
. The system of claim 1 , wherein said report comprises a data file containing the call details of said calls of said subscriber ;
said system further comprising : at least one computer work station whereat said subscriber communicates via said network (NAD server) with said processing server means for receiving said data file ;
and wherein said subscriber can design and format a report using call detail data from said data file upon receipt of said data file .

US5610915A
CLAIM 31
. The method of claim 27 , wherein step (c) further comprises the step of : adding a data entry processing means to said network to enable said subscribers to enter respective specialized instructions (executable instructions) for retrieving corresponding specialized reports of call details stored in said database means .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5610915A
CLAIM 4
. The system of claim 1 , wherein said report comprises a data file containing the call details of said calls of said subscriber ;
said system further comprising : at least one computer work station whereat said subscriber communicates via said network (NAD server) with said processing server means for receiving said data file ;
and wherein said subscriber can design and format a report using call detail data from said data file upon receipt of said data file .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (receiving requests, order reports) with each other over a same network , the NAD comprising :

a data management component (receiving requests, order reports) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5610915A
CLAIM 1
. In a telecommunications network , a system for reporting call detail statistics of special service calls , comprising : at least one switching means for routing said calls ;
processor means for determining the call details of said calls routed through said switching means ;
database means for periodically collecting and storing as records the call details from said processor means for calls of at least one particular subscriber ;
processing server means communicatively connected to said database means for receiving requests (electronic communication, data management component, receiving requests) from said subscriber ;
wherein in response to a request from said subscriber , said processing server means provides at predetermined intervals to said subscriber at least one report detailing statistics representative of said records of calls of said subscriber stored in said database means .

US5610915A
CLAIM 17
. The system of claim 10 , further comprising : data entry processing means for said subscribers to enter respective request to said processing means to order reports (electronic communication, data management component, receiving requests) relating to traffic statistics of corresponding special service calls .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information (one communication line) identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5610915A
CLAIM 9
. The system of claim 1 , wherein said database means comprises : a plurality of processors each operating same applications , said processors connected via at least one communication line (header contains information) to a distribution means to provide said report to and communicate with said subscriber ;
a plurality of memory means coupled to each of said processors for storing the call details of calls of said subscriber .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (predetermined time intervals) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5610915A
CLAIM 19
. In a telecommunications network , a method of reporting call detail statistics of special service calls comprising the steps of : (a) processing the call details of said special service calls routed through a plurality of switching means ;
(b) periodically collecting and storing as records in a database means the call details of special service calls for at least one subscriber ;
(c) receiving at a processor server means at least one request from said one subscriber on how and when to disseminate the call details of special service calls subscribed by said one subscriber ;
(d) said processing server means providing said one subscriber , per said at least one request from said one subscriber , at predetermined time intervals (device interface) at least one report of records stored in said database means of call details of special service calls of said one subscriber .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (predetermined time intervals) .
US5610915A
CLAIM 19
. In a telecommunications network , a method of reporting call detail statistics of special service calls comprising the steps of : (a) processing the call details of said special service calls routed through a plurality of switching means ;
(b) periodically collecting and storing as records in a database means the call details of special service calls for at least one subscriber ;
(c) receiving at a processor server means at least one request from said one subscriber on how and when to disseminate the call details of special service calls subscribed by said one subscriber ;
(d) said processing server means providing said one subscriber , per said at least one request from said one subscriber , at predetermined time intervals (device interface) at least one report of records stored in said database means of call details of special service calls of said one subscriber .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (predetermined time intervals) comprises a SCSI interface .
US5610915A
CLAIM 19
. In a telecommunications network , a method of reporting call detail statistics of special service calls comprising the steps of : (a) processing the call details of said special service calls routed through a plurality of switching means ;
(b) periodically collecting and storing as records in a database means the call details of special service calls for at least one subscriber ;
(c) receiving at a processor server means at least one request from said one subscriber on how and when to disseminate the call details of special service calls subscribed by said one subscriber ;
(d) said processing server means providing said one subscriber , per said at least one request from said one subscriber , at predetermined time intervals (device interface) at least one report of records stored in said database means of call details of special service calls of said one subscriber .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (one terminal) , and a video codec .
US5610915A
CLAIM 5
. The system of claim 1 , further comprising : distribution means for distributing said report ;
at least one terminal (storage device) electrically connected to said distribution means for retrieving for said subscriber the call details of a special service call of said subscriber for a particular time period .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (receiving requests, order reports) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5610915A
CLAIM 1
. In a telecommunications network , a system for reporting call detail statistics of special service calls , comprising : at least one switching means for routing said calls ;
processor means for determining the call details of said calls routed through said switching means ;
database means for periodically collecting and storing as records the call details from said processor means for calls of at least one particular subscriber ;
processing server means communicatively connected to said database means for receiving requests (electronic communication, data management component, receiving requests) from said subscriber ;
wherein in response to a request from said subscriber , said processing server means provides at predetermined intervals to said subscriber at least one report detailing statistics representative of said records of calls of said subscriber stored in said database means .

US5610915A
CLAIM 17
. The system of claim 10 , further comprising : data entry processing means for said subscribers to enter respective request to said processing means to order reports (electronic communication, data management component, receiving requests) relating to traffic statistics of corresponding special service calls .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (predetermined time intervals) if the request is allowed .
US5610915A
CLAIM 19
. In a telecommunications network , a method of reporting call detail statistics of special service calls comprising the steps of : (a) processing the call details of said special service calls routed through a plurality of switching means ;
(b) periodically collecting and storing as records in a database means the call details of special service calls for at least one subscriber ;
(c) receiving at a processor server means at least one request from said one subscriber on how and when to disseminate the call details of special service calls subscribed by said one subscriber ;
(d) said processing server means providing said one subscriber , per said at least one request from said one subscriber , at predetermined time intervals (device interface) at least one report of records stored in said database means of call details of special service calls of said one subscriber .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (one terminal) , and a video codec .
US5610915A
CLAIM 5
. The system of claim 1 , further comprising : distribution means for distributing said report ;
at least one terminal (storage device) electrically connected to said distribution means for retrieving for said subscriber the call details of a special service call of said subscriber for a particular time period .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5649182A

Filed: 1995-03-17     Issued: 1997-07-15

Apparatus and method for organizing timeline data

(Original Assignee) Reitz; Carl A.     (Current Assignee) RPX Corp

Carl A. Reitz
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive a request contained in a data packet (said timeline) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said timeline (data packet, filtering means) sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said timeline) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said timeline (data packet, filtering means) sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising :

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said timeline) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said timeline (data packet, filtering means) sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said timeline) arrived via an authorized network interface (computer processor, said subset, said memory) .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said timeline (data packet, filtering means) sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .

US5649182A
CLAIM 8
. The computer system of claim 7 wherein each of said computer processors (storing instructions, network interface) includes means for permitting variable levels of access to said database records .

US5649182A
CLAIM 10
. The computer system of claim 1 wherein said means for entering the plurality of data messages and associated user specifiable calendar dates of message creation into said database includes memory means external to said computer system ;
and wherein said computer system includes means for interfacing with said memory (storing instructions, network interface) means to thereby receive the plurality of data messages and associated user specifiable calendar dates of message creation into said database .

US5649182A
CLAIM 16
. A computer system for organizing a plurality of data messages having a user specifiable calendar date of message creation and a number of filtering identifiers associated therewith , said computer system comprising : a database for storing the data messages , associated user specifiable calendar date of message creation , and associated number of filtering identifiers , said database storing each of the data message having an associated user specifiable calendar date of message creation and associated number of filtering identifiers as a separate database record ;
means for entering the plurality of data messages , the associated user specifiable calendar dates of message creation and the associated number of filtering identifiers into said database ;
means for entering filtering criteria corresponding to any of the filtering identifiers associated with any of said plurality of database records ;
and a processor operable to receive said filtering criteria and generate a subset of said database records having filtering identifiers in common with said filtering criteria , said subset (storing instructions, network interface) of database records being organized in a timeline sequence according to the user specifiable calendar date of message creation associated with each of said database records in said subset regardless of the actual creation date of each of said database records .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said timeline) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said timeline (data packet, filtering means) sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .
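Claims 5, 6 and 9 of US7739302B2 charted above recite the filtering actually performed by the internal firewall management component: authorize a request only if the IP header is complete with respect to source, destination and route, filter on the IP addresses in that header, check that the packet arrived via an authorized network interface, and pass the packet to the proper port of the NAD only after those checks succeed. The Python below is an added worked example of that decision chain (it also covers the parallel limitations of claims 12, 13 and 16); it is not code from the patent, Robust Networks or Firenet. The NAD address, client allowlist, interface names and service ports are constructed, "header complete" is taken here to mean a well-formed IPv4 header whose checksum verifies, and "route" is approximated by the TTL and the ingress interface, which is this example's interpretation rather than anything the claims define.

```python
"""Header-based access filter for a network attached device (added example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPV4_MIN_HEADER = 20
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Policy:
    nad_address: str                 # the NAD's own IPv4 address (constructed)
    allowed_sources: frozenset       # client addresses permitted to reach the NAD
    allowed_interfaces: frozenset    # ingress interfaces the NAD accepts requests on
    service_ports: frozenset         # ports the data management component serves


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; a valid header sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> Optional[dict]:
    """Return header fields, or None when the header is incomplete or corrupt."""
    if len(packet) < IPV4_MIN_HEADER:
        return None
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_MIN_HEADER])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_MIN_HEADER or len(packet) < ihl or total_len != len(packet):
        return None
    if ipv4_checksum(packet[:ihl]) != 0:
        return None
    fields = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
              "ttl": ttl, "proto": proto, "dport": None}
    if proto in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        fields["dport"] = dport
    return fields


def authorize(packet: bytes, ingress_iface: str, policy: Policy) -> tuple:
    """Return (allowed, reason, port). Access is granted only when allowed is True."""
    hdr = parse_ipv4(packet)
    if hdr is None:                                   # claim 4/5: header must be complete
        return False, "incomplete or corrupt header", None
    if hdr["ttl"] == 0:                               # route information exhausted
        return False, "route exhausted (ttl 0)", None
    if ingress_iface not in policy.allowed_interfaces:  # claim 6/13: authorized interface
        return False, "unauthorized interface %s" % ingress_iface, None
    if hdr["src"] not in policy.allowed_sources:      # claim 5: filter on source IP
        return False, "source %s not permitted" % hdr["src"], None
    if hdr["dst"] != policy.nad_address:              # claim 5: filter on destination IP
        return False, "destination %s is not this NAD" % hdr["dst"], None
    if hdr["dport"] not in policy.service_ports:      # claim 9/16: proper port of the NAD
        return False, "port %s is not a NAD service port" % hdr["dport"], None
    return True, "authorized", hdr["dport"]           # pass the packet to that port


def build_packet(src: str, dst: str, dport: int, ttl: int = 64, proto: int = PROTO_TCP) -> bytes:
    """Constructed test traffic: minimal IPv4 header plus a 4-byte transport port pair."""
    payload = struct.pack("!HH", 40000, dport)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HEADER + len(payload), 1, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed policy: one NAD, one permitted client, LAN-side ingress only, SMB and raw-print ports.
POLICY = Policy("192.0.2.10", frozenset({"192.0.2.20"}), frozenset({"lan0"}), frozenset({445, 9100}))

if __name__ == "__main__":
    cases = [(build_packet("192.0.2.20", "192.0.2.10", 9100), "lan0"),    # authorized
             (build_packet("198.51.100.7", "192.0.2.10", 9100), "lan0"),  # foreign source
             (build_packet("192.0.2.20", "192.0.2.10", 9100), "wan0"),    # wrong interface
             (build_packet("192.0.2.20", "192.0.2.10", 22), "lan0"),      # port not served
             (build_packet("192.0.2.20", "192.0.2.10", 9100)[:12], "lan0")]  # truncated header
    for pkt, iface in cases:
        print(authorize(pkt, iface, POLICY))
```

The ordering matters for the "independently of a firewall external to the NAD" limitation: every check runs on the packet as received at the NAD, so a request that reached the LAN without traversing the perimeter firewall (the claim 5 case) is evaluated exactly as one that did.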

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said timeline) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said time (data packet, filtering means) line sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (computer processor, said subset, said memory) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (computer processor, said subset, said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said time) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said time (data packet, filtering means) line sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .

US5649182A
CLAIM 8
. The computer system of claim 7 wherein each of said computer processors (storing instructions, network interface) includes means for permitting variable levels of access to said database records .

US5649182A
CLAIM 10
. The computer system of claim 1 wherein said means for entering the plurality of data messages and associated user specifiable calendar dates of message creation into said database includes memory means external to said computer system ;
and wherein said computer system includes means for interfacing with said memory (storing instructions, network interface) means to thereby receive the plurality of data messages and associated user specifiable calendar dates of message creation into said database .

US5649182A
CLAIM 16
. A computer system for organizing a plurality of data messages having a user specifiable calendar date of message creation and a number of filtering identifiers associated therewith , said computer system comprising : a database for storing the data messages , associated user specifiable calendar date of message creation , and associated number of filtering identifiers , said database storing each of the data message having an associated user specifiable calendar date of message creation and associated number of filtering identifiers as a separate database record ;
means for entering the plurality of data messages , the associated user specifiable calendar dates of message creation and the associated number of filtering identifiers into said database ;
means for entering filtering criteria corresponding to any of the filtering identifiers associated with any of said plurality of database records ;
and a processor operable to receive said filtering criteria and generate a subset of said database records having filtering identifiers in common with said filtering criteria , said subset (storing instructions, network interface) of database records being organized in a timeline sequence according to the user specifiable calendar date of message creation associated with each of said database records in said subset regardless of the actual creation date of each of said database records .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (computer processor, said subset, said memory) .
US5649182A
CLAIM 8
. The computer system of claim 7 wherein each of said computer processors (storing instructions, network interface) includes means for permitting variable levels of access to said database records .

US5649182A
CLAIM 10
. The computer system of claim 1 wherein said means for entering the plurality of data messages and associated user specifiable calendar dates of message creation into said database includes memory means external to said computer system ;
and wherein said computer system includes means for interfacing with said memory (storing instructions, network interface) means to thereby receive the plurality of data messages and associated user specifiable calendar dates of message creation into said database .

US5649182A
CLAIM 16
. A computer system for organizing a plurality of data messages having a user specifiable calendar date of message creation and a number of filtering identifiers associated therewith , said computer system comprising : a database for storing the data messages , associated user specifiable calendar date of message creation , and associated number of filtering identifiers , said database storing each of the data message having an associated user specifiable calendar date of message creation and associated number of filtering identifiers as a separate database record ;
means for entering the plurality of data messages , the associated user specifiable calendar dates of message creation and the associated number of filtering identifiers into said database ;
means for entering filtering criteria corresponding to any of the filtering identifiers associated with any of said plurality of database records ;
and a processor operable to receive said filtering criteria and generate a subset of said database records having filtering identifiers in common with said filtering criteria , said subset (storing instructions, network interface) of database records being organized in a timeline sequence according to the user specifiable calendar date of message creation associated with each of said database records in said subset regardless of the actual creation date of each of said database records .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device , and a video codec (media data) .
US5649182A
CLAIM 3
. The computer system of claim 1 wherein said processor includes means for linking multimedia data (video codec) with any of said database records such that said multimedia data is not stored within said database record .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (said time) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said time) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said time (data packet, filtering means) line sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said time) is further configured to carry out the filtering at an application layer of a network stack .
US5649182A
CLAIM 2
. The computer system of claim 1 wherein each of the plurality of data messages further has a user specifiable time of day of message creation associated therewith such that each of said database records includes a time of day of message creation associated therewith ;
and wherein said means for entering includes means for entering a user specifiable time of day of message creation for each of said database records ;
and wherein said processor is further operable to automatically organize said database records in said time (data packet, filtering means) line sequence according to the user specifiable time of day of message creation associated with each of said database records regardless of the actual time of creation of each of said database records .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device , and a video codec (media data) .
US5649182A
CLAIM 3
. The computer system of claim 1 wherein said processor includes means for linking multimedia data (video codec) with any of said database records such that said multimedia data is not stored within said database record .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5696906A

Filed: 1995-03-09     Issued: 1997-12-09

Telecommunicaion user account management system and method

(Original Assignee) Continental Cablevision Inc     (Current Assignee) Comcast MO Group Inc

J. Michael Peters, Barry Battista, Christopher Brown
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5696906A
CLAIM 1
. An apparatus comprising : a . means for storing types of data for subscriber cable television service ;
the types of data further comprising : data for individual subscriber accounts for cable television service , data for equipment for provision of subscriber cable television service , data for cable television system converters , and data for dwellings serviced by subscriber cable television service ;
the stored data being stored in compatible formats ;
and the means for storing types of data further comprise : a programmed computer network installed in offices of cable television systems , with separate databases maintained for each office , b . means for executing data functions on such data to change such data to reflect current activity , the data functions further comprise display user functions , menu user functions , and supervisor functions , where : (i) the display user functions further comprise : alternate address functions , collection activity , dwelling , drop burial , equipment functions , financial adjustment , inquiry logging , request-for-action job , letters , memos , order entry , printing , telephone interface , reminders , subscriber information , trouble orders , utilities , pay-per-view , and work order , (ii) the menu user functions further comprise : SAM menu functions , customer service functions , miscellaneous job functions , drop burial inquiry , dispatch , converter tracking , dwelling management , billing and collection , payment processing , and work order calendar and points ;
and the billing and collection functions include generation of bills , generation of disconnect notices , payment processing , and related functions , and (iii) the supervisor functions and reports further comprise : accounting functions , functions to manage users , reports , and miscellaneous functions , c . means for generating types of reports from such data , the types of reports further comprising : reports for technical personnel , reports for warehouse personnel , reports for accounting/collection personnel , reports for work order control personnel , reports for dispatchers , and reports for pay-per-view activity , and d . means for performing ancillary functions on the data , the ancillary functions further comprising : SAM reports , electronic mail (network destination) , word processing , a phone utility , a personal computer function , office automation software packages , and spread sheets .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (television service) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5696906A
CLAIM 1
. An apparatus comprising : a . means for storing types of data for subscriber cable television service (IP addresses) ;
the types of data further comprising : data for individual subscriber accounts for cable television service , data for equipment for provision of subscriber cable television service , data for cable television system converters , and data for dwellings serviced by subscriber cable television service ;
the stored data being stored in compatible formats ;
and the means for storing types of data further comprise : a programmed computer network installed in offices of cable television systems , with separate databases maintained for each office , b . means for executing data functions on such data to change such data to reflect current activity , the data functions further comprise display user functions , menu user functions , and supervisor functions , where : (i) the display user functions further comprise : alternate address functions , collection activity , dwelling , drop burial , equipment functions , financial adjustment , inquiry logging , request-for-action job , letters , memos , order entry , printing , telephone interface , reminders , subscriber information , trouble orders , utilities , pay-per-view , and work order , (ii) the menu user functions further comprise : SAM menu functions , customer service functions , miscellaneous job functions , drop burial inquiry , dispatch , converter tracking , dwelling management , billing and collection , payment processing , and work order calendar and points ;
and the billing and collection functions include generation of bills , generation of disconnect notices , payment processing , and related functions , and (iii) the supervisor functions and reports further comprise : accounting functions , functions to manage users , reports , and miscellaneous functions , c . means for generating types of reports from such data , the types of reports further comprising : reports for technical personnel , reports for warehouse personnel , reports for accounting/collection personnel , reports for work order control personnel , reports for dispatchers , and reports for pay-per-view activity , and d . means for performing ancillary functions on the data , the ancillary functions further comprising : SAM reports , electronic mail , word processing , a phone utility , a personal computer function , office automation software packages , and spread sheets .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5696906A
CLAIM 1
. An apparatus comprising : a . means for storing types of data for subscriber cable television service ;
the types of data further comprising : data for individual subscriber accounts for cable television service , data for equipment for provision of subscriber cable television service , data for cable television system converters , and data for dwellings serviced by subscriber cable television service ;
the stored data being stored in compatible formats ;
and the means for storing types of data further comprise : a programmed computer network installed in offices of cable television systems , with separate databases maintained for each office , b . means for executing data functions on such data to change such data to reflect current activity , the data functions further comprise display user functions , menu user functions , and supervisor functions , where : (i) the display user functions further comprise : alternate address functions , collection activity , dwelling , drop burial , equipment functions , financial adjustment , inquiry logging , request-for-action job , letters , memos , order entry , printing , telephone interface , reminders , subscriber information , trouble orders , utilities , pay-per-view , and work order , (ii) the menu user functions further comprise : SAM menu functions , customer service functions , miscellaneous job functions , drop burial inquiry , dispatch , converter tracking , dwelling management , billing and collection , payment processing , and work order calendar and points ;
and the billing and collection functions include generation of bills , generation of disconnect notices , payment processing , and related functions , and (iii) the supervisor functions and reports further comprise : accounting functions , functions to manage users , reports , and miscellaneous functions , c . means for generating types of reports from such data , the types of reports further comprising : reports for technical personnel , reports for warehouse personnel , reports for accounting/collection personnel , reports for work order control personnel , reports for dispatchers , and reports for pay-per-view activity , and d . means for performing ancillary functions on the data , the ancillary functions further comprising : SAM reports , electronic mail (network destination) , word processing , a phone utility , a personal computer function , office automation software packages , and spread sheets .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5696906A
CLAIM 1
. An apparatus comprising : a . means for storing types of data for subscriber cable television service ;
the types of data further comprising : data for individual subscriber accounts for cable television service , data for equipment for provision of subscriber cable television service , data for cable television system converters , and data for dwellings serviced by subscriber cable television service ;
the stored data being stored in compatible formats ;
and the means for storing types of data further comprise : a programmed computer network installed in offices of cable television systems , with separate databases maintained for each office , b . means for executing data functions on such data to change such data to reflect current activity , the data functions further comprise display user functions , menu user functions , and supervisor functions , where : (i) the display user functions further comprise : alternate address functions , collection activity , dwelling , drop burial , equipment functions , financial adjustment , inquiry logging , request-for-action job , letters , memos , order entry , printing , telephone interface , reminders , subscriber information , trouble orders , utilities , pay-per-view , and work order , (ii) the menu user functions further comprise : SAM menu functions , customer service functions , miscellaneous job functions , drop burial inquiry , dispatch , converter tracking , dwelling management , billing and collection , payment processing , and work order calendar and points ;
and the billing and collection functions include generation of bills , generation of disconnect notices , payment processing , and related functions , and (iii) the supervisor functions and reports further comprise : accounting functions , functions to manage users , reports , and miscellaneous functions , c . means for generating types of reports from such data , the types of reports further comprising : reports for technical personnel , reports for warehouse personnel , reports for accounting/collection personnel , reports for work order control personnel , reports for dispatchers , and reports for pay-per-view activity , and d . means for performing ancillary functions on the data , the ancillary functions further comprising : SAM reports , electronic mail (network destination) , word processing , a phone utility , a personal computer function , office automation software packages , and spread sheets .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5696906A
CLAIM 1
. An apparatus comprising : a . means for storing types of data for subscriber cable television service ;
the types of data further comprising : data for individual subscriber accounts for cable television service , data for equipment for provision of subscriber cable television service , data for cable television system converters , and data for dwellings serviced by subscriber cable television service ;
the stored data being stored in compatible formats ;
and the means for storing types of data further comprise : a programmed computer network installed in offices of cable television systems , with separate databases maintained for each office , b . means for executing data functions on such data to change such data to reflect current activity , the data functions further comprise display user functions , menu user functions , and supervisor functions , where : (i) the display user functions further comprise : alternate address functions , collection activity , dwelling , drop burial , equipment functions , financial adjustment , inquiry logging , request-for-action job , letters , memos , order entry , printing , telephone interface , reminders , subscriber information , trouble orders , utilities , pay-per-view , and work order , (ii) the menu user functions further comprise : SAM menu functions , customer service functions , miscellaneous job functions , drop burial inquiry , dispatch , converter tracking , dwelling management , billing and collection , payment processing , and work order calendar and points ;
and the billing and collection functions include generation of bills , generation of disconnect notices , payment processing , and related functions , and (iii) the supervisor functions and reports further comprise : accounting functions , functions to manage users , reports , and miscellaneous functions , c . means for generating types of reports from such data , the types of reports further comprising : reports for technical personnel , reports for warehouse personnel , reports for accounting/collection personnel , reports for work order control personnel , reports for dispatchers , and reports for pay-per-view activity , and d . means for performing ancillary functions on the data , the ancillary functions further comprising : SAM reports , electronic mail (network destination) , word processing , a phone utility , a personal computer function , office automation software packages , and spread sheets .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5557748A

Filed: 1995-02-03     Issued: 1996-09-17

Dynamic network configuration

(Original Assignee) Intel Corp     (Current Assignee) Intel Corp

David Norris
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (memory stores) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5557748A
CLAIM 13
. A computer system that dynamically configures network parameters when coupled to a network , said computer system comprising : at least one central processing unit (CPU) ;
a memory coupled to said CPU , wherein said memory stores (electronic communication) a plurality of network parameters and a plurality of network participants corresponding to at least one previous network location , said network participants identifying participants observed for said corresponding at least one previous network location ;
and a dynamic network configuration coupled to said CPU for snooping on said network to observe network transactions occurring on said network , for evaluating said network transactions to determine at least one network parameter , and for configuring said computer system with said at least one network parameters so as to dynamically configured said computer system based on said network transactions observed , said dynamic network configuration for generating a current network participants list based on said network transactions to identify at least one network device , and for comparing said current network participants list with said network participants for said at least one previous network location , and for configuring said computer system with network parameter corresponding to said at least one previous network location when said current network participants compares with said network device on said network participants .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (computer device, said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5557748A
CLAIM 1
. A method for dynamically configurating network parameters for a computer device (storing instructions) coupled to a network , said method comprising the steps of : a) storing a plurality of network parameters and a plurality of network participants corresponding to at least one previous network location , said network participants identifying participants observed for said corresponding at least one previous network location ;
b) snooping on said network to observe network transactions occurring on said network ;
c) evaluating said network transactions to determine at least one network parameter , wherein the step of evaluating said network transactions comprises the step of generating a current network participants list based on said network transactions to identify at least one previous network location ;
and d) configurating said computer device with said at least one network parameters so as to dynamically configure said computer device based on said network transactions observed , wherein the step of configurating said computer device comprises the step of configurating said computer device with network parameters corresponding to said at least one previous location when said current network participants compares with said network device on said network participants .

US5557748A
CLAIM 13
. A computer system that dynamically configures network parameters when coupled to a network , said computer system comprising : at least one central processing unit (processing unit) (CPU) ;
a memory coupled to said CPU , wherein said memory (storing instructions) stores a plurality of network parameters and a plurality of network participants corresponding to at least one previous network location , said network participants identifying participants observed for said corresponding at least one previous network location ;
and a dynamic network configuration coupled to said CPU for snooping on said network to observe network transactions occurring on said network , for evaluating said network transactions to determine at least one network parameter , and for configuring said computer system with said at least one network parameters so as to dynamically configured said computer system based on said network transactions observed , said dynamic network configuration for generating a current network participants list based on said network transactions to identify at least one network device , and for comparing said current network participants list with said network participants for said at least one previous network location , and for configuring said computer system with network parameter corresponding to said at least one previous network location when said current network participants compares with said network device on said network participants .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
US5557748A
CLAIM 13
. A computer system that dynamically configures network parameters when coupled to a network , said computer system comprising : at least one central processing unit (processing unit) (CPU) ;
a memory coupled to said CPU , wherein said memory stores a plurality of network parameters and a plurality of network participants corresponding to at least one previous network location , said network participants identifying participants observed for said corresponding at least one previous network location ;
and a dynamic network configuration coupled to said CPU for snooping on said network to observe network transactions occurring on said network , for evaluating said network transactions to determine at least one network parameter , and for configuring said computer system with said at least one network parameters so as to dynamically configured said computer system based on said network transactions observed , said dynamic network configuration for generating a current network participants list based on said network transactions to identify at least one network device , and for comparing said current network participants list with said network participants for said at least one previous network location , and for configuring said computer system with network parameter corresponding to said at least one previous network location when said current network participants compares with said network device on said network participants .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
US5557748A
CLAIM 13
. A computer system that dynamically configures network parameters when coupled to a network , said computer system comprising : at least one central processing unit (processing unit) (CPU) ;
a memory coupled to said CPU , wherein said memory stores a plurality of network parameters and a plurality of network participants corresponding to at least one previous network location , said network participants identifying participants observed for said corresponding at least one previous network location ;
and a dynamic network configuration coupled to said CPU for snooping on said network to observe network transactions occurring on said network , for evaluating said network transactions to determine at least one network parameter , and for configuring said computer system with said at least one network parameters so as to dynamically configured said computer system based on said network transactions observed , said dynamic network configuration for generating a current network participants list based on said network transactions to identify at least one network device , and for comparing said current network participants list with said network participants for said at least one previous network location , and for configuring said computer system with network parameter corresponding to said at least one previous network location when said current network participants compares with said network device on said network participants .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
US5557748A
CLAIM 13
. A computer system that dynamically configures network parameters when coupled to a network , said computer system comprising : at least one central processing unit (processing unit) (CPU) ;
a memory coupled to said CPU , wherein said memory stores a plurality of network parameters and a plurality of network participants corresponding to at least one previous network location , said network participants identifying participants observed for said corresponding at least one previous network location ;
and a dynamic network configuration coupled to said CPU for snooping on said network to observe network transactions occurring on said network , for evaluating said network transactions to determine at least one network parameter , and for configuring said computer system with said at least one network parameters so as to dynamically configured said computer system based on said network transactions observed , said dynamic network configuration for generating a current network participants list based on said network transactions to identify at least one network device , and for comparing said current network participants list with said network participants for said at least one previous network location , and for configuring said computer system with network parameter corresponding to said at least one previous network location when said current network participants compares with said network device on said network participants .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US5557748A
CLAIM 13
. A computer system that dynamically configures network parameters when coupled to a network , said computer system comprising : at least one central processing unit (processing unit) (CPU) ;
a memory coupled to said CPU , wherein said memory stores a plurality of network parameters and a plurality of network participants corresponding to at least one previous network location , said network participants identifying participants observed for said corresponding at least one previous network location ;
and a dynamic network configuration coupled to said CPU for snooping on said network to observe network transactions occurring on said network , for evaluating said network transactions to determine at least one network parameter , and for configuring said computer system with said at least one network parameters so as to dynamically configured said computer system based on said network transactions observed , said dynamic network configuration for generating a current network participants list based on said network transactions to identify at least one network device , and for comparing said current network participants list with said network participants for said at least one previous network location , and for configuring said computer system with network parameter corresponding to said at least one previous network location when said current network participants compares with said network device on said network participants .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5538007A

Filed: 1995-01-30     Issued: 1996-07-23

Biomedical response monitor and method using identification signal

(Original Assignee) Gorman; Peter G.     

Peter G. Gorman
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (first port) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion (data packet) and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 10
. A monitor for measuring and displaying a human body condition , comprising : a transmitter unit including means for enabling said unit to be worn by a person to be monitored , said transmitter unit including : sensor means for detecting a body signal , means for using said body signal to produce a first electrical signal used to determine said condition , encoder means for producing an encoded digital identification signal unique to said monitor , transmitting means for wirelessly transmitting said encoded digital identification signal and said first electrical signal to a display unit , a display unit for displaying information about said human body condition , said display unit including : receiver means for receiving said encoded digital identification signal and said first electrical signal from said transmitter unit , comparator means including means for receiving a reference signal input for comparison therewith for determining if said received identification signal and said first signal are from said transmitter unit , means for rejecting said received first electrical signal if it is not from said transmitter unit , and a display means for displaying to said person information (network destination) representative of said human body condition .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (display unit) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit (network protocol programs) , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (first port) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion (data packet) and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (sensor means) with each other over a same network , the NAD comprising ;

a data management component (information representative) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (first port) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion (data packet) and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 5
. A heartbeat rate monitor , including : sensor means (electronic communication) for sensing a body signal from which heartbeat rate can be determined , a transmitting means for producing an encoded digital identification signal identifying said transmitting means , said transmitting means including means for producing a first signal used to determine a person's heartbeat rate , said transmitting means containing a transmitter for wireless transmission of said identification signal and said first signal to a display means and a display means for producing a display of said person's heartbeat rate , said display means including a receiver for receiving said wireless transmission of said identification signal and said first signal , means for determining if said received identification signal is from said transmitting means , means for detecting errors in the received first signal , said errors occurring during said wireless transmission from said transmitter to said receiver , means for correcting said errors and a display for displaying said heartbeat rate .

US5538007A
CLAIM 10
. A monitor for measuring and displaying a human body condition , comprising : a transmitter unit including means for enabling said unit to be worn by a person to be monitored , said transmitter unit including : sensor means for detecting a body signal , means for using said body signal to produce a first electrical signal used to determine said condition , encoder means for producing an encoded digital identification signal unique to said monitor , transmitting means for wirelessly transmitting said encoded digital identification signal and said first electrical signal to a display unit , a display unit for displaying information about said human body condition , said display unit including : receiver means for receiving said encoded digital identification signal and said first electrical signal from said transmitter unit , comparator means including means for receiving a reference signal input for comparison therewith for determining if said received identification signal and said first signal are from said transmitter unit , means for rejecting said received first electrical signal if it is not from said transmitter unit , and a display means for displaying to said person information representative (data management component) of said human body condition .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (first port) arrived via an authorized network interface .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion (data packet) and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (first port) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion (data packet) and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (first port) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion (data packet) and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 10
. A monitor for measuring and displaying a human body condition , comprising : a transmitter unit including means for enabling said unit to be worn by a person to be monitored , said transmitter unit including : sensor means for detecting a body signal , means for using said body signal to produce a first electrical signal used to determine said condition , encoder means for producing an encoded digital identification signal unique to said monitor , transmitting means for wirelessly transmitting said encoded digital identification signal and said first electrical signal to a display unit , a display unit for displaying information about said human body condition , said display unit including : receiver means for receiving said encoded digital identification signal and said first electrical signal from said transmitter unit , comparator means including means for receiving a reference signal input for comparison therewith for determining if said received identification signal and said first signal are from said transmitter unit , means for rejecting said received first electrical signal if it is not from said transmitter unit , and a display means for displaying to said person information (network destination) representative of said human body condition .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (following steps, said signals) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (following steps, said signals) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (first port) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps (device interface, storage device, storing instructions) : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion (data packet) and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 10
. A monitor for measuring and displaying a human body condition , comprising : a transmitter unit including means for enabling said unit to be worn by a person to be monitored , said transmitter unit including : sensor means for detecting a body signal , means for using said body signal to produce a first electrical signal used to determine said condition , encoder means for producing an encoded digital identification signal unique to said monitor , transmitting means for wirelessly transmitting said encoded digital identification signal and said first electrical signal to a display unit , a display unit for displaying information about said human body condition , said display unit including : receiver means for receiving said encoded digital identification signal and said first electrical signal from said transmitter unit , comparator means including means for receiving a reference signal input for comparison therewith for determining if said received identification signal and said first signal are from said transmitter unit , means for rejecting said received first electrical signal if it is not from said transmitter unit , and a display means for displaying to said person information (network destination) representative of said human body condition .

US5538007A
CLAIM 14
. A heartbeat rate monitor , comprising : sensor means for sensing an ECG signal of heartbeat pulses , a transmitting means for using said ECG signal for producing a first signal used to determine a person's heartbeat rate , said transmitting means including a transmitter for wireless transmission over a frequency range of said first signal and an identification signal to a receiver in a display means , encoding means for producing an encoded digital identification signal identifying said transmitting means , a receiver for receiving said identification signal and said first signal sent via wireless transmission from said transmitting means , means for determining if said received signals are from said transmitting means , a display means for displaying the person's heartbeat rate if said signals (device interface, storage device, storing instructions) are from said transmitting means , and error detection means for detecting errors in said first signal in said display means , said errors being caused during said wireless transmission , error correction means for correcting said errors .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing device (sensor output) , the selectively generated packet containing the request for access to the directly attached device .
US5538007A
CLAIM 20
. A monitor for measuring and displaying a biomedical condition including : sensor means for sensing a biomedical condition and producing an output , a transmitting means including means for producing a first encoded digital signal identifying said transmitting means and means for using said sensor output (intermediary computing device) to produce a second signal used to measure a biomedical condition , said transmitting means including a transmitter for wirelessly transmitting said first and second signals to a receiver over a first frequency , a receiver for receiving said first encoded digital identification signal and said second signal , identification means for determining if said received first identification signal is from said transmitting means , means using said second signal to determine said biomedical condition , and a display means for displaying said biomedical condition if said first signal is from said transmitting means .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps, said signals) .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps (device interface, storage device, storing instructions) : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 14
. A heartbeat rate monitor , comprising : sensor means for sensing an ECG signal of heartbeat pulses , a transmitting means for using said ECG signal for producing a first signal used to determine a person's heartbeat rate , said transmitting means including a transmitter for wireless transmission over a frequency range of said first signal and an identification signal to a receiver in a display means , encoding means for producing an encoded digital identification signal identifying said transmitting means , a receiver for receiving said identification signal and said first signal sent via wireless transmission from said transmitting means , means for determining if said received signals are from said transmitting means , a display means for displaying the person's heartbeat rate if said signals (device interface, storage device, storing instructions) are from said transmitting means , and error detection means for detecting errors in said first signal in said display means , said errors being caused during said wireless transmission , error correction means for correcting said errors .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps, said signals) comprises a SCSI interface .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps (device interface, storage device, storing instructions) : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 14
. A heartbeat rate monitor , comprising : sensor means for sensing an ECG signal of heartbeat pulses , a transmitting means for using said ECG signal for producing a first signal used to determine a person's heartbeat rate , said transmitting means including a transmitter for wireless transmission over a frequency range of said first signal and an identification signal to a receiver in a display means , encoding means for producing an encoded digital identification signal identifying said transmitting means , a receiver for receiving said identification signal and said first signal sent via wireless transmission from said transmitting means , means for determining if said received signals are from said transmitting means , a display means for displaying the person's heartbeat rate if said signals (device interface, storage device, storing instructions) are from said transmitting means , and error detection means for detecting errors in said first signal in said display means , said errors being caused during said wireless transmission , error correction means for correcting said errors .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps, said signals) , and a video codec .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps (device interface, storage device, storing instructions) : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 14
. A heartbeat rate monitor , comprising : sensor means for sensing an ECG signal of heartbeat pulses , a transmitting means for using said ECG signal for producing a first signal used to determine a person's heartbeat rate , said transmitting means including a transmitter for wireless transmission over a frequency range of said first signal and an identification signal to a receiver in a display means , encoding means for producing an encoded digital identification signal identifying said transmitting means , a receiver for receiving said identification signal and said first signal sent via wireless transmission from said transmitting means , means for determining if said received signals are from said transmitting means , a display means for displaying the person's heartbeat rate if said signals (device interface, storage device, storing instructions) are from said transmitting means , and error detection means for detecting errors in said first signal in said display means , said errors being caused during said wireless transmission , error correction means for correcting said errors .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (transmitting unit) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet (first port) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion (data packet) and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 10
. A monitor for measuring and displaying a human body condition , comprising : a transmitter unit including means for enabling said unit to be worn by a person to be monitored , said transmitter unit including : sensor means for detecting a body signal , means for using said body signal to produce a first electrical signal used to determine said condition , encoder means for producing an encoded digital identification signal unique to said monitor , transmitting means for wirelessly transmitting said encoded digital identification signal and said first electrical signal to a display unit , a display unit for displaying information about said human body condition , said display unit including : receiver means for receiving said encoded digital identification signal and said first electrical signal from said transmitter unit , comparator means including means for receiving a reference signal input for comparison therewith for determining if said received identification signal and said first signal are from said transmitter unit , means for rejecting said received first electrical signal if it is not from said transmitter unit , and a display means for displaying to said person information (network destination) representative of said human body condition .

US5538007A
CLAIM 29
. A heartbeat monitor , comprising : a sensor for obtaining an ECG signal , means for producing a data signal from said ECG signal , said data signal being used to determine heartbeat rate , a transmitting unit (managing means, receiving requests) for wireless transmission to a receiver , means for producing an identification signal associated with said transmitting unit , said transmitting unit including a transmitter for wirelessly transmitting said identification signal and said data signal over a first frequency to said receiver , identification means using said received identification signal for determining if said data signal is from said transmitter , means for providing a signal representing heartbeat rate to a display means , and display means for displaying heartbeat rate if said data signal is from said transmitter .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (following steps, said signals) if the request is allowed .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps (device interface, storage device, storing instructions) : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 14
. A heartbeat rate monitor , comprising : sensor means for sensing an ECG signal of heartbeat pulses , a transmitting means for using said ECG signal for producing a first signal used to determine a person's heartbeat rate , said transmitting means including a transmitter for wireless transmission over a frequency range of said first signal and an identification signal to a receiver in a display means , encoding means for producing an encoded digital identification signal identifying said transmitting means , a receiver for receiving said identification signal and said first signal sent via wireless transmission from said transmitting means , means for determining if said received signals are from said transmitting means , a display means for displaying the person's heartbeat rate if said signals (device interface, storage device, storing instructions) are from said transmitting means , and error detection means for detecting errors in said first signal in said display means , said errors being caused during said wireless transmission , error correction means for correcting said errors .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (transmitting unit) is further configured to manage access over a SCSI interface .
US5538007A
CLAIM 29
. A heartbeat monitor , comprising : a sensor for obtaining an ECG signal , means for producing a data signal from said ECG signal , said data signal being used to determine heartbeat rate , a transmitting unit (managing means, receiving requests) for wireless transmission to a receiver , means for producing an identification signal associated with said transmitting unit , said transmitting unit including a transmitter for wirelessly transmitting said identification signal and said data signal over a first frequency to said receiver , identification means using said received identification signal for determining if said data signal is from said transmitter , means for providing a signal representing heartbeat rate to a display means , and display means for displaying heartbeat rate if said data signal is from said transmitter .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps, said signals) , and a video codec .
US5538007A
CLAIM 1
. A method for monitoring the heartbeat of a person , comprising the following steps (device interface, storage device, storing instructions) : obtaining an ECG signal of heartbeat pulses from said person , determining the heartbeat rate of said person from said ECG signal , producing a signal having an encoded digital identification first portion and a second portion used to determine the heartbeat rate of said person , wirelessly transmitting said first identification portion and said second portion of said signal to a display unit , comparing said transmitted encoded first identification portion with a reference signal to determine if there is a match to said identification portion , producing an electrical signal representing said heartbeat rate , transmitting said electrical signal representing said heartbeat rate to a display viewable by said person only if said encoded identification portion successfully matches said reference signal , and displaying said person's heartbeat rate if there is a match between said first identification portion and said reference signal .

US5538007A
CLAIM 14
. A heartbeat rate monitor , comprising : sensor means for sensing an ECG signal of heartbeat pulses , a transmitting means for using said ECG signal for producing a first signal used to determine a person's heartbeat rate , said transmitting means including a transmitter for wireless transmission over a frequency range of said first signal and an identification signal to a receiver in a display means , encoding means for producing an encoded digital identification signal identifying said transmitting means , a receiver for receiving said identification signal and said first signal sent via wireless transmission from said transmitting means , means for determining if said received signals are from said transmitting means , a display means for displaying the person's heartbeat rate if said signals (device interface, storage device, storing instructions) are from said transmitting means , and error detection means for detecting errors in said first signal in said display means , said errors being caused during said wireless transmission , error correction means for correcting said errors .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5724581A

Filed: 1994-12-14     Issued: 1998-03-03

Data base management system for recovering from an abnormal condition

(Original Assignee) Fujitsu Ltd     (Current Assignee) Fujitsu Ltd

Fumihiko Kozakura
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (point a) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (main storage) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5724581A
CLAIM 1
. A data base management system comprising : a secondary storage unit having data base storing means for storing data divided into physical pages , each physical page corresponding one-to-one to a logical page ;
a current page table for managing position information (network destination) about a latest physical page storing latest updated data and a shadow physical page storing the data before a latest update in each of the logical pages ;
a current page table management table for pointing to a shadow page table which is a copy of the current page table at a checkpoint , and a latest page table which is the current page table as updated after the checkpoint ;
blank physical page management means for managing unused physical pages in the secondary storage unit ;
first updating means which accesses said current page table management table when data in a logical page is updated by a transaction , said first updating means referring to management information about said blank physical page management means when a shadow page table does not exist corresponding to the page table containing the position information about the physical page corresponding to the logical page and obtaining an unused physical page , thereafter said first updating means copying the data in the latest updated page table to the physical page and enters the copied data in said current page table management table as the latest page table for the logical page and a page table before the latest update as the shadow page table , said first updating means updating said blank physical page management means to indicate the obtained physical page as being used , and checks the position information about the physical page corresponding to the logical page in said current page table according to the management information in said current page table management table , and refers to the management information in said blank physical page management means if the shadow physical page corresponding to the logical page does not exist according to the position information thereafter obtaining a presently unused physical page from said data base storing means and entering the unused physical page in said current page table as the latest physical page of the logical page ;
second updating means for writing the updated data of the logical page to the latest physical page corresponding to the logical page to be updated which is entered in said current page table by referring to said current page table updated by said first updating means , and changing the position information pointing to the shadow page corresponding to the logical page in said current page table such that the information points to the updated physical page ;
and third updating means for updating said blank physical page management means to indicate that the shadow physical page is unused .

US5724581A
CLAIM 8
. The data base management table according to claim 1 , further comprising : a backup page table , provided in the secondary storage unit , for storing the data in said current page table at the checkpoint ;
a backup page table management table , used for recovery of data base and provided in the secondary storage unit , for storing the data in a page table in which the position information about the physical page in the secondary storage unit for storing the data , which are to recover from a failure , in the corresponding logical page ;
and checkpoint processing means for changing the data in said current page table management table in the main storage (executable instructions, computer executable instructions) unit such that only a present latest page table can be effectuated , copying the updated data to said backup page table management table in the secondary storage unit , and copying the data in said current page table in the main storage unit to said backup page table in the secondary storage unit .

US5724581A
CLAIM 19
. The data base management system according to claim 16 , further comprising : first control means for reading said backup page table management table from the secondary storage unit when a system failure has arisen , and copying the data in said backup page table management table to said current page table management table ;
a second control means for reading said backup page table from the secondary storage unit when a system failure has arisen , changing the data in said backup page table such that the position information about the logical page pointing to both the shadow physical page and the latest physical page as a corresponding physical page can refer only to the shadow physical page , and copying obtained data in the page table to said current page table ;
and third control means for restoring the data base in said data base storage means to a state in which transactions being processed at a checkpoint (NAD server) and having been completed before an occurrence of the system failure , and transactions processed after the checkpoint and having been completed before the occurrence of the system failure are completed after redoing the transaction according to said current page table management table generated by said first control means , said current page table generated by said second control means , and the log information stored in said log file .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (point a) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5724581A
CLAIM 19
. The data base management system according to claim 16 , further comprising : first control means for reading said backup page table management table from the secondary storage unit when a system failure has arisen , and copying the data in said backup page table management table to said current page table management table ;
a second control means for reading said backup page table from the secondary storage unit when a system failure has arisen , changing the data in said backup page table such that the position information about the logical page pointing to both the shadow physical page and the latest physical page as a corresponding physical page can refer only to the shadow physical page , and copying obtained data in the page table to said current page table ;
and third control means for restoring the data base in said data base storage means to a state in which transactions being processed at a checkpoint (NAD server) and having been completed before an occurrence of the system failure , and transactions processed after the checkpoint and having been completed before the occurrence of the system failure are completed after redoing the transaction according to said current page table management table generated by said first control means , said current page table generated by said second control means , and the log information stored in said log file .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5724581A
CLAIM 1
. A data base management system comprising : a secondary storage unit having data base storing means for storing data divided into physical pages , each physical page corresponding one-to-one to a logical page ;
a current page table for managing position information (network destination) about a latest physical page storing latest updated data and a shadow physical page storing the data before a latest update in each of the logical pages ;
a current page table management table for pointing to a shadow page table which is a copy of the current page table at a checkpoint , and a latest page table which is the current page table as updated after the checkpoint ;
blank physical page management means for managing unused physical pages in the secondary storage unit ;
first updating means which accesses said current page table management table when data in a logical page is updated by a transaction , said first updating means referring to management information about said blank physical page management means when a shadow page table does not exist corresponding to the page table containing the position information about the physical page corresponding to the logical page and obtaining an unused physical page , thereafter said first updating means copying the data in the latest updated page table to the physical page and enters the copied data in said current page table management table as the latest page table for the logical page and a page table before the latest update as the shadow page table , said first updating means updating said blank physical page management means to indicate the obtained physical page as being used , and checks the position information about the physical page corresponding to the logical page in said current page table according to the management information in said current page table management table , and refers to the management information in said blank physical page management means if the shadow physical page corresponding to the logical page does not exist according to the position information thereafter obtaining a presently unused physical page from said data base storing means and entering the unused physical page in said current page table as the latest physical page of the logical page ;
second updating means for writing the updated data of the logical page to the latest physical page corresponding to the logical page to be updated which is entered in said current page table by referring to said current page table updated by said first updating means , and changing the position information pointing to the shadow page corresponding to the logical page in said current page table such that the information points to the updated physical page ;
and third updating means for updating said blank physical page management means to indicate that the shadow physical page is unused .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (obtained data) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (position information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5724581A
CLAIM 1
. A data base management system comprising : a secondary storage unit having data base storing means for storing data divided into physical pages , each physical page corresponding one-to-one to a logical page ;
a current page table for managing position information (network destination) about a latest physical page storing latest updated data and a shadow physical page storing the data before a latest update in each of the logical pages ;
a current page table management table for pointing to a shadow page table which is a copy of the current page table at a checkpoint , and a latest page table which is the current page table as updated after the checkpoint ;
blank physical page management means for managing unused physical pages in the secondary storage unit ;
first updating means which accesses said current page table management table when data in a logical page is updated by a transaction , said first updating means referring to management information about said blank physical page management means when a shadow page table does not exist corresponding to the page table containing the position information about the physical page corresponding to the logical page and obtaining an unused physical page , thereafter said first updating means copying the data in the latest updated page table to the physical page and enters the copied data in said current page table management table as the latest page table for the logical page and a page table before the latest update as the shadow page table , said first updating means updating said blank physical page management means to indicate the obtained physical page as being used , and checks the position information about the physical page corresponding to the logical page in said current page table according to the management information in said current page table management table , and refers to the management information in said blank physical page management means if the shadow physical page corresponding to the logical page does not exist according to the position information thereafter obtaining a presently unused physical page from said data base storing means and entering the unused physical page in said current page table as the latest physical page of the logical page ;
second updating means for writing the updated data of the logical page to the latest physical page corresponding to the logical page to be updated which is entered in said current page table by referring to said current page table updated by said first updating means , and changing the position information pointing to the shadow page corresponding to the logical page in said current page table such that the information points to the updated physical page ;
and third updating means for updating said blank physical page management means to indicate that the shadow physical page is unused .

US5724581A
CLAIM 19
. The data base management system according to claim 16 , further comprising : first control means for reading said backup page table management table from the secondary storage unit when a system failure has arisen , and copying the data in said backup page table management table to said current page table management table ;
a second control means for reading said backup page table from the secondary storage unit when a system failure has arisen , changing the data in said backup page table such that the position information about the logical page pointing to both the shadow physical page and the latest physical page as a corresponding physical page can refer only to the shadow physical page , and copying obtained data (processing unit) in the page table to said current page table ;
and third control means for restoring the data base in said data base storage means to a state in which transactions being processed at a checkpoint and having been completed before an occurrence of the system failure , and transactions processed after the checkpoint and having been completed before the occurrence of the system failure are completed after redoing the transaction according to said current page table management table generated by said first control means , said current page table generated by said second control means , and the log information stored in said log file .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (obtained data) to determine whether each packet arrived via an authorized network interface .
US5724581A
CLAIM 19
. The data base management system according to claim 16 , further comprising : first control means for reading said backup page table management table from the secondary storage unit when a system failure has arisen , and copying the data in said backup page table management table to said current page table management table ;
a second control means for reading said backup page table from the secondary storage unit when a system failure has arisen , changing the data in said backup page table such that the position information about the logical page pointing to both the shadow physical page and the latest physical page as a corresponding physical page can refer only to the shadow physical page , and copying obtained data (processing unit) in the page table to said current page table ;
and third control means for restoring the data base in said data base storage means to a state in which transactions being processed at a checkpoint and having been completed before an occurrence of the system failure , and transactions processed after the checkpoint and having been completed before the occurrence of the system failure are completed after redoing the transaction according to said current page table management table generated by said first control means , said current page table generated by said second control means , and the log information stored in said log file .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (obtained data) to determine whether each packet contains an unauthorized IP address .
US5724581A
CLAIM 19
. The data base management system according to claim 16 , further comprising : first control means for reading said backup page table management table from the secondary storage unit when a system failure has arisen , and copying the data in said backup page table management table to said current page table management table ;
a second control means for reading said backup page table from the secondary storage unit when a system failure has arisen , changing the data in said backup page table such that the position information about the logical page pointing to both the shadow physical page and the latest physical page as a corresponding physical page can refer only to the shadow physical page , and copying obtained data (processing unit) in the page table to said current page table ;
and third control means for restoring the data base in said data base storage means to a state in which transactions being processed at a checkpoint and having been completed before an occurrence of the system failure , and transactions processed after the checkpoint and having been completed before the occurrence of the system failure are completed after redoing the transaction according to said current page table management table generated by said first control means , said current page table generated by said second control means , and the log information stored in said log file .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (obtained data) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
US5724581A
CLAIM 19
. The data base management system according to claim 16 , further comprising : first control means for reading said backup page table management table from the secondary storage unit when a system failure has arisen , and copying the data in said backup page table management table to said current page table management table ;
a second control means for reading said backup page table from the secondary storage unit when a system failure has arisen , changing the data in said backup page table such that the position information about the logical page pointing to both the shadow physical page and the latest physical page as a corresponding physical page can refer only to the shadow physical page , and copying obtained data (processing unit) in the page table to said current page table ;
and third control means for restoring the data base in said data base storage means to a state in which transactions being processed at a checkpoint and having been completed before an occurrence of the system failure , and transactions processed after the checkpoint and having been completed before the occurrence of the system failure are completed after redoing the transaction according to said current page table management table generated by said first control means , said current page table generated by said second control means , and the log information stored in said log file .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (obtained data) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US5724581A
CLAIM 19
. The data base management system according to claim 16 , further comprising : first control means for reading said backup page table management table from the secondary storage unit when a system failure has arisen , and copying the data in said backup page table management table to said current page table management table ;
a second control means for reading said backup page table from the secondary storage unit when a system failure has arisen , changing the data in said backup page table such that the position information about the logical page pointing to both the shadow physical page and the latest physical page as a corresponding physical page can refer only to the shadow physical page , and copying obtained data (processing unit) in the page table to said current page table ;
and third control means for restoring the data base in said data base storage means to a state in which transactions being processed at a checkpoint and having been completed before an occurrence of the system failure , and transactions processed after the checkpoint and having been completed before the occurrence of the system failure are completed after redoing the transaction according to said current page table management table generated by said first control means , said current page table generated by said second control means , and the log information stored in said log file .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (when data) .
US5724581A
CLAIM 1
. A data base management system comprising : a secondary storage unit having data base storing means for storing data divided into physical pages , each physical page corresponding one-to-one to a logical page ;
a current page table for managing position information about a latest physical page storing latest updated data and a shadow physical page storing the data before a latest update in each of the logical pages ;
a current page table management table for pointing to a shadow page table which is a copy of the current page table at a checkpoint , and a latest page table which is the current page table as updated after the checkpoint ;
blank physical page management means for managing unused physical pages in the secondary storage unit ;
first updating means which accesses said current page table management table when data (SCSI interface) in a logical page is updated by a transaction , said first updating means referring to management information about said blank physical page management means when a shadow page table does not exist corresponding to the page table containing the position information about the physical page corresponding to the logical page and obtaining an unused physical page , thereafter said first updating means copying the data in the latest updated page table to the physical page and enters the copied data in said current page table management table as the latest page table for the logical page and a page table before the latest update as the shadow page table , said first updating means updating said blank physical page management means to indicate the obtained physical page as being used , and checks the position information about the physical page corresponding to the logical page in said current page table according to the management information in said current page table management table , and refers to the management information in said blank physical page management means if the shadow physical page corresponding to the logical page does not exist according to the position information thereafter obtaining a presently unused physical page from said data base storing means and entering the unused physical page in said current page table as the latest physical page of the logical page ;
second updating means for writing the updated data of the logical page to the latest physical page corresponding to the logical page to be updated which is entered in said current page table by referring to said current page table updated by said first updating means , and changing the position information pointing to the shadow page corresponding to the logical page in said current page table such that the information points to the updated physical page ;
and third updating means for updating said blank physical page management means to indicate that the shadow physical page is unused .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (position information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5724581A
CLAIM 1
. A data base management system comprising : a secondary storage unit having data base storing means for storing data divided into physical pages , each physical page corresponding one-to-one to a logical page ;
a current page table for managing position information (network destination) about a latest physical page storing latest updated data and a shadow physical page storing the data before a latest update in each of the logical pages ;
a current page table management table for pointing to a shadow page table which is a copy of the current page table at a checkpoint , and a latest page table which is the current page table as updated after the checkpoint ;
blank physical page management means for managing unused physical pages in the secondary storage unit ;
first updating means which accesses said current page table management table when data in a logical page is updated by a transaction , said first updating means referring to management information about said blank physical page management means when a shadow page table does not exist corresponding to the page table containing the position information about the physical page corresponding to the logical page and obtaining an unused physical page , thereafter said first updating means copying the data in the latest updated page table to the physical page and enters the copied data in said current page table management table as the latest page table for the logical page and a page table before the latest update as the shadow page table , said first updating means updating said blank physical page management means to indicate the obtained physical page as being used , and checks the position information about the physical page corresponding to the logical page in said current page table according to the management information in said current page table management table , and refers to the management information in said blank physical page management means if the shadow physical page corresponding to the logical page does not exist according to the position information thereafter obtaining a presently unused physical page from said data base storing means and entering the unused physical page in said current page table as the latest physical page of the logical page ;
second updating means for writing the updated data of the logical page to the latest physical page corresponding to the logical page to be updated which is entered in said current page table by referring to said current page table updated by said first updating means , and changing the position information pointing to the shadow page corresponding to the logical page in said current page table such that the information points to the updated physical page ;
and third updating means for updating said blank physical page management means to indicate that the shadow physical page is unused .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (and log) of a plurality of protocols .
US5724581A
CLAIM 16
. The data base management system according to claim 8 , further comprising : a log file for recording log information of each transaction in the secondary storage unit ;
and log (requests comprise one) recording means for writing the log information of the transaction in the log file .
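
The checks recited in claims 12 through 16 and 22 of US7739302B2 above (the header carries a source address, a destination address and a route; the packet arrived via an authorized network interface; the packet does not contain an unauthorized IP address; the request is aimed at a proper port over the attached-device interface) read as an ordinary stateless packet filter running on the NAD or NAD server. The following is an added illustration written for this chart; it is not code from the patent or from either assignee. The policy values, the interface names, the use of TCP port 3260 as the NAD's service port and the sample packets are assumptions made for the example, and the "route" of the claims is modelled as the ingress interface.

```python
"""Packet-level access filter for a network attached device (NAD).

Added illustration, not the patent's code. It models the checks recited in
claims 12-16 and 22: inspect the IPv4 header of each request, confirm it
carries a source address, a destination address and a route (modelled as the
ingress interface), reject unauthorized addresses and interfaces, and admit
only requests aimed at the NAD's own service port. Policy values and the
sample packets are constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass

@dataclass
class Packet:
    """A received IP datagram plus the interface it arrived on (its 'route')."""
    raw: bytes
    ingress_iface: str

@dataclass
class NadPolicy:
    nad_address: ipaddress.IPv4Address
    allowed_sources: list      # networks permitted to reach the NAD
    authorized_ifaces: set     # interfaces the NAD accepts requests from
    service_ports: set         # TCP ports exposed over the attached-device interface

def parse_ipv4(raw: bytes):
    """Return (src, dst, proto, dst_port) from an IPv4 datagram, or None if malformed."""
    if len(raw) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(raw) < total_len:
        return None
    dst_port = None
    if proto in (6, 17) and total_len - ihl >= 4:   # TCP/UDP: ports follow the IP header
        _, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, dst_port)

def authorize(pkt: Packet, policy: NadPolicy):
    """Decide (allowed, reason) for one request; every check must pass."""
    hdr = parse_ipv4(pkt.raw)
    if hdr is None:
        return (False, "malformed header: no usable source, destination or route")
    src, dst, proto, dst_port = hdr
    if pkt.ingress_iface not in policy.authorized_ifaces:      # claim 13
        return (False, f"unauthorized interface {pkt.ingress_iface}")
    if dst != policy.nad_address:
        return (False, f"destination {dst} is not this NAD")
    if not any(src in net for net in policy.allowed_sources):   # claim 14
        return (False, f"unauthorized source {src}")
    if proto != 6 or dst_port not in policy.service_ports:     # claim 16
        return (False, f"proto {proto} port {dst_port} is not a NAD service port")
    return (True, f"{src} -> {dst}:{dst_port} via {pkt.ingress_iface}")

def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 datagram for the samples (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def tcp_syn(dst_port):
    """Minimal TCP header: source port 40000, SYN set, no options, no data."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 0x50, 0x02, 65535, 0, 0)

POLICY = NadPolicy(
    nad_address=ipaddress.IPv4Address("10.0.0.50"),
    allowed_sources=[ipaddress.ip_network("10.0.0.0/24")],
    authorized_ifaces={"eth0"},
    service_ports={3260},   # assumed: iSCSI as the NAD's storage service port
)

def sample_requests():
    """Constructed requests: one legitimate, the rest each failing one check."""
    syn = tcp_syn(3260)
    return {
        "lan client, eth0, port 3260": Packet(build_ipv4("10.0.0.7", "10.0.0.50", 6, syn), "eth0"),
        "external source via firewall": Packet(build_ipv4("203.0.113.9", "10.0.0.50", 6, syn), "eth0"),
        "lan client on unauthorized iface": Packet(build_ipv4("10.0.0.7", "10.0.0.50", 6, syn), "eth1"),
        "lan client, wrong port": Packet(build_ipv4("10.0.0.7", "10.0.0.50", 6, tcp_syn(22)), "eth0"),
        "truncated header": Packet(b"\x45\x00\x00", "eth0"),
    }

def evaluate_samples():
    """Map each sample name to its allow/deny decision."""
    return {name: authorize(pkt, POLICY)[0] for name, pkt in sample_requests().items()}

if __name__ == "__main__":
    for name, pkt in sample_requests().items():
        print(f"{name:34s} -> {authorize(pkt, POLICY)}")
```

A practical caveat for reading claims 13 and 14 together: a filter keyed on the source address alone is defeated by address spoofing from any host that can reach the NAD, so the interface check of claim 13 is what gives the source-address check of claim 14 its value. The example therefore applies both and rejects a packet as soon as one check fails.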
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5550984A

Filed: 1994-12-07     Issued: 1996-08-27

Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information

(Original Assignee) Panasonic Corp of North America     (Current Assignee) Panasonic Corp of North America

Edward J. Gelb
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (IP address) of a network source , an IP address of a network destination (original source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5550984A
CLAIM 1
. A security system for preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP communications , while permitting application level communication services between computers connected to said first and said second networks , comprising : a first network motherboard and a second network motherboard , said first and second network motherboards each having a network interface adapter for communication with said first and said second networks of computers , and for establishing a distinct subnetwork mask , respectively ;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard , said transfer adapters being identical and matched , each of said network motherboards having network operating software to assign a source address for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards , said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers , respectively , in IP protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards , whereby upper level layer protocol information and originating source and destination address information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard , and thence preventing unauthorized communications between computers connected to said first and said second computer networks ;
and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source (network destination) and destination address information , and the preventing of said routing services communications .

US5550984A
CLAIM 8
. The security system of claim 7 wherein each of said network motherboards independently establishes a distinct transport layer protocol TCP/IP address (IP address) .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address, address information, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5550984A
CLAIM 1
. A security system for preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP communications , while permitting application level communication services between computers connected to said first and said second networks , comprising : a first network motherboard and a second network motherboard , said first and second network motherboards each having a network interface adapter for communication with said first and said second networks of computers , and for establishing a distinct subnetwork mask , respectively ;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard , said transfer adapters being identical and matched , each of said network motherboards having network operating software to assign a source address (IP addresses) for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards , said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers , respectively , in IP protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards , whereby upper level layer protocol information and originating source and destination address (IP addresses) information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard , and thence preventing unauthorized communications between computers connected to said first and said second computer networks ;
and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source and destination address information , and the preventing of said routing services communications .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface) .
US5550984A
CLAIM 1
. A security system for preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP communications , while permitting application level communication services between computers connected to said first and said second networks , comprising : a first network motherboard and a second network motherboard , said first and second network motherboards each having a network interface (network interface) adapter for communication with said first and said second networks of computers , and for establishing a distinct subnetwork mask , respectively ;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard , said transfer adapters being identical and matched , each of said network motherboards having network operating software to assign a source address for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards , said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers , respectively , in IP protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards , whereby upper level layer protocol information and originating source and destination address information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard , and thence preventing unauthorized communications between computers connected to said first and said second computer networks ;
and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source and destination address information , and the preventing of said routing services communications .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address (IP address) of a network source , an IP address of a network destination (original source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5550984A
CLAIM 1
. A security system for preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP communications , while permitting application level communication services between computers connected to said first and said second networks , comprising : a first network motherboard and a second network motherboard , said first and second network motherboards each having a network interface adapter for communication with said first and said second networks of computers , and for establishing a distinct subnetwork mask , respectively ;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard , said transfer adapters being identical and matched , each of said network motherboards having network operating software to assign a source address for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards , said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers , respectively , in IP protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards , whereby upper level layer protocol information and originating source and destination address information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard , and thence preventing unauthorized communications between computers connected to said first and said second computer networks ;
and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source (network destination) and destination address information , and the preventing of said routing services communications .

US5550984A
CLAIM 8
. The security system of claim 7 wherein each of said network motherboards independently establishes a distinct transport layer protocol TCP/IP address (IP address) .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network interface) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (IP address) of a network source , an IP address of a network destination (original source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5550984A
CLAIM 1
. A security system for preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP communications , while permitting application level communication services between computers connected to said first and said second networks , comprising : a first network motherboard and a second network motherboard , said first and second network motherboards each having a network interface (network interface) adapter for communication with said first and said second networks of computers , and for establishing a distinct subnetwork mask , respectively ;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard , said transfer adapters being identical and matched , each of said network motherboards having network operating software to assign a source address for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards , said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers , respectively , in IP protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards , whereby upper level layer protocol information and originating source and destination address information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard , and thence preventing unauthorized communications between computers connected to said first and said second computer networks ;
and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source (network destination) and destination address information , and the preventing of said routing services communications .

US5550984A
CLAIM 8
. The security system of claim 7 wherein each of said network motherboards independently establishes a distinct transport layer protocol TCP/IP address (IP address) .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface) .
US5550984A
CLAIM 1
. A security system for preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP communications , while permitting application level communication services between computers connected to said first and said second networks , comprising : a first network motherboard and a second network motherboard , said first and second network motherboards each having a network interface (network interface) adapter for communication with said first and said second networks of computers , and for establishing a distinct subnetwork mask , respectively ;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard , said transfer adapters being identical and matched , each of said network motherboards having network operating software to assign a source address for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards , said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers , respectively , in IP protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards , whereby upper level layer protocol information and originating source and destination address information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard , and thence preventing unauthorized communications between computers connected to said first and said second computer networks ;
and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source and destination address information , and the preventing of said routing services communications .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit to determine whether each packet contains an unauthorized IP address (IP address) .
US5550984A
CLAIM 8
. The security system of claim 7 wherein each of said network motherboards independently establishes a distinct transport layer protocol TCP/IP address (IP address) .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (up information) device , the selectively generated packet containing the request for access to the directly attached device .
US5550984A
CLAIM 5
. The security system of claim 1 wherein each of said network motherboards includes a magnetic storage device and means for periodically backing up information (intermediary computing) from each said magnetic storage device to each other said magnetic storage device .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (storage devices) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address (IP address) of a network source , an IP address of a network destination (original source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5550984A
CLAIM 1
. A security system for preventing unauthorized communications between a first network of computers interconnected for Internet Protocol (IP) communications and a second network of computers interconnected for IP communications , while permitting application level communication services between computers connected to said first and said second networks , comprising : a first network motherboard and a second network motherboard , said first and second network motherboards each having a network interface adapter for communication with said first and said second networks of computers , and for establishing a distinct subnetwork mask , respectively ;
each of said network motherboards further having a transfer adapter for communication with said transfer adapter of said other network motherboard , said transfer adapters being identical and matched , each of said network motherboards having network operating software to assign a source address for IP protocol communication in accordance with a subnetwork mask established for one of said network motherboards which is different from the subnetwork mask established for the other of said network motherboards , said network operating software further including protocol conversion software to translate communications received by each said network interface adapter from said first or said second networks of computers , respectively , in IP protocol format to non-IP protocol format for transmission between the transfer adapters of said first and said second network motherboards , whereby upper level layer protocol information and originating source and destination address information are removed from said communication and routing services communications from said first and second computer networks are prevented from being passed between said network interface adapter and said transfer adapter of each said network motherboard , and thence preventing unauthorized communications between computers connected to said first and said second computer networks ;
and at least one of said network motherboards having application programming interface (API) shim software for providing application level communication services to the computers connected to said at least one network motherboard notwithstanding the removal of said original source (network destination) and destination address information , and the preventing of said routing services communications .

US5550984A
CLAIM 6
. The security system of claim 5 wherein said magnetic storage devices (receiving requests) are of equal capacity .

US5550984A
CLAIM 8
. The security system of claim 7 wherein each of said network motherboards independently establishes a distinct transport layer protocol TCP/IP address (IP address) .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5689645A

Filed: 1994-12-01     Issued: 1997-11-18

Persistence specification system and method for producing persistent and transient submaps in a management station for a data communication network

(Original Assignee) HP Inc     (Current Assignee) Hewlett Packard Development Co LP

Robert Dwight Schettler, William Girard McCollom, David M. Haimson
US7739302B2
CLAIM 1
. A network arrangement (processing time) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation and a persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprises a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US5689645A
CLAIM 13
. A computer readable medium having a program for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , comprising : a topology database for storing topology data pertaining to devices and device interconnections of said network (NAD server) ;
a map database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation and a persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprises a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input ;
said persistent specification mechanism being configured to provide supplemental information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 2
. The network arrangement (processing time) of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs (processing time) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation and a persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprises a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US5689645A
CLAIM 13
. A computer readable medium having a program for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , comprising : a topology database for storing topology data pertaining to devices and device interconnections of said network (NAD server) ;
a map database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation and a persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprises a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input ;
said persistent specification mechanism being configured to provide supplemental information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 3
. The network arrangement (processing time) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation and a persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprises a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 4
. The network arrangement (processing time) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation and a persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprises a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 5
. A local area network arrangement (processing time) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation an persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprise a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 6
. The network arrangement (processing time) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation an persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprise a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 7
. The network arrangement (processing time) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation an persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprise a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 8
. The network arrangement (processing time) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation an persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprise a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 9
. The network arrangement (processing time) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5689645A
CLAIM 6
. A persistence specification system for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , while memory requirements and processing time (network arrangement, network protocol programs) are minimized , comprising : a topology database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation an persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprise a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input : said persistence specification mechanism being configured to advise said integrating application of said persistent objects ;
and said integrating application being configured to provide supplemental display information to said graphical user interface based upon said persistent objects .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path (computer readable medium) to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5689645A
CLAIM 13
. A computer readable medium (communication path) having a program for enhancing intercommunication between an integrating application and a graphical user interface so that more information concerning a network is provided to a user , comprising : a topology database for storing topology data pertaining to devices and device interconnections of said network ;
a map database for storing a plurality of submaps of map data for a graphical user interface , said submaps for driving a display ;
a translator configured to convert said topology data from said topology database to map data for said map database , said translator configured to generate submaps from said map data for said graphical user interface for driving said display ;
a persistence specification mechanism associated with said translator , said persistence specification mechanism configured to evaluate objects within said map data and configured to specify each object as persistent and , alternatively , as transient , based upon said object evaluation and a persistence input pertaining to said objects , said persistence mechanism configured to evaluate each said submap and configured to specify a submap as persistent and , alternatively , as transient , based upon said submap evaluation , said submap being specified as persistent when said submap comprises a persistent object , said submap being specified as transient when said submap comprises no persistent object ;
and said translator configured to generate and continuously maintain said persistent submaps within said map database , said translator configured to generate and temporarily maintain said transient submaps upon receiving a user prompt for a temporary time period corresponding with said user prompt ;
said integrating application in communication with said persistence specification mechanism for generating said persistence input ;
said persistent specification mechanism being configured to provide supplemental information to said graphical user interface based upon said persistent objects .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5551025A

Filed: 1994-11-30     Issued: 1996-08-27

Relational database system for storing different types of data

(Original Assignee) MCI Communications Corp     (Current Assignee) Verizon Patent and Licensing Inc

Daniel L. O'Reilly, Matthew J. Brazier
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5551025A
CLAIM 3
. The method of claim 1 , further comprising the steps of : retrieving reference data collected by said traffic data collection system ;
grouping the reference data into respective sets of customer data required for generating reports to be provided to subscribers of said network (NAD server) ;
and storing the respective sets of customer data into corresponding files in said slower storage means .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5551025A
CLAIM 3
. The method of claim 1 , further comprising the steps of : retrieving reference data collected by said traffic data collection system ;
grouping the reference data into respective sets of customer data required for generating reports to be provided to subscribers of said network (NAD server) ;
and storing the respective sets of customer data into corresponding files in said slower storage means .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (predefined time period) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (address data) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5551025A
CLAIM 1
. In a telecommunications network , a method of storing data , comprising the steps of : (a) retrieving from a traffic data collection system statistics data collected by said traffic data collection system ;
(b) grouping the statistics data into different types of statistics data ;
(c) routing each of the different types of statistics data to its own file storage in a fast response storage means ;
(d) retrieving from each said file storage in said fast response storage means at predetermined periodic time periods respective stored sets of said different types of statistics data ;
and (e) storing each said stored set of respective said different types of statistics data to a slower response storage means at a predefined time period (data management component) for longer term storage .

US5551025A
CLAIM 4
. The method of claim 1 , wherein said traffic data collection system collects reference data from said network , said reference data including customer phone number data , report data , delivery address data (IP addresses) for reports , ncode mapping data , and country and state mapping data , said method further comprising the step of : storing said reference data into respective storage files corresponding to at least said phone number data , report data , delivery address data , ncode mapping data , and country and state mapping data .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access (slower response) to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5551025A
CLAIM 1
. In a telecommunications network , a method of storing data , comprising the steps of : (a) retrieving from a traffic data collection system statistics data collected by said traffic data collection system ;
(b) grouping the statistics data into different types of statistics data ;
(c) routing each of the different types of statistics data to its own file storage in a fast response storage means ;
(d) retrieving from each said file storage in said fast response storage means at predetermined periodic time periods respective stored sets of said different types of statistics data ;
and (e) storing each said stored set of respective said different types of statistics data to a slower response (providing network access) storage means at a predefined time period for longer term storage .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5778377A

Filed: 1994-11-04     Issued: 1998-07-07

Table driven graphical user interface

(Original Assignee) International Business Machines Corp     (Current Assignee) Lenovo Singapore Pte Ltd

James Warden Marlin, Raymond Lowell Knudson, Thomas Michael Ruehle, Anthony Franke Stuart, Edward Thomas Hughes, III
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (corresponding data element) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5778377A
CLAIM 1
. A table driven graphical user interface (GUI) method for producing a display at a local node on a network , said display being defined at said local node by a user of the GUI generating a report definition comprising row blocks and column blocks , said table driven GUI method providing for machine-implemented steps comprising : providing for the utilization of a Desktop Management Interface (DMI) at a node on said network (NAD server) with an object-oriented database wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes selected for display ;
providing for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said GUI ;
providing for requesting data from said object-oriented database through said DMI to find a first component therein which matches with a report row definition , establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for requesting data from said database through said DMI to find a next component therein and if it matches with a report row definition , adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for continuing to request data from said database until all report row definitions are processed ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of the first row instance in said row instance array with the report column definitions of components , groups and attributes to add elements for said display in accordance with said report definitions ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of a next row instance in said row instance array with report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and providing for continuing to search said database until all column definitions in said report definition have been processed .

US5778377A
CLAIM 14
. The system of claim 13 further including means for periodically polling said column definitions in said parse table and requesting matches from said database , means for comparing data requested from said database with corresponding data elements (IP address) in said view table and , if changed , means for replacing said corresponding data elements .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs (id attribute) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5778377A
CLAIM 1
. A table driven graphical user interface (GUI) method for producing a display at a local node on a network , said display being defined at said local node by a user of the GUI generating a report definition comprising row blocks and column blocks , said table driven GUI method providing for machine-implemented steps comprising : providing for the utilization of a Desktop Management Interface (DMI) at a node on said network (NAD server) with an object-oriented database wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes (network protocol programs) selected for display ;
providing for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said GUI ;
providing for requesting data from said object-oriented database through said DMI to find a first component therein which matches with a report row definition , establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for requesting data from said database through said DMI to find a next component therein and if it matches with a report row definition , adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for continuing to request data from said database until all report row definitions are processed ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of the first row instance in said row instance array with the report column definitions of components , groups and attributes to add elements for said display in accordance with said report definitions ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of a next row instance in said row instance array with report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and providing for continuing to search said database until all column definitions in said report definition have been processed .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address (corresponding data element) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5778377A
CLAIM 14
. The system of claim 13 further including means for periodically polling said column definitions in said parse table and requesting matches from said database , means for comparing data requested from said database with corresponding data elements (IP address) in said view table and , if changed , means for replacing said corresponding data elements .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (first row) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (requested data) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (corresponding data element) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5778377A
CLAIM 1
. A table driven graphical user interface (GUI) method for producing a display at a local node on a network , said display being defined at said local node by a user of the GUI generating a report definition comprising row blocks and column blocks , said table driven GUI method providing for machine-implemented steps comprising : providing for the utilization of a Desktop Management Interface (DMI) at a node on said network with an object-oriented database wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes selected for display ;
providing for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said GUI ;
providing for requesting data from said object-oriented database through said DMI to find a first component therein which matches with a report row definition , establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for requesting data from said database through said DMI to find a next component therein and if it matches with a report row definition , adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for continuing to request data from said database until all report row definitions are processed ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of the first row (processing unit) instance in said row instance array with the report column definitions of components , groups and attributes to add elements for said display in accordance with said report definitions ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of a next row instance in said row instance array with report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and providing for continuing to search said database until all column definitions in said report definition have been processed .

US5778377A
CLAIM 4
. The method of claim 1 further including the step of providing for the updating of data in said view table through the GUI performed steps of : allocating an appropriately sized buffer ;
initializing request parameters ;
invoking said DMI with said requests ;
receiving requested data (storing instructions) in said buffer ;
and comparing received data in said buffer with data in said view table and , if changed , updating said view table .

US5778377A
CLAIM 14
. The system of claim 13 further including means for periodically polling said column definitions in said parse table and requesting matches from said database , means for comparing data requested from said database with corresponding data elements (IP address) in said view table and , if changed , means for replacing said corresponding data elements .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (first row) to determine whether each packet arrived via an authorized network interface .
US5778377A
CLAIM 1
. A table driven graphical user interface (GUI) method for producing a display at a local node on a network , said display being defined at said local node by a user of the GUI generating a report definition comprising row blocks and column blocks , said table driven GUI method providing for machine-implemented steps comprising : providing for the utilization of a Desktop Management Interface (DMI) at a node on said network with an object-oriented database wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes selected for display ;
providing for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said GUI ;
providing for requesting data from said object-oriented database through said DMI to find a first component therein which matches with a report row definition , establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for requesting data from said database through said DMI to find a next component therein and if it matches with a report row definition , adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for continuing to request data from said database until all report row definitions are processed ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of the first row (processing unit) instance in said row instance array with the report column definitions of components , groups and attributes to add elements for said display in accordance with said report definitions ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of a next row instance in said row instance array with report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and providing for continuing to search said database until all column definitions in said report definition have been processed .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (first row) to determine whether each packet contains an unauthorized IP address (corresponding data element) .
US5778377A
CLAIM 1
. A table driven graphical user interface (GUI) method for producing a display at a local node on a network , said display being defined at said local node by a user of the GUI generating a report definition comprising row blocks and column blocks , said table driven GUI method providing for machine-implemented steps comprising : providing for the utilization of a Desktop Management Interface (DMI) at a node on said network with an object-oriented database wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes selected for display ;
providing for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said GUI ;
providing for requesting data from said object-oriented database through said DMI to find a first component therein which matches with a report row definition , establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for requesting data from said database through said DMI to find a next component therein and if it matches with a report row definition , adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for continuing to request data from said database until all report row definitions are processed ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of the first row (processing unit) instance in said row instance array with the report column definitions of components , groups and attributes to add elements for said display in accordance with said report definitions ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of a next row instance in said row instance array with report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and providing for continuing to search said database until all column definitions in said report definition have been processed .

US5778377A
CLAIM 14
. The system of claim 13 further including means for periodically polling said column definitions in said parse table and requesting matches from said database , means for comparing data requested from said database with corresponding data elements (IP address) in said view table and , if changed , means for replacing said corresponding data elements .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (first row) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
US5778377A
CLAIM 1
. A table driven graphical user interface (GUI) method for producing a display at a local node on a network , said display being defined at said local node by a user of the GUI generating a report definition comprising row blocks and column blocks , said table driven GUI method providing for machine-implemented steps comprising : providing for the utilization of a Desktop Management Interface (DMI) at a node on said network with an object-oriented database wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes selected for display ;
providing for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said GUI ;
providing for requesting data from said object-oriented database through said DMI to find a first component therein which matches with a report row definition , establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for requesting data from said database through said DMI to find a next component therein and if it matches with a report row definition , adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for continuing to request data from said database until all report row definitions are processed ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of the first row (processing unit) instance in said row instance array with the report column definitions of components , groups and attributes to add elements for said display in accordance with said report definitions ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of a next row instance in said row instance array with report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and providing for continuing to search said database until all column definitions in said report definition have been processed .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (first row) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US5778377A
CLAIM 1
. A table driven graphical user interface (GUI) method for producing a display at a local node on a network , said display being defined at said local node by a user of the GUI generating a report definition comprising row blocks and column blocks , said table driven GUI method providing for machine-implemented steps comprising : providing for the utilization of a Desktop Management Interface (DMI) at a node on said network with an object-oriented database wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes selected for display ;
providing for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said GUI ;
providing for requesting data from said object-oriented database through said DMI to find a first component therein which matches with a report row definition , establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for requesting data from said database through said DMI to find a next component therein and if it matches with a report row definition , adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for continuing to request data from said database until all report row definitions are processed ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of the first row (processing unit) instance in said row instance array with the report column definitions of components , groups and attributes to add elements for said display in accordance with said report definitions ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of a next row instance in said row instance array with report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and providing for continuing to search said database until all column definitions in said report definition have been processed .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (said column) .
US5778377A
CLAIM 9
. A table driven graphical user interface system for producing a display at a local node on a network , said display being defined at said local node by the user of the GUI in a report definition comprised of row blocks and column blocks , said system comprising : a Desktop Management Interface (DMI) and an object-oriented database at a node on said network wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes for display ;
means for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said Desktop Management Interface system ;
means for requesting data through said DMI from said object-oriented database to find a first component therein and means for comparing said first component with a report row definition , if a match is found , means for establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes in accordance with said report definition ;
means for requesting data through said DMI from said database to find a next component therein and means for matching said next component with a report row definition , and if a match is found , means for adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes in accordance with said report definition ;
means for continuing to search data from said database until all report row definitions have been processed ;
means for requesting data through said DMI from said database to find elements for said view table , and comparing the attributes of said first row instance with said column (network protocols) definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
means for requesting data through said DMI from said database to find elements for said view table by matching the attributes of a next row instance in said row instance array with said report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and means for continuing to search said database until all column definitions have been processed .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (said column) is TCP/IP .
US5778377A
CLAIM 9
. A table driven graphical user interface system for producing a display at a local node on a network , said display being defined at said local node by the user of the GUI in a report definition comprised of row blocks and column blocks , said system comprising : a Desktop Management Interface (DMI) and an object-oriented database at a node on said network wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes for display ;
means for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said Desktop Management Interface system ;
means for requesting data through said DMI from said object-oriented database to find a first component therein and means for comparing said first component with a report row definition , if a match is found , means for establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes in accordance with said report definition ;
means for requesting data through said DMI from said database to find a next component therein and means for matching said next component with a report row definition , and if a match is found , means for adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes in accordance with said report definition ;
means for continuing to search data from said database until all report row definitions have been processed ;
means for requesting data through said DMI from said database to find elements for said view table , and comparing the attributes of said first row instance with said column (network protocols) definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
means for requesting data through said DMI from said database to find elements for said view table by matching the attributes of a next row instance in said row instance array with said report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and means for continuing to search said database until all column definitions have been processed .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data request) .
US5778377A
CLAIM 14
. The system of claim 13 further including means for periodically polling said column definitions in said parse table and requesting matches from said database , means for comparing data requested (SCSI interface) from said database with corresponding data elements in said view table and , if changed , means for replacing said corresponding data elements .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (request data) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address (corresponding data element) of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5778377A
CLAIM 1
. A table driven graphical user interface (GUI) method for producing a display at a local node on a network , said display being defined at said local node by a user of the GUI generating a report definition comprising row blocks and column blocks , said table driven GUI method providing for machine-implemented steps comprising : providing for the utilization of a Desktop Management Interface (DMI) at a node on said network with an object-oriented database wherein objects are organized according to DMI standards with components in an object class , manageable attributes that have values associated with each component , and groups organizing similar attributes of the component , said row blocks and column blocks specifying those of said components , said groups and said attributes selected for display ;
providing for parsing said report definition into report row definitions and report column definitions to build a parse table for driving said GUI ;
providing for requesting data from said object-oriented database through said DMI to find a first component therein which matches with a report row definition , establishing a row instance array for a view table by getting row instances for said first component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for requesting data from said database through said DMI to find a next component therein and if it matches with a report row definition , adding row instances to said row instance array by getting row instances for said next component including matches of groups and attributes to add row instances for said display in accordance with said report definition ;
providing for continuing to request data (receiving requests) from said database until all report row definitions are processed ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of the first row instance in said row instance array with the report column definitions of components , groups and attributes to add elements for said display in accordance with said report definitions ;
providing for requesting data from said database through said DMI to find elements for said view table by matching the attributes of a next row instance in said row instance array with report column definitions including matches of components , groups and attributes to add elements for said display in accordance with said report definitions ;
and providing for continuing to search said database until all column definitions in said report definition have been processed .

US5778377A
CLAIM 14
. The system of claim 13 further including means for periodically polling said column definitions in said parse table and requesting matches from said database , means for comparing data requested from said database with corresponding data elements (IP address) in said view table and , if changed , means for replacing said corresponding data elements .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (data request) .
US5778377A
CLAIM 14
. The system of claim 13 further including means for periodically polling said column definitions in said parse table and requesting matches from said database , means for comparing data requested (SCSI interface) from said database with corresponding data elements in said view table and , if changed , means for replacing said corresponding data elements .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5586269A

Filed: 1994-11-02     Issued: 1996-12-17

Communication control device and method for automatically determining a self-address

(Original Assignee) Panasonic Corp; Koninklijke Philips NV     (Current Assignee) Panasonic Corp ; Koninklijke Philips NV

Seiichi Kubo
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5586269A
CLAIM 1
. A communication control device for an information (network destination) transmission system in which a plurality of communication control devices are used , comprising : a first storage means for storing all of a plurality of candidate values which are adoptable as a self-address of said communication control device ;
a process means for selecting one of said candidate values which is unused by another device in the system as the self-address of said communication control device ;
and a second storage means for initially storing an initial value to indicate that the self-address of said communication control device has not been selected , and for subsequently storing the selected candidate value , wherein said process means comprises : a judgment means for judging whether said initial value is stored in said second storage means ;
a transmission means for sending to said information transmission system at least one signal in which each of said candidate values is set to a destination address in accordance with a pre-ordered sequence , one candidate value at a time , when said judgment means judges that said initial value is stored in said second storage means ;
and a decision means for selecting a candidate value to be the self-address of said communication control device , if no response is obtained from said information transmission system .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (nonvolatile memory) .
US5586269A
CLAIM 1
. A communication control device for an information transmission system in which a plurality of communication control devices are used , comprising : a first storage means for storing all of a plurality of candidate values which are adoptable as a self-address of said communication control device ;
a process means for selecting one of said candidate values which is unused by another device in the system as the self-address of said communication control device ;
and a second storage means for initially storing an initial value to indicate that the self-address of said communication control device has not been selected , and for subsequently storing the selected candidate value , wherein said process means comprises : a judgment means (network clients having different operating systems) for judging whether said initial value is stored in said second storage means ;
a transmission means for sending to said information transmission system at least one signal in which each of said candidate values is set to a destination address in accordance with a pre-ordered sequence , one candidate value at a time , when said judgment means judges that said initial value is stored in said second storage means ;
and a decision means for selecting a candidate value to be the self-address of said communication control device , if no response is obtained from said information transmission system .

US5586269A
CLAIM 3
. A communication control device according to claim 1 wherein said second storage means is a nonvolatile memory (different operating, managing access) in which information is writable and readable .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5586269A
CLAIM 1
. A communication control device for an information transmission system in which a plurality of communication control devices are used , comprising : a first storage means for storing all of a plurality of candidate values which are adoptable as a self-address of said communication control device ;
a process means for selecting one of said candidate values which is unused by another device in the system as the self-address of said communication control device ;
and a second storage means for initially storing an initial value to indicate that the self-address of said communication control device has not been selected , and for subsequently storing the selected candidate value , wherein said process means comprises : a judgment means for judging whether said initial value is stored in said second storage means ;
a transmission means for sending to said information transmission system at least one signal in which each of said candidate values is set to a destination address (IP addresses) in accordance with a pre-ordered sequence , one candidate value at a time , when said judgment means judges that said initial value is stored in said second storage means ;
and a decision means for selecting a candidate value to be the self-address of said communication control device , if no response is obtained from said information transmission system .

US7739302B2
CLAIM 10
. A system for managing access (nonvolatile memory) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5586269A
CLAIM 1
. A communication control device for an information (network destination) transmission system in which a plurality of communication control devices are used , comprising : a first storage means for storing all of a plurality of candidate values which are adoptable as a self-address of said communication control device ;
a process means for selecting one of said candidate values which is unused by another device in the system as the self-address of said communication control device ;
and a second storage means for initially storing an initial value to indicate that the self-address of said communication control device has not been selected , and for subsequently storing the selected candidate value , wherein said process means comprises : a judgment means for judging whether said initial value is stored in said second storage means ;
a transmission means for sending to said information transmission system at least one signal in which each of said candidate values is set to a destination address in accordance with a pre-ordered sequence , one candidate value at a time , when said judgment means judges that said initial value is stored in said second storage means ;
and a decision means for selecting a candidate value to be the self-address of said communication control device , if no response is obtained from said information transmission system .

US5586269A
CLAIM 3
. A communication control device according to claim 1 wherein said second storage means is a nonvolatile memory (different operating, managing access) in which information is writable and readable .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5586269A
CLAIM 1
. A communication control device for an information (network destination) transmission system in which a plurality of communication control devices are used , comprising : a first storage means for storing all of a plurality of candidate values which are adoptable as a self-address of said communication control device ;
a process means for selecting one of said candidate values which is unused by another device in the system as the self-address of said communication control device ;
and a second storage means for initially storing an initial value to indicate that the self-address of said communication control device has not been selected , and for subsequently storing the selected candidate value , wherein said process means comprises : a judgment means for judging whether said initial value is stored in said second storage means ;
a transmission means for sending to said information transmission system at least one signal in which each of said candidate values is set to a destination address in accordance with a pre-ordered sequence , one candidate value at a time , when said judgment means judges that said initial value is stored in said second storage means ;
and a decision means for selecting a candidate value to be the self-address of said communication control device , if no response is obtained from said information transmission system .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means (control device) for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5586269A
CLAIM 1
. A communication control device (filtering comprises means) for an information (network destination) transmission system in which a plurality of communication control devices are used , comprising : a first storage means for storing all of a plurality of candidate values which are adoptable as a self-address of said communication control device ;
a process means for selecting one of said candidate values which is unused by another device in the system as the self-address of said communication control device ;
and a second storage means for initially storing an initial value to indicate that the self-address of said communication control device has not been selected , and for subsequently storing the selected candidate value , wherein said process means comprises : a judgment means for judging whether said initial value is stored in said second storage means ;
a transmission means for sending to said information transmission system at least one signal in which each of said candidate values is set to a destination address in accordance with a pre-ordered sequence , one candidate value at a time , when said judgment means judges that said initial value is stored in said second storage means ;
and a decision means for selecting a candidate value to be the self-address of said communication control device , if no response is obtained from said information transmission system .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access (nonvolatile memory) to the NAD over a device interface if the request is allowed .
US5586269A
CLAIM 3
. A communication control device according to claim 1 wherein said second storage means is a nonvolatile memory (different operating, managing access) in which information is writable and readable .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5526257A

Filed: 1994-10-31     Issued: 1996-06-11

Product evaluation system

(Original Assignee) Finlay Fine Jewelry Corp     (Current Assignee) Finlay Fine Jewelry Corp

Sam Lerner
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second data structure) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5526257A
CLAIM 19
. A memory storing data for access by a product evaluation application program being executed on a data processing system , the product evaluation application program evaluating a comparative level of success of products , comprising : a first data structure stored in said memory , said first data structure including first information resident in a database used by said application program and including : class specific data objects indicating a first broadest classification of the products with respect to design ;
category specific data objects indicating a second classification of the products , wherein a plurality of categories correspond to a class , establishing a first hierarchy between the category and class specific data objects ;
and style specific data objects indicating a third classification of the products , wherein a plurality of styles correspond to a category , establishing a second hierarchy between the category and style specific data objects ;
a second data structure (data packet) stored in said memory , said second data structure including second information resident in the database used by said application program and including : company specific data objects indicating a fourth broadest classification of the products with respect to entity ;
vendor and group specific data objects indicating a fifth classification of the products , wherein a plurality of vendors and groups correspond to a company , establishing a third hierarchy between the company and the vendor and group specific data objects ;
branch specific data objects indicating a sixth classification of the products , wherein a plurality of branches correspond to a group , establishing a fourth hierarchy between the vendor and group specific data objects and the branch specific data objects , wherein said data processing system executes the product evaluation application program evaluating a comparative level of success of products by accessing said memory storing the data including the first and second data structures , and generating an evaluation result .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (second data structure) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5526257A
CLAIM 19
. A memory storing data for access by a product evaluation application program being executed on a data processing system , the product evaluation application program evaluating a comparative level of success of products , comprising : a first data structure stored in said memory , said first data structure including first information resident in a database used by said application program and including : class specific data objects indicating a first broadest classification of the products with respect to design ;
category specific data objects indicating a second classification of the products , wherein a plurality of categories correspond to a class , establishing a first hierarchy between the category and class specific data objects ;
and style specific data objects indicating a third classification of the products , wherein a plurality of styles correspond to a category , establishing a second hierarchy between the category and style specific data objects ;
a second data structure (data packet) stored in said memory , said second data structure including second information resident in the database used by said application program and including : company specific data objects indicating a fourth broadest classification of the products with respect to entity ;
vendor and group specific data objects indicating a fifth classification of the products , wherein a plurality of vendors and groups correspond to a company , establishing a third hierarchy between the company and the vendor and group specific data objects ;
branch specific data objects indicating a sixth classification of the products , wherein a plurality of branches correspond to a group , establishing a fourth hierarchy between the vendor and group specific data objects and the branch specific data objects , wherein said data processing system executes the product evaluation application program evaluating a comparative level of success of products by accessing said memory storing the data including the first and second data structures , and generating an evaluation result .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second data structure) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5526257A
CLAIM 19
. A memory storing data for access by a product evaluation application program being executed on a data processing system , the product evaluation application program evaluating a comparative level of success of products , comprising : a first data structure stored in said memory , said first data structure including first information resident in a database used by said application program and including : class specific data objects indicating a first broadest classification of the products with respect to design ;
category specific data objects indicating a second classification of the products , wherein a plurality of categories correspond to a class , establishing a first hierarchy between the category and class specific data objects ;
and style specific data objects indicating a third classification of the products , wherein a plurality of styles correspond to a category , establishing a second hierarchy between the category and style specific data objects ;
a second data structure (data packet) stored in said memory , said second data structure including second information resident in the database used by said application program and including : company specific data objects indicating a fourth broadest classification of the products with respect to entity ;
vendor and group specific data objects indicating a fifth classification of the products , wherein a plurality of vendors and groups correspond to a company , establishing a third hierarchy between the company and the vendor and group specific data objects ;
branch specific data objects indicating a sixth classification of the products , wherein a plurality of branches correspond to a group , establishing a fourth hierarchy between the vendor and group specific data objects and the branch specific data objects , wherein said data processing system executes the product evaluation application program evaluating a comparative level of success of products by accessing said memory storing the data including the first and second data structures , and generating an evaluation result .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data structure) arrived via an authorized network interface .
US5526257A
CLAIM 19
. A memory storing data for access by a product evaluation application program being executed on a data processing system , the product evaluation application program evaluating a comparative level of success of products , comprising : a first data structure stored in said memory , said first data structure including first information resident in a database used by said application program and including : class specific data objects indicating a first broadest classification of the products with respect to design ;
category specific data objects indicating a second classification of the products , wherein a plurality of categories correspond to a class , establishing a first hierarchy between the category and class specific data objects ;
and style specific data objects indicating a third classification of the products , wherein a plurality of styles correspond to a category , establishing a second hierarchy between the category and style specific data objects ;
a second data structure (data packet) stored in said memory , said second data structure including second information resident in the database used by said application program and including : company specific data objects indicating a fourth broadest classification of the products with respect to entity ;
vendor and group specific data objects indicating a fifth classification of the products , wherein a plurality of vendors and groups correspond to a company , establishing a third hierarchy between the company and the vendor and group specific data objects ;
branch specific data objects indicating a sixth classification of the products , wherein a plurality of branches correspond to a group , establishing a fourth hierarchy between the vendor and group specific data objects and the branch specific data objects , wherein said data processing system executes the product evaluation application program evaluating a comparative level of success of products by accessing said memory storing the data including the first and second data structures , and generating an evaluation result .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (second data structure) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5526257A
CLAIM 19
. A memory storing data for access by a product evaluation application program being executed on a data processing system , the product evaluation application program evaluating a comparative level of success of products , comprising : a first data structure stored in said memory , said first data structure including first information resident in a database used by said application program and including : class specific data objects indicating a first broadest classification of the products with respect to design ;
category specific data objects indicating a second classification of the products , wherein a plurality of categories correspond to a class , establishing a first hierarchy between the category and class specific data objects ;
and style specific data objects indicating a third classification of the products , wherein a plurality of styles correspond to a category , establishing a second hierarchy between the category and style specific data objects ;
a second data structure (data packet) stored in said memory , said second data structure including second information resident in the database used by said application program and including : company specific data objects indicating a fourth broadest classification of the products with respect to entity ;
vendor and group specific data objects indicating a fifth classification of the products , wherein a plurality of vendors and groups correspond to a company , establishing a third hierarchy between the company and the vendor and group specific data objects ;
branch specific data objects indicating a sixth classification of the products , wherein a plurality of branches correspond to a group , establishing a fourth hierarchy between the vendor and group specific data objects and the branch specific data objects , wherein said data processing system executes the product evaluation application program evaluating a comparative level of success of products by accessing said memory storing the data including the first and second data structures , and generating an evaluation result .
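
The claims of US7739302B2 charted above (claims 1, 4, 5, 6 and 9 in particular) recite a concrete mechanism: a firewall management component inside the NAD parses the header of each incoming data packet, checks that the source, destination and route information is complete, filters on the IP addresses in the header, checks the inbound interface, and passes authorized packets to the proper NAD port. The following Python is an added illustration of those header checks; it is not code from the patent, from the claim chart, or from either assignee. The NAD address, the authorized source network, the interface name, the service-port table and the packet builder are all assumptions made for this example, and the sample packets are constructed inline.

```python
"""Added example: a minimal NAD-side packet filter of the kind the charted claims describe.
Policy values below are hypothetical; nothing here is taken from the patent's disclosure."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# --- Hypothetical policy for the example --------------------------------------
NAD_ADDRESS = ipaddress.ip_address("192.168.1.50")          # the NAD's own address
AUTHORIZED_SOURCES = [ipaddress.ip_network("192.168.1.0/24")]  # clients allowed to reach it
AUTHORIZED_INTERFACES = {"eth0"}                             # LAN-facing interface only
NAD_PORTS = {445: "smb", 2049: "nfs", 3260: "iscsi"}         # services the NAD exposes

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPOPT_LSRR, IPOPT_SSRR = 131, 137                            # IP source-routing options


@dataclass
class Decision:
    authorized: bool
    reason: str
    port: Optional[int] = None   # service port the packet is passed to when authorized


def parse_ipv4(pkt: bytes) -> Optional[dict]:
    """Return the header fields the filter needs, or None if the header is incomplete."""
    if len(pkt) < 20:
        return None
    vihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    # Reject anything whose header claims more bytes than were actually received.
    if (vihl >> 4) != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl or len(pkt) < total_len:
        return None
    return {"proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "options": pkt[20:ihl], "payload": pkt[ihl:total_len]}


def carries_source_route(options: bytes) -> Optional[bool]:
    """True if an LSRR/SSRR option is present, False if not, None if the option list is malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # End of Option List
            return False
        if kind == 1:                     # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return None                   # length byte missing or runs past the header
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        i += options[i + 1]
    return False


def authorize(pkt: bytes, inbound_iface: str) -> Decision:
    """Apply the header checks in order; the first failing check denies the request."""
    hdr = parse_ipv4(pkt)
    if hdr is None:                                   # completeness check (cf. claim 4)
        return Decision(False, "incomplete or malformed IP header")
    routed = carries_source_route(hdr["options"])     # route information (cf. claims 1, 5)
    if routed is None:
        return Decision(False, "malformed IP options")
    if routed:
        return Decision(False, "source-routed packet")
    if inbound_iface not in AUTHORIZED_INTERFACES:    # arrival interface (cf. claim 6)
        return Decision(False, f"arrived on unauthorized interface {inbound_iface}")
    src, dst = hdr["src"], hdr["dst"]                 # IP address filtering (cf. claims 1, 5)
    if src.is_unspecified or src.is_multicast or src.is_loopback \
            or not any(src in net for net in AUTHORIZED_SOURCES):
        return Decision(False, f"source {src} not authorized")
    if dst != NAD_ADDRESS:
        return Decision(False, f"destination {dst} is not this NAD")
    if hdr["proto"] not in (IPPROTO_TCP, IPPROTO_UDP) or len(hdr["payload"]) < 4:
        return Decision(False, "no transport header to identify a port")
    _sport, dport = struct.unpack("!HH", hdr["payload"][:4])
    if dport not in NAD_PORTS:                        # proper port of the NAD (cf. claim 9)
        return Decision(False, f"port {dport} is not a NAD service port")
    return Decision(True, f"pass to {NAD_PORTS[dport]}", port=dport)


def build_packet(src: str, dst: str, dport: int, proto: int = IPPROTO_TCP,
                 options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 header (+ options) followed by a bare 4-byte port pair.
    The checksum is left zero because this filter does not validate it."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad options to a 32-bit boundary
    ihl = 20 + len(options)
    transport = struct.pack("!HH", 40000, dport)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0, ihl + len(transport), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + transport


if __name__ == "__main__":
    lsrr = b"\x83\x07\x04\xc0\xa8\x01\x01"            # constructed loose-source-route option
    for label, pkt, iface in [
        ("lan client to smb", build_packet("192.168.1.20", "192.168.1.50", 445), "eth0"),
        ("outside source", build_packet("10.0.0.5", "192.168.1.50", 445), "eth0"),
        ("wrong interface", build_packet("192.168.1.20", "192.168.1.50", 445), "eth1"),
        ("source-routed", build_packet("192.168.1.20", "192.168.1.50", 445, options=lsrr), "eth0"),
        ("truncated header", build_packet("192.168.1.20", "192.168.1.50", 445)[:15], "eth0"),
        ("non-service port", build_packet("192.168.1.20", "192.168.1.50", 22), "eth0"),
    ]:
        print(f"{label:18s} -> {authorize(pkt, iface)}")
```

The ordering matters: the completeness and option-sanity checks run before any address comparison, so a packet that cannot be fully parsed is denied rather than matched against a partially read header. Treating source-routed packets as unauthorized is the example's reading of the "route of the data packet" element; a deployment would also need the inbound interface name supplied by the receiving stack, since that information is not carried in the IP header itself.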

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data structure) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5526257A
CLAIM 19
. A memory storing data for access by a product evaluation application program being executed on a data processing system , the product evaluation application program evaluating a comparative level of success of products , comprising : a first data structure stored in said memory , said first data structure including first information resident in a database used by said application program and including : class specific data objects indicating a first broadest classification of the products with respect to design ;
category specific data objects indicating a second classification of the products , wherein a plurality of categories correspond to a class , establishing a first hierarchy between the category and class specific data objects ;
and style specific data objects indicating a third classification of the products , wherein a plurality of styles correspond to a category , establishing a second hierarchy between the category and style specific data objects ;
a second data structure (data packet) stored in said memory , said second data structure including second information resident in the database used by said application program and including : company specific data objects indicating a fourth broadest classification of the products with respect to entity ;
vendor and group specific data objects indicating a fifth classification of the products , wherein a plurality of vendors and groups correspond to a company , establishing a third hierarchy between the company and the vendor and group specific data objects ;
branch specific data objects indicating a sixth classification of the products , wherein a plurality of branches correspond to a group , establishing a fourth hierarchy between the vendor and group specific data objects and the branch specific data objects , wherein said data processing system executes the product evaluation application program evaluating a comparative level of success of products by accessing said memory storing the data including the first and second data structures , and generating an evaluation result .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (specific category, following steps) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data structure) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5526257A
CLAIM 13
. A computer implemented product evaluation system as recited in claim 6 , wherein the class of the product includes a broad span of the products , the category of the product includes a specific set of products within the class , and the style of the product includes a particular design of the product within a specific category (device interface, storage device) .

US5526257A
CLAIM 18
. An interactive computer implemented method for evaluating a comparative level of success of a product , interactively with a user , comprising the steps of : (a) requesting the user to select one of category and vendor for evaluating the product ;
(b) responsive to the user selecting the category in said requesting step (a) , performing the following steps (device interface, storage device) : (b1) displaying first evaluation data relating to the performance of the product with respect to the category ;
(b2) prioritizing the first evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(b3) requesting the user to select at least one of class , internal style , vendor style , and vendor for further evaluating the product with respect to category ;
(b4) displaying second evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and vendor and with respect to the category ;
(b5) prioritizing the second evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c) responsive to the user selecting the vendor in said requesting step (a) , performing the following steps : (c1) displaying third evaluation data relating to the performance of the product with respect to the vendor ;
(c2) prioritizing the third evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c3) requesting the user to select at least one of class , internal style , vendor style , and category for further evaluating the product with respect to vendor ;
(c4) displaying fourth evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and category and with respect to the vendor ;
(c5) prioritizing the fourth evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units .

US5526257A
CLAIM 19
. A memory storing data for access by a product evaluation application program being executed on a data processing system , the product evaluation application program evaluating a comparative level of success of products , comprising : a first data structure stored in said memory (storing instructions) , said first data structure including first information resident in a database used by said application program and including : class specific data objects indicating a first broadest classification of the products with respect to design ;
category specific data objects indicating a second classification of the products , wherein a plurality of categories correspond to a class , establishing a first hierarchy between the category and class specific data objects ;
and style specific data objects indicating a third classification of the products , wherein a plurality of styles correspond to a category , establishing a second hierarchy between the category and style specific data objects ;
a second data structure (data packet) stored in said memory , said second data structure including second information resident in the database used by said application program and including : company specific data objects indicating a fourth broadest classification of the products with respect to entity ;
vendor and group specific data objects indicating a fifth classification of the products , wherein a plurality of vendors and groups correspond to a company , establishing a third hierarchy between the company and the vendor and group specific data objects ;
branch specific data objects indicating a sixth classification of the products , wherein a plurality of branches correspond to a group , establishing a fourth hierarchy between the vendor and group specific data objects and the branch specific data objects , wherein said data processing system executes the product evaluation application program evaluating a comparative level of success of products by accessing said memory storing the data including the first and second data structures , and generating an evaluation result .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (specific category, following steps) .
US5526257A
CLAIM 13
. A computer implemented product evaluation system as recited in claim 6 , wherein the class of the product includes a broad span of the products , the category of the product includes a specific set of products within the class , and the style of the product includes a particular design of the product within a specific category (device interface, storage device) .

US5526257A
CLAIM 18
. An interactive computer implemented method for evaluating a comparative level of success of a product , interactively with a user , comprising the steps of : (a) requesting the user to select one of category and vendor for evaluating the product ;
(b) responsive to the user selecting the category in said requesting step (a) , performing the following steps (device interface, storage device) : (b1) displaying first evaluation data relating to the performance of the product with respect to the category ;
(b2) prioritizing the first evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(b3) requesting the user to select at least one of class , internal style , vendor style , and vendor for further evaluating the product with respect to category ;
(b4) displaying second evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and vendor and with respect to the category ;
(b5) prioritizing the second evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c) responsive to the user selecting the vendor in said requesting step (a) , performing the following steps : (c1) displaying third evaluation data relating to the performance of the product with respect to the vendor ;
(c2) prioritizing the third evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c3) requesting the user to select at least one of class , internal style , vendor style , and category for further evaluating the product with respect to vendor ;
(c4) displaying fourth evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and category and with respect to the vendor ;
(c5) prioritizing the fourth evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (specific category, following steps) comprises a SCSI interface .
US5526257A
CLAIM 13
. A computer implemented product evaluation system as recited in claim 6 , wherein the class of the product includes a broad span of the products , the category of the product includes a specific set of products within the class , and the style of the product includes a particular design of the product within a specific category (device interface, storage device) .

US5526257A
CLAIM 18
. An interactive computer implemented method for evaluating a comparative level of success of a product , interactively with a user , comprising the steps of : (a) requesting the user to select one of category and vendor for evaluating the product ;
(b) responsive to the user selecting the category in said requesting step (a) , performing the following steps (device interface, storage device) : (b1) displaying first evaluation data relating to the performance of the product with respect to the category ;
(b2) prioritizing the first evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(b3) requesting the user to select at least one of class , internal style , vendor style , and vendor for further evaluating the product with respect to category ;
(b4) displaying second evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and vendor and with respect to the category ;
(b5) prioritizing the second evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c) responsive to the user selecting the vendor in said requesting step (a) , performing the following steps : (c1) displaying third evaluation data relating to the performance of the product with respect to the vendor ;
(c2) prioritizing the third evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c3) requesting the user to select at least one of class , internal style , vendor style , and category for further evaluating the product with respect to vendor ;
(c4) displaying fourth evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and category and with respect to the vendor ;
(c5) prioritizing the fourth evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (specific category, following steps) , and a video codec .
US5526257A
CLAIM 13
. A computer implemented product evaluation system as recited in claim 6 , wherein the class of the product includes a broad span of the products , the category of the product includes a specific set of products within the class , and the style of the product includes a particular design of the product within a specific category (device interface, storage device) .

US5526257A
CLAIM 18
. An interactive computer implemented method for evaluating a comparative level of success of a product , interactively with a user , comprising the steps of : (a) requesting the user to select one of category and vendor for evaluating the product ;
(b) responsive to the user selecting the category in said requesting step (a) , performing the following steps (device interface, storage device) : (b1) displaying first evaluation data relating to the performance of the product with respect to the category ;
(b2) prioritizing the first evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(b3) requesting the user to select at least one of class , internal style , vendor style , and vendor for further evaluating the product with respect to category ;
(b4) displaying second evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and vendor and with respect to the category ;
(b5) prioritizing the second evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c) responsive to the user selecting the vendor in said requesting step (a) , performing the following steps : (c1) displaying third evaluation data relating to the performance of the product with respect to the vendor ;
(c2) prioritizing the third evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c3) requesting the user to select at least one of class , internal style , vendor style , and category for further evaluating the product with respect to vendor ;
(c4) displaying fourth evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and category and with respect to the vendor ;
(c5) prioritizing the fourth evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (second data structure) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5526257A
CLAIM 19
. A memory storing data for access by a product evaluation application program being executed on a data processing system , the product evaluation application program evaluating a comparative level of success of products , comprising : a first data structure stored in said memory , said first data structure including first information resident in a database used by said application program and including : class specific data objects indicating a first broadest classification of the products with respect to design ;
category specific data objects indicating a second classification of the products , wherein a plurality of categories correspond to a class , establishing a first hierarchy between the category and class specific data objects ;
and style specific data objects indicating a third classification of the products , wherein a plurality of styles correspond to a category , establishing a second hierarchy between the category and style specific data objects ;
a second data structure (data packet) stored in said memory , said second data structure including second information resident in the database used by said application program and including : company specific data objects indicating a fourth broadest classification of the products with respect to entity ;
vendor and group specific data objects indicating a fifth classification of the products , wherein a plurality of vendors and groups correspond to a company , establishing a third hierarchy between the company and the vendor and group specific data objects ;
branch specific data objects indicating a sixth classification of the products , wherein a plurality of branches correspond to a group , establishing a fourth hierarchy between the vendor and group specific data objects and the branch specific data objects , wherein said data processing system executes the product evaluation application program evaluating a comparative level of success of products by accessing said memory storing the data including the first and second data structures , and generating an evaluation result .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (specific category, following steps) if the request is allowed .
US5526257A
CLAIM 13
. A computer implemented product evaluation system as recited in claim 6 , wherein the class of the product includes a broad span of the products , the category of the product includes a specific set of products within the class , and the style of the product includes a particular design of the product within a specific category (device interface, storage device) .

US5526257A
CLAIM 18
. An interactive computer implemented method for evaluating a comparative level of success of a product , interactively with a user , comprising the steps of : (a) requesting the user to select one of category and vendor for evaluating the product ;
(b) responsive to the user selecting the category in said requesting step (a) , performing the following steps (device interface, storage device) : (b1) displaying first evaluation data relating to the performance of the product with respect to the category ;
(b2) prioritizing the first evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(b3) requesting the user to select at least one of class , internal style , vendor style , and vendor for further evaluating the product with respect to category ;
(b4) displaying second evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and vendor and with respect to the category ;
(b5) prioritizing the second evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c) responsive to the user selecting the vendor in said requesting step (a) , performing the following steps : (c1) displaying third evaluation data relating to the performance of the product with respect to the vendor ;
(c2) prioritizing the third evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c3) requesting the user to select at least one of class , internal style , vendor style , and category for further evaluating the product with respect to vendor ;
(c4) displaying fourth evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and category and with respect to the vendor ;
(c5) prioritizing the fourth evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (specific category, following steps) , and a video codec .
US5526257A
CLAIM 13
. A computer implemented product evaluation system as recited in claim 6 , wherein the class of the product includes a broad span of the products , the category of the product includes a specific set of products within the class , and the style of the product includes a particular design of the product within a specific category (device interface, storage device) .

US5526257A
CLAIM 18
. An interactive computer implemented method for evaluating a comparative level of success of a product , interactively with a user , comprising the steps of : (a) requesting the user to select one of category and vendor for evaluating the product ;
(b) responsive to the user selecting the category in said requesting step (a) , performing the following steps (device interface, storage device) : (b1) displaying first evaluation data relating to the performance of the product with respect to the category ;
(b2) prioritizing the first evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(b3) requesting the user to select at least one of class , internal style , vendor style , and vendor for further evaluating the product with respect to category ;
(b4) displaying second evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and vendor and with respect to the category ;
(b5) prioritizing the second evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c) responsive to the user selecting the vendor in said requesting step (a) , performing the following steps : (c1) displaying third evaluation data relating to the performance of the product with respect to the vendor ;
(c2) prioritizing the third evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units ;
(c3) requesting the user to select at least one of class , internal style , vendor style , and category for further evaluating the product with respect to vendor ;
(c4) displaying fourth evaluation data relating to the performance of the product with respect to the at least one of class , internal style , vendor style , and category and with respect to the vendor ;
(c5) prioritizing the fourth evaluation data responsive to user selection with respect to at least one of product retail price , product cost , and product units .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5530744A

Filed: 1994-09-20     Issued: 1996-06-25

Method and system for dynamic customized call routing

(Original Assignee) AT&T Corp     (Current Assignee) AT&T Corp

Salomi T. Charalambous, Sanja Durinovic-Johri, Yonatan A. Levy
US7739302B2
CLAIM 1
. A network arrangement (data links) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (point a) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said time, second data) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US5530744A
CLAIM 23
. The system according to claim 21 , further comprising a data collection point connected to said customer routing point (NAD server) and to each of said automatic call distributors , said data collection point repetitively acquiring data from each of said plurality of automatic call distributors relating to call load , and repetitively transmitting said status information to the customer routing point .

US7739302B2
CLAIM 2
. The network arrangement (data links) of claim 1 , wherein the NAD server (point a) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 23
. The system according to claim 21 , further comprising a data collection point connected to said customer routing point (NAD server) and to each of said automatic call distributors , said data collection point repetitively acquiring data from each of said plurality of automatic call distributors relating to call load , and repetitively transmitting said status information to the customer routing point .

US7739302B2
CLAIM 3
. The network arrangement (data links) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US7739302B2
CLAIM 4
. The network arrangement (data links) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said time, second data) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US7739302B2
CLAIM 5
. A local area network arrangement (data links) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (work implement) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said time, second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (includes time) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5530744A
CLAIM 1
. A method of selecting a destination automatic call distributor from a plurality of automatic call distributors for a call routed over a telecommunications network , each automatic call distributor associated with a number of agents , said method comprising the telecommunications network implemented (data management component) steps of : receiving said call at an arbitrary time ;
transmitting a signal according to information associated with said call to a customer routing point , said customer routing point receiving information related to automatic call distributor status from a data collection point , said data collection point receiving automatic call distributor information from each of said automatic call distributors , said customer routing point selecting said destination automatic call distributor from among said plurality of automatic call distributors based on the customer routing point generating a status prediction for at least one of the automatic call distributors , said status prediction dependent on the information related to automatic call distributor status and on the arbitrary time of the call ;
receiving a routing label signal indicating said selected destination automatic call distributor from said customer routing point ;
connecting said call to said selected destination automatic call distributor according to said routing label signal .

US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US5530744A
CLAIM 24
. The system according to claim 21 , wherein said status information includes time (IP addresses) data indicating when the measured call load status was acquired for each of the automatic call distributors .

US7739302B2
CLAIM 6
. The network arrangement (data links) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said time, second data) arrived via an authorized network interface .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US7739302B2
CLAIM 7
. The network arrangement (data links) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US7739302B2
CLAIM 8
. The network arrangement (data links) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US7739302B2
CLAIM 9
. The network arrangement (data links) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said time, second data) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
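Added example (an editor's illustration, not code from US7739302B2, from the cited prior art, or from the patent holder): the header checks that claims 5 through 9 recite, and that claims 10, 12 and 22 repeat, written as a small NAD-side packet filter. The policy values (allowed source network 192.168.1.0/24, NAD address 192.168.1.20, ingress interface eth0, service ports 445 and 2049) and the packets it is run on are constructed for the example. Rejecting source-routed packets is the editor's policy choice: the claims only require determining whether route information is present in the header, not what to do with it.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed policy for this example; a real NAD would load it from configuration.
ALLOWED_SOURCES = (ipaddress.ip_network("192.168.1.0/24"),)
NAD_ADDRESSES = frozenset({ipaddress.ip_address("192.168.1.20")})
AUTHORIZED_IFACES = frozenset({"eth0"})
OPEN_PORTS = frozenset({445, 2049})   # hypothetical NAD services (SMB, NFS)

IPOPT_LSRR, IPOPT_SSRR = 131, 137    # IPv4 loose / strict source route options
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    port: Optional[int] = None


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, source_routed, payload), or None when the header
    is incomplete: too short, wrong version, or truncated/malformed options."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        return None
    source_routed = False
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # no-op
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None        # malformed option length: header is incomplete
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            source_routed = True
        i += opts[i + 1]
    return (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
            proto, source_routed, packet[ihl:])


def dest_port(proto: int, payload: bytes) -> Optional[int]:
    """TCP and UDP both carry the destination port at bytes 2..3 of their header."""
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        return struct.unpack("!H", payload[2:4])[0]
    return None


def filter_request(packet: bytes, iface: str) -> Verdict:
    """Authorize a request from its packet header alone, in the order the claims list the checks."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return Verdict(False, "header incomplete")
    src, dst, proto, source_routed, payload = parsed
    if iface not in AUTHORIZED_IFACES:                       # claim 6: authorized interface
        return Verdict(False, f"unauthorized interface {iface}")
    # Claim 7: valid source = unicast, not one of the NAD's own addresses (spoofing), inside policy.
    if (src.is_unspecified or src.is_loopback or src.is_multicast
            or src in NAD_ADDRESSES or not any(src in net for net in ALLOWED_SOURCES)):
        return Verdict(False, f"invalid source {src}")
    if dst not in NAD_ADDRESSES:                             # claim 8: valid destination
        return Verdict(False, f"invalid destination {dst}")
    if source_routed:   # route information present; this policy rejects sender-chosen paths
        return Verdict(False, "source-routed packet")
    port = dest_port(proto, payload)                         # claim 9: proper port of the NAD
    if port not in OPEN_PORTS:
        return Verdict(False, f"no NAD service on port {port}")
    return Verdict(True, "authorized", port)


def build_packet(src: str, dst: str, port: int, options: bytes = b"",
                 proto: int = PROTO_TCP) -> bytes:
    """Constructed test packet: IPv4 header (plus options) and a minimal TCP/UDP header."""
    options += b"\x00" * (-len(options) % 4)                # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    l4 = struct.pack("!HH", 40000, port) + b"\x00" * 16     # src port, dst port, rest zeroed
    total = ihl * 4 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + l4


if __name__ == "__main__":
    print(filter_request(build_packet("192.168.1.10", "192.168.1.20", 445), "eth0"))
    print(filter_request(build_packet("192.168.1.20", "192.168.1.20", 445), "eth0"))
```

Every decision above is taken from the packet's own header, which is all the claims rely on. A source address is "valid" only in the sense that it is well-formed and inside policy; a host on the same segment can still forge it, so a practitioner would pair a filter of this kind with per-session authentication at the NAD rather than treat it as the only control.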
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links (network arrangement) linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said time, second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said time, second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (said time, second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said time, second data) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said time, second data) is further configured to carry out the filtering at an application layer of a network stack .
US5530744A
CLAIM 11
. A method of selecting a destination automatic call distributor from a group of automatic call distributors in a system comprising a plurality of switching offices , a customer routing point , a data collection point , first data links linking the offices and the customer routing point , second data (filtering means, data packet) links linking each of the automatic call distributors to the data collection point , and a third data link linking the data collection point to the customer routing point , the method comprising the steps of : at each automatic call distributor , accumulating data representative of the automatic call distributor call load status ;
and repetitively transmitting the accumulated data to the data collection point ;
at the data collection point , repetitively transmitting a status signal representative of the accumulated data to the customer routing point ;
at a switching office , transmitting a query message containing a number identifying the automatic call distributor group to the customer routing point in response to receipt of a call directed to the automatic call distributor group at an arbitrary call time ;
at the customer routing point , in response to the query message , generating an automatic call distributor status prediction for the arbitrary call time , said automatic call distributor status prediction based on said status signal and on the arbitrary call time ;
and transmitting a routing signal identifying the destination automatic call distributor to the switching office according to the automatic call distributor status prediction .

US5530744A
CLAIM 20
. The method according to claim 15 , wherein the step of generating said automatic call distributor status prediction includes computing a function of a service rate , a rate of calls arriving at the automatic call distributor not handled by the customer routing point , the number of agents available , the number of calls in progress , and said time (filtering means, data packet) corresponding to the arbitrary time of call receipt .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5742905A

Filed: 1994-09-19     Issued: 1998-04-21

Personal communications internetworking

(Original Assignee) Telcordia Technologies Inc     (Current Assignee) Access Co Ltd

David Matthew Pepe, Lisa B. Blitzer, James Joseph Brockman, William Cruz, Dwight Omar Hakim, Michael Kramer, Dawn Diane Petr, Josefa Ramaroson, Gerardo Ramirez, Yang-Wei Wang, Robert G. White
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail, identification information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5742905A
CLAIM 5
. A method for providing personal communication services to a called subscriber who can receive any of an electronic mail (network destination) , facsimile , and a voice mail message under a single address regardless of the format of the message from a calling subscriber who can send messages in more than one format and on either a wireless or a wireline network , said method comprising the steps of : storing in a service provider database common to a plurality of subscribers and connected to both the wireless and wireline networks and responsive to inputs from the subscribers a called subscriber profile for each of said subscribers , said profile containing message routing commands for each called subscriber depending on the format of the message ;
receiving any of an electronic mail , a facsimile , and a voice mail message addressed to a particular called subscriber at said particular called subscriber's single address from a calling subscriber on either of the wireless and wireline networks ;
determining from the stored called subscriber profile the message routing commands for routing the received message to the particular called subscriber dependent on the format of the message ;
responsive to a message routing command , converting the received message from the received format to a different format ;
and routing the received message in said different format to any of a wireless or a wireless network according to the message routing commands in the called subscriber profile .

US5742905A
CLAIM 9
. A method for personal communications comprising the steps of : storing a subscriber profile containing message routing commands for a subscriber : receiving any of an electronic mail , a facsimile , and a voice mail message addressed to the subscriber from either of a wireless and a wireline network ;
consulting the subscriber file for instructions for routing the received message ;
and routing the received message to any of a wireless or wireline network according to the instructions in the subscriber profile ;
and wherein said step of receiving a voice mail message addressed to the subscriber further includes the steps of : receiving from an originating voice mail system an incoming voice mail message call at a network , said voice mail message call including identification information (network destination) ;
extracting the identification information from the message to determine the origin of the voice mail message ;
consulting a profile contained in the network to determine routing instructions , said routing instructions including one of : (i) routing the incoming call to a preselected telephone number ;
and (ii) sending a notification to the subscriber of the incoming call via a medium other than a telephone call ;
routing the received voice mail message according to the routing instructions in the profile ;
said step of consulting further comprising determining if the identification of the originator indicates that the originator is also the subscriber ;
if the originator is the subscriber , said step of routing further comprises the steps of : (i) not forwarding the voice mail message ;
and (ii) extracting header information from the identification information and transmitting a notification to the subscriber containing the header information ;
and if the originator is not the subscriber , said step of routing further comprises the steps of : (i) if the message exceeds predetermined length , rejecting the message ;
and (ii) if the message is less than or equal to the predetermined length , accepting and routing the message .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests (media format) for network access to the NAD from a plurality of network clients having different operating systems .
US5742905A
CLAIM 6
. A personal communication internetwork for sending and receiving wireless and wireline messages between subscribers in different formats , each subscriber having a single address to which all incoming messages are addressed regardless of the format of the message , said incoming messages including at least a plurality of telephone , pager , facsimile , voice mail , and electronic text communications , said internetwork including : means connected to receive and transmit messages in more than one format from a calling party over wireless and wireline communication networks ;
means common to the subscribers and connected to said wireless and wireline networks for storing for each subscriber a profile responsive to inputs received from each of the subscribers and configured to store routing commands including communication forwarding options for said each subscriber depending on the format of the message from the calling party ;
and a communication router connected to receive the received messages from the wireless and wireline networks and being responsive to the profile in said storing means for transmitting the received messages over the wireless and wireline networks according to the stored forwarding options , said communication router including a media format (accepting requests) translation device configured to translate a received communication into a different communication medium for transmission .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (telephone network) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5742905A
CLAIM 1
. A personal communication internetwork for sending and receiving wireless and wireline messages , said internetwork comprising (1) a server , including : (a) a message transfer agent interfaced with at least one wireline data network ;
(b) a wireless data network protocol handler connected to the message transfer agent and interfacing with at least one wireless data network ;
(c) a mobility controller , including i . a subscriber profile cache ;
ii . a message router responsive to message routing parameters in the subscriber profile ;
iii . an interface connected to exchange message routing parameters between the subscriber profile and the at least one wireless network ;
iv . an interface connected to exchange message routing parameters between the subscriber profile and a personal communication control point ;
and v . an interface with at least one of a telephone network (IP addresses) , an alphanumeric pager network , and a voice peripheral ;
and a personal communication control point connected to the server , including : (a) a first interface connected to exchange message routing parameter signals with the server ;
(b) a second interface connected to exchange generic data message routing parameter signals with the server ;
(c) a subscriber profile connected to receive and maintain message routing parameters ;
and (d) a call processor connected between the subscriber profile and the first and second interfaces .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network interface) .
US5742905A
CLAIM 3
. The personal communication internetwork of claim 1 , further including a personal digital assistant having a wireless data network interface (network interface) connected to exchange message routing parameters and an application designed to communicate with the interface to receive , update , and transmit the message routing parameters .
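The header-based access check that claims 1, 4, 5 and 6 of US7739302B2 describe (source, destination and route information present in the IP header, filtering on the addresses, and confirming the packet arrived on an authorized interface), written out as an added example. This is not code from the patent or from either assignee: the NAD address, the allowed client subnet and the interface names are made up, and treating an IPv4 source-route option as the header's "route" information is this example's reading, not the patent's.

```python
import ipaddress
import struct

# Constructed policy for the example (not from the patent): the NAD's own address,
# the client subnet allowed to reach it, and the interfaces regarded as trusted ingress.
NAD_ADDRESS = ipaddress.ip_address("192.168.1.50")
ALLOWED_SOURCES = ipaddress.ip_network("192.168.1.0/24")
AUTHORIZED_INTERFACES = {"lan0"}

IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
LSRR, SSRR = 0x83, 0x89      # loose / strict source-route option types


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and return the fields the filter needs."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("malformed header")
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "options": packet[20:ihl * 4],
    }


def has_source_route(options: bytes) -> bool:
    """Walk the IPv4 options list; a source-route option lets the sender dictate the route."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            return False
        if kind == 1:            # single-byte NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed options")
        if kind in (LSRR, SSRR):
            return True
        i += options[i + 1]
    return False


def authorize(packet: bytes, ingress: str) -> tuple:
    """Decide one access request to the NAD. Returns (allowed, reason)."""
    try:
        hdr = parse_ipv4_header(packet)
        source_routed = has_source_route(hdr["options"])
    except ValueError as exc:
        return False, f"drop: {exc}"
    # Completeness of the source / destination / route information (the claim 4 style check).
    if hdr["src"].is_unspecified or hdr["src"].is_multicast:
        return False, "drop: source address missing or invalid"
    if hdr["dst"] != NAD_ADDRESS:
        return False, "drop: not addressed to this NAD"
    if hdr["total_len"] != len(packet) or hdr["ttl"] == 0:
        return False, "drop: inconsistent length or TTL"
    if source_routed:
        return False, "drop: sender-specified route"
    # The route the packet actually took: the interface it arrived on (claims 6 and 13).
    if ingress not in AUTHORIZED_INTERFACES:
        return False, f"drop: unauthorized ingress interface {ingress}"
    # Address-based filtering done by the NAD itself, independent of any perimeter firewall.
    if hdr["src"] not in ALLOWED_SOURCES:
        return False, f"drop: source {hdr['src']} not on allowlist"
    return True, "allow"


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test packets; the checksum is left at zero because the filter does not verify it."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack(IPV4_HDR, (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


if __name__ == "__main__":
    lsrr = bytes([LSRR, 7, 4]) + ipaddress.ip_address("198.51.100.1").packed
    for pkt, iface in [
        (build_ipv4("192.168.1.10", "192.168.1.50", payload=b"GET /share"), "lan0"),
        (build_ipv4("192.168.1.10", "192.168.1.50"), "wan0"),
        (build_ipv4("203.0.113.7", "192.168.1.50"), "lan0"),
        (build_ipv4("192.168.1.10", "192.168.1.50", options=lsrr), "lan0"),
        (build_ipv4("0.0.0.0", "192.168.1.50"), "lan0"),
        (b"\x45\x00", "lan0"),
    ]:
        print(authorize(pkt, iface))
```

The checks run cheapest-and-most-decisive first: a malformed or incomplete header is dropped before any policy lookup, the ingress interface is tested before the address allowlist so that a spoofed internal source arriving on the firewall-facing interface never reaches the allowlist at all, and nothing here depends on the perimeter firewall having seen the packet.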

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail, identification information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5742905A
CLAIM 5
. A method for providing personal communication services to a called subscriber who can receive any of an electronic mail (network destination) , facsimile , and a voice mail message under a single address regardless of the format of the message from a calling subscriber who can send messages in more than one format and on either a wireless or a wireline network , said method comprising the steps of : storing in a service provider database common to a plurality of subscribers and connected to both the wireless and wireline networks and responsive to inputs from the subscribers a called subscriber profile for each of said subscribers , said profile containing message routing commands for each called subscriber depending on the format of the message ;
receiving any of an electronic mail , a facsimile , and a voice mail message addressed to a particular called subscriber at said particular called subscriber's single address from a calling subscriber on either of the wireless and wireline networks ;
determining from the stored called subscriber profile the message routing commands for routing the received message to the particular called subscriber dependent on the format of the message ;
responsive to a message routing command , converting the received message from the received format to a different format ;
and routing the received message in said different format to any of a wireless or a wireless network according to the message routing commands in the called subscriber profile .

US5742905A
CLAIM 9
. A method for personal communications comprising the steps of : storing a subscriber profile containing message routing commands for a subscriber : receiving any of an electronic mail , a facsimile , and a voice mail message addressed to the subscriber from either of a wireless and a wireline network ;
consulting the subscriber file for instructions for routing the received message ;
and routing the received message to any of a wireless or wireline network according to the instructions in the subscriber profile ;
and wherein said step of receiving a voice mail message addressed to the subscriber further includes the steps of : receiving from an originating voice mail system an incoming voice mail message call at a network , said voice mail message call including identification information (network destination) ;
extracting the identification information from the message to determine the origin of the voice mail message ;
consulting a profile contained in the network to determine routing instructions , said routing instructions including one of : (i) routing the incoming call to a preselected telephone number ;
and (ii) sending a notification to the subscriber of the incoming call via a medium other than a telephone call ;
routing the received voice mail message according to the routing instructions in the profile ;
said step of consulting further comprising determining if the identification of the originator indicates that the originator is also the subscriber ;
if the originator is the subscriber , said step of routing further comprises the steps of : (i) not forwarding the voice mail message ;
and (ii) extracting header information from the identification information and transmitting a notification to the subscriber containing the header information ;
and if the originator is not the subscriber , said step of routing further comprises the steps of : (i) if the message exceeds predetermined length , rejecting the message ;
and (ii) if the message is less than or equal to the predetermined length , accepting and routing the message .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network interface) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail, identification information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5742905A
CLAIM 3
. The personal communication internetwork of claim 1 , further including a personal digital assistant having a wireless data network interface (network interface) connected to exchange message routing parameters and an application designed to communicate with the interface to receive , update , and transmit the message routing parameters .

US5742905A
CLAIM 5
. A method for providing personal communication services to a called subscriber who can receive any of an electronic mail (network destination) , facsimile , and a voice mail message under a single address regardless of the format of the message from a calling subscriber who can send messages in more than one format and on either a wireless or a wireline network , said method comprising the steps of : storing in a service provider database common to a plurality of subscribers and connected to both the wireless and wireline networks and responsive to inputs from the subscribers a called subscriber profile for each of said subscribers , said profile containing message routing commands for each called subscriber depending on the format of the message ;
receiving any of an electronic mail , a facsimile , and a voice mail message addressed to a particular called subscriber at said particular called subscriber's single address from a calling subscriber on either of the wireless and wireline networks ;
determining from the stored called subscriber profile the message routing commands for routing the received message to the particular called subscriber dependent on the format of the message ;
responsive to a message routing command , converting the received message from the received format to a different format ;
and routing the received message in said different format to any of a wireless or a wireless network according to the message routing commands in the called subscriber profile .

US5742905A
CLAIM 9
. A method for personal communications comprising the steps of : storing a subscriber profile containing message routing commands for a subscriber : receiving any of an electronic mail , a facsimile , and a voice mail message addressed to the subscriber from either of a wireless and a wireline network ;
consulting the subscriber file for instructions for routing the received message ;
and routing the received message to any of a wireless or wireline network according to the instructions in the subscriber profile ;
and wherein said step of receiving a voice mail message addressed to the subscriber further includes the steps of : receiving from an originating voice mail system an incoming voice mail message call at a network , said voice mail message call including identification information (network destination) ;
extracting the identification information from the message to determine the origin of the voice mail message ;
consulting a profile contained in the network to determine routing instructions , said routing instructions including one of : (i) routing the incoming call to a preselected telephone number ;
and (ii) sending a notification to the subscriber of the incoming call via a medium other than a telephone call ;
routing the received voice mail message according to the routing instructions in the profile ;
said step of consulting further comprising determining if the identification of the originator indicates that the originator is also the subscriber ;
if the originator is the subscriber , said step of routing further comprises the steps of : (i) not forwarding the voice mail message ;
and (ii) extracting header information from the identification information and transmitting a notification to the subscriber containing the header information ;
and if the originator is not the subscriber , said step of routing further comprises the steps of : (i) if the message exceeds predetermined length , rejecting the message ;
and (ii) if the message is less than or equal to the predetermined length , accepting and routing the message .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (network interface) .
US5742905A
CLAIM 3
. The personal communication internetwork of claim 1 , further including a personal digital assistant having a wireless data network interface (network interface) connected to exchange message routing parameters and an application designed to communicate with the interface to receive , update , and transmit the message routing parameters .

US7739302B2
CLAIM 17
. The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (second interface) .
US5742905A
CLAIM 1
. A personal communication internetwork for sending and receiving wireless and wireline messages , said internetwork comprising (1) a server , including : (a) a message transfer agent interfaced with at least one wireline data network ;
(b) a wireless data network protocol handler connected to the message transfer agent and interfacing with at least one wireless data network ;
(c) a mobility controller , including i . a subscriber profile cache ;
ii . a message router responsive to message routing parameters in the subscriber profile ;
iii . an interface connected to exchange message routing parameters between the subscriber profile and the at least one wireless network ;
iv . an interface connected to exchange message routing parameters between the subscriber profile and a personal communication control point ;
and v . an interface with at least one of a telephone network , an alphanumeric pager network , and a voice peripheral ;
and a personal communication control point connected to the server , including : (a) a first interface connected to exchange message routing parameter signals with the server ;
(b) a second interface (application layer) connected to exchange generic data message routing parameter signals with the server ;
(c) a subscriber profile connected to receive and maintain message routing parameters ;
and (d) a call processor connected between the subscriber profile and the first and second interfaces .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (electronic mail, identification information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5742905A
CLAIM 5
. A method for providing personal communication services to a called subscriber who can receive any of an electronic mail (network destination) , facsimile , and a voice mail message under a single address regardless of the format of the message from a calling subscriber who can send messages in more than one format and on either a wireless or a wireline network , said method comprising the steps of : storing in a service provider database common to a plurality of subscribers and connected to both the wireless and wireline networks and responsive to inputs from the subscribers a called subscriber profile for each of said subscribers , said profile containing message routing commands for each called subscriber depending on the format of the message ;
receiving any of an electronic mail , a facsimile , and a voice mail message addressed to a particular called subscriber at said particular called subscriber's single address from a calling subscriber on either of the wireless and wireline networks ;
determining from the stored called subscriber profile the message routing commands for routing the received message to the particular called subscriber dependent on the format of the message ;
responsive to a message routing command , converting the received message from the received format to a different format ;
and routing the received message in said different format to any of a wireless or a wireless network according to the message routing commands in the called subscriber profile .

US5742905A
CLAIM 9
. A method for personal communications comprising the steps of : storing a subscriber profile containing message routing commands for a subscriber : receiving any of an electronic mail , a facsimile , and a voice mail message addressed to the subscriber from either of a wireless and a wireline network ;
consulting the subscriber file for instructions for routing the received message ;
and routing the received message to any of a wireless or wireline network according to the instructions in the subscriber profile ;
and wherein said step of receiving a voice mail message addressed to the subscriber further includes the steps of : receiving from an originating voice mail system an incoming voice mail message call at a network , said voice mail message call including identification information (network destination) ;
extracting the identification information from the message to determine the origin of the voice mail message ;
consulting a profile contained in the network to determine routing instructions , said routing instructions including one of : (i) routing the incoming call to a preselected telephone number ;
and (ii) sending a notification to the subscriber of the incoming call via a medium other than a telephone call ;
routing the received voice mail message according to the routing instructions in the profile ;
said step of consulting further comprising determining if the identification of the originator indicates that the originator is also the subscriber ;
if the originator is the subscriber , said step of routing further comprises the steps of : (i) not forwarding the voice mail message ;
and (ii) extracting header information from the identification information and transmitting a notification to the subscriber containing the header information ;
and if the originator is not the subscriber , said step of routing further comprises the steps of : (i) if the message exceeds predetermined length , rejecting the message ;
and (ii) if the message is less than or equal to the predetermined length , accepting and routing the message .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer (second interface) of a network stack .
US5742905A
CLAIM 1
. A personal communication internetwork for sending and receiving wireless and wireline messages , said internetwork comprising (1) a server , including : (a) a message transfer agent interfaced with at least one wireline data network ;
(b) a wireless data network protocol handler connected to the message transfer agent and interfacing with at least one wireless data network ;
(c) a mobility controller , including i . a subscriber profile cache ;
ii . a message router responsive to message routing parameters in the subscriber profile ;
iii . an interface connected to exchange message routing parameters between the subscriber profile and the at least one wireless network ;
iv . an interface connected to exchange message routing parameters between the subscriber profile and a personal communication control point ;
and v . an interface with at least one of a telephone network , an alphanumeric pager network , and a voice peripheral ;
and a personal communication control point connected to the server , including : (a) a first interface connected to exchange message routing parameter signals with the server ;
(b) a second interface (application layer) connected to exchange generic data message routing parameter signals with the server ;
(c) a subscriber profile connected to receive and maintain message routing parameters ;
and (d) a call processor connected between the subscriber profile and the first and second interfaces .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5548646A

Filed: 1994-09-15     Issued: 1996-08-20

System for signatureless transmission and reception of data packets between computer networks

(Original Assignee) Sun Microsystems Inc     (Current Assignee) Sun Microsystems Inc

Ashar Aziz, Geoffrey Mulligan, Martin Patterson, Glenn Scott
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (security data) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (third memory) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5548646A
CLAIM 6
. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network , including : a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network , the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism ;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network , the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets ;
said first host computer including a third processor and a third memory (network source) including instructions for transmitting a first said data packet from said first host to said second host ;
a table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network , respectively ;
instructions stored in said first memory for intercepting said first data packet before departure from said first network , determining whether said correlation is present in said table , and if so , then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism , generating a new address header and appending said new address header to said first data packet , thereby generating a modified first data packet , and transmitting said modified data packet on to the second host computer ;
instructions stored in said second memory for intercepting said first data packet upon arrival at said second network , determining whether said correlation is present in said table , and if so , then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism , and transmitting the first data packet to the second host computer .

US5548646A
CLAIM 14
. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network and having a first processor and a first memory , via an internetwork to a second host computer on a second computer network and having a second processor and a second memory , the system including : security data (executable instructions, computer executable instructions) stored said first and memories indicating that data packets meeting at least one predetermined criterion are to be encrypted ;
a predetermined encryption/decryption mechanism stored in said first and second memories ;
a decryption key stored in said second memory ;
instructions stored in said first memory for determining whether to encrypt data packets , by determining whether said predetermined criterion is met by said data packet ;
instructions stored in said first memory for executing encryption according to said predetermined encryption/decryption mechanism of at least a first said data packet , when said criterion is met , for generating a new address header for said first data packet and for appending an encapsulation header to said first data packet and transmitting said first data packet to said second host , said encapsulation header including at least said new address header ;
instructions stored in said second memory for receiving said first data packet , determining whether it has been encrypted by reference to said security data , and if so then determining which encryption/decryption mechanism was used for encryption , and decrypting said data packet by use of said decryption key .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source (third memory) , destination , and route of the data packet .
US5548646A
CLAIM 6
. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network , including : a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network , the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism ;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network , the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets ;
said first host computer including a third processor and a third memory (network source) including instructions for transmitting a first said data packet from said first host to said second host ;
a table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network , respectively ;
instructions stored in said first memory for intercepting said first data packet before departure from said first network , determining whether said correlation is present in said table , and if so , then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism , generating a new address header and appending said new address header to said first data packet , thereby generating a modified first data packet , and transmitting said modified data packet on to the second host computer ;
instructions stored in said second memory for intercepting said first data packet upon arrival at said second network , determining whether said correlation is present in said table , and if so , then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism , and transmitting the first data packet to the second host computer .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address, network address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (third memory) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5548646A
CLAIM 1
. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network , the first and second computer networks including , respectively , first and second bridge computers , each of said first and second host computers and first and second bridge computers including a processor and a memory for storing instructions for execution by the processor , each of said first and second bridge computers further including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them , the method being carried out by means of the instructions stored in said respective memories and including the steps of : (1) generating , by the first host computer , a first data packet for transmission to the second host computer , a portion of the data packet including information representing an internetwork address (IP addresses) of the first host computer and an internetwork address of the second host computer ;
(2) in the first bridge computer , intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required , and if not , proceeding to step 5 , and if so , proceeding to step 3 ;
(3) encrypting the first data packet in the first bridge computer ;
(4) in the first bridge computer , generating and appending to the first data packet an encapsulation header , including : (a) key management information identifying the predetermined encryption method , and (b) a new address header representing the source and destination for the data packet , thereby generating a modified data packet ;
(5) transmitting the data packet from the first bridge computer via the internetwork to the second computer network ;
(6) intercepting the data packet at the second bridge computer ;
(7) in the second bridge computer , reading the encapsulation header , and determining therefrom whether the data packet was encrypted , and if not , proceeding to step 10 , and if so , proceeding to step 8 ;
(8) in the second bridge computer , determining which encryption mechanism was used to encrypt the first data packet ;
(9) decrypting the first data packet by the second bridge computer ;
(10) transmitting the first data packet from the second bridge computer to the second host computer ;
and (11) receiving the unencrypted data packet at the second host computer .

US5548646A
CLAIM 6
. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network , including : a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network , the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism ;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network , the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets ;
said first host computer including a third processor and a third memory (network source) including instructions for transmitting a first said data packet from said first host to said second host ;
a table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network , respectively ;
instructions stored in said first memory for intercepting said first data packet before departure from said first network , determining whether said correlation is present in said table , and if so , then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism , generating a new address header and appending said new address header to said first data packet , thereby generating a modified first data packet , and transmitting said modified data packet on to the second host computer ;
instructions stored in said second memory for intercepting said first data packet upon arrival at said second network , determining whether said correlation is present in said table , and if so , then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism , and transmitting the first data packet to the second host computer .

US5548646A
CLAIM 15
. The system of claim 14 , wherein : said security data comprises correlation data stored in each of said first and second memories identifying at least one of said first host computer and said first network correlated with at least one of said second host computer and said second network ;
the system further including instructions stored in said first memory for determining whether to encrypt data packets by inspecting for a match between source and destination addresses (IP addresses) of said data packets with said correlation data .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (third memory) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5548646A
CLAIM 6
. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network , including : a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network , the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism ;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network , the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets ;
said first host computer including a third processor and a third memory (network source) including instructions for transmitting a first said data packet from said first host to said second host ;
a table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network , respectively ;
instructions stored in said first memory for intercepting said first data packet before departure from said first network , determining whether said correlation is present in said table , and if so , then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism , generating a new address header and appending said new address header to said first data packet , thereby generating a modified first data packet , and transmitting said modified data packet on to the second host computer ;
instructions stored in said second memory for intercepting said first data packet upon arrival at said second network , determining whether said correlation is present in said table , and if so , then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism , and transmitting the first data packet to the second host computer .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (storing instructions, said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (third memory) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5548646A
CLAIM 1
. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network , the first and second computer networks including , respectively , first and second bridge computers , each of said first and second host computers and first and second bridge computers including a processor and a memory for storing instructions (storing instructions) for execution by the processor , each of said first and second bridge computers further including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them , the method being carried out by means of the instructions stored in said respective memories and including the steps of : (1) generating , by the first host computer , a first data packet for transmission to the second host computer , a portion of the data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer ;
(2) in the first bridge computer , intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required , and if not , proceeding to step 5 , and if so , proceeding to step 3 ;
(3) encrypting the first data packet in the first bridge computer ;
(4) in the first bridge computer , generating and appending to the first data packet an encapsulation header , including : (a) key management information identifying the predetermined encryption method , and (b) a new address header representing the source and destination for the data packet , thereby generating a modified data packet ;
(5) transmitting the data packet from the first bridge computer via the internetwork to the second computer network ;
(6) intercepting the data packet at the second bridge computer ;
(7) in the second bridge computer , reading the encapsulation header , and determining therefrom whether the data packet was encrypted , and if not , proceeding to step 10 , and if so , proceeding to step 8 ;
(8) in the second bridge computer , determining which encryption mechanism was used to encrypt the first data packet ;
(9) decrypting the first data packet by the second bridge computer ;
(10) transmitting the first data packet from the second bridge computer to the second host computer ;
and (11) receiving the unencrypted data packet at the second host computer .

US5548646A
CLAIM 6
. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network , including : a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network , the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism ;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network , the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets ;
said first host computer including a third processor and a third memory (network source) including instructions for transmitting a first said data packet from said first host to said second host ;
a table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network , respectively ;
instructions stored in said first memory for intercepting said first data packet before departure from said first network , determining whether said correlation is present in said table , and if so , then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism , generating a new address header and appending said new address header to said first data packet , thereby generating a modified first data packet , and transmitting said modified data packet on to the second host computer ;
instructions stored in said second memory for intercepting said first data packet upon arrival at said second network , determining whether said correlation is present in said table , and if so , then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism , and transmitting the first data packet to the second host computer .

US5548646A
CLAIM 11
. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network , the first and second computer networks , each of said first and second host computers including a processor and a memory for storing instructions for execution by the processor , each said memory (storing instructions) storing at least one predetermined encryption/decryption mechanism and a source/destination table identifying a predetermined plurality of sources and destinations requiring security for packets transmitted between them , the method being carried out by means of the instructions stored in said respective memories and including the steps of : (1) generating , by the first host computer , a first data packet for transmission to the second host computer , a portion of the data packet including information representing an internetwork address of a source of the packet and an internetwork address of a destination of the packet ;
(2) in the first host computer , determining whether the source and destination of the first data packet are among the predetermined plurality of sources and destinations identified in said source/destination table for which security is required , and if not , proceeding to step 5 , and if so , proceeding to step 3 ;
(3) encrypting the first data packet in the first host computer ;
(4) in the first host computer , generating and appending to the first data packet an encapsulation header , including : (a) key management information identifying the predetermined encryption method , and (b) a new address header identifying the source and destination for the data packet , thereby generating a modified data packet ;
(5) transmitting the data packet from the first host computer via the internetwork to the second computer network ;
(6) in the second host computer , reading the encapsulation header , and determining therefrom whether the data packet was encrypted , and if not , ending the method , and if so , proceeding to step 7 ;
(7) in the second host computer , determining which encryption mechanism was used to encrypt the first data packet ;
and (8) decrypting the first data packet by the second host computer .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (third memory) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5548646A
CLAIM 6
. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network , including : a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network , the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism ;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network , the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets ;
said first host computer including a third processor and a third memory (network source) including instructions for transmitting a first said data packet from said first host to said second host ;
a table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network , respectively ;
instructions stored in said first memory for intercepting said first data packet before departure from said first network , determining whether said correlation is present in said table , and if so , then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism , generating a new address header and appending said new address header to said first data packet , thereby generating a modified first data packet , and transmitting said modified data packet on to the second host computer ;
instructions stored in said second memory for intercepting said first data packet upon arrival at said second network , determining whether said correlation is present in said table , and if so , then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism , and transmitting the first data packet to the second host computer .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5481720A

Filed: 1994-09-14     Issued: 1996-01-02

Flexible interface to authentication services in a distributed data processing environment

(Original Assignee) International Business Machines Corp     (Current Assignee) International Business Machines Corp

Larry K. Loucks, Todd A. Smith
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (authentication information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5481720A
CLAIM 1
. A system for authenticating a requestor process at a first node , of a service process running at a second node in a distributed data processing system , comprising : a first machine at said first node ;
a second machine at a second node ;
and communication means interconnecting said first and said second machines ;
said first machine executing an operating system ;
said requestor process , and a first authentication agent program defining a corresponding first authentication policy independently of said operating system ;
said first machine further including means for constructing authentication information (network destination) and a first authentication acknowledgement supporting said first authentication policy ;
said second machine further executing an operating system ;
said service process , and a second authentication agent program defining a corresponding second authentication policy independently of said operating system ;
said second machine further including means for receiving and processing said authentication information communication from said first machine to said second machine over said communication means ;
means for acquiring and transmitting a second authentication acknowledgement on said communication means from said second machine to said first machine ;
and wherein said first machine further includes means for comparing said first authentication acknowledgement and said second received authentication acknowledgement for determining a second authentication of said service process .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (authentication information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access (service process) to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5481720A
CLAIM 1
. A system for authenticating a requestor process at a first node , of a service process (providing network access) running at a second node in a distributed data processing system , comprising : a first machine at said first node ;
a second machine at a second node ;
and communication means interconnecting said first and said second machines ;
said first machine executing an operating system ;
said requestor process , and a first authentication agent program defining a corresponding first authentication policy independently of said operating system ;
said first machine further including means for constructing authentication information (network destination) and a first authentication acknowledgement supporting said first authentication policy ;
said second machine further executing an operating system ;
said service process , and a second authentication agent program defining a corresponding second authentication policy independently of said operating system ;
said second machine further including means for receiving and processing said authentication information communication from said first machine to said second machine over said communication means ;
means for acquiring and transmitting a second authentication acknowledgement on said communication means from said second machine to said first machine ;
and wherein said first machine further includes means for comparing said first authentication acknowledgement and said second received authentication acknowledgement for determining a second authentication of said service process .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (authentication information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5481720A
CLAIM 1
. A system for authenticating a requestor process at a first node , of a service process running at a second node in a distributed data processing system , comprising : a first machine at said first node ;
a second machine at a second node ;
and communication means interconnecting said first and said second machines ;
said first machine executing an operating system ;
said requestor process , and a first authentication agent program defining a corresponding first authentication policy independently of said operating system ;
said first machine further including means for constructing authentication information (network destination) and a first authentication acknowledgement supporting said first authentication policy ;
said second machine further executing an operating system ;
said service process , and a second authentication agent program defining a corresponding second authentication policy independently of said operating system ;
said second machine further including means for receiving and processing said authentication information communication from said first machine to said second machine over said communication means ;
means for acquiring and transmitting a second authentication acknowledgement on said communication means from said second machine to said first machine ;
and wherein said first machine further includes means for comparing said first authentication acknowledgement and said second received authentication acknowledgement for determining a second authentication of said service process .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (authentication information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5481720A
CLAIM 1
. A system for authenticating a requestor process at a first node , of a service process running at a second node in a distributed data processing system , comprising : a first machine at said first node ;
a second machine at a second node ;
and communication means interconnecting said first and said second machines ;
said first machine executing an operating system ;
said requestor process , and a first authentication agent program defining a corresponding first authentication policy independently of said operating system ;
said first machine further including means for constructing authentication information (network destination) and a first authentication acknowledgement supporting said first authentication policy ;
said second machine further executing an operating system ;
said service process , and a second authentication agent program defining a corresponding second authentication policy independently of said operating system ;
said second machine further including means for receiving and processing said authentication information communication from said first machine to said second machine over said communication means ;
means for acquiring and transmitting a second authentication acknowledgement on said communication means from said second machine to said first machine ;
and wherein said first machine further includes means for comparing said first authentication acknowledgement and said second received authentication acknowledgement for determining a second authentication of said service process .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5621889A

Filed: 1994-06-08     Issued: 1997-04-15

Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility

(Original Assignee) Alcatel SA     (Current Assignee) Alcatel SA

Jean-Marc Lermuzeaux, Thierry Emery, Patrice Gonthier
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (policy check) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5621889A
CLAIM 7
. A facility as claimed in claim 5 , wherein the modules for analyzing behavior comprise a profile checker responsible for checking compliance of behavior as determined by observation with an archived profile , an attack identifier responsible for looking for similarity between determined behavior and known attack scenarios , and two policy checkers (computer executable instructions) , one being a security checker suitable for determining failure to comply with security rules stored in a security policy data base in order to trigger indicating of an intrusion to the suspicion and reaction manager in the event of non-compliance , and the other one being a behavior policy checker suitable for determining non-compliance with behavior rules stored in a behavior policy data base in order to trigger , as appropriate , the indication of an anomaly or of an intrusion to the suspicion and reaction manager .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5694546A

Filed: 1994-05-31     Issued: 1997-12-02

System for automatic unattended electronic information transport between a server and a client by a vendor provided transport software with a manifest list

(Original Assignee) Reisman; Richard R.     (Current Assignee) Tmi Solutions LLC ; Intellectual Ventures I LLC

Richard R. Reisman
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests (distribution server) for network access to the NAD from a plurality of network clients having different operating systems .
US5694546A
CLAIM 20
. A distribution server (accepting requests) according to claim 19 in combination with a link to a remote vendor , whereby said users can transport objects to or from said vendor via said distribution server .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (telephone network, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5694546A
CLAIM 22
. An information transport component according to claim 1 wherein said communications network is a telephone network (IP addresses) , said user protocols include a telephone number for accessing said remote object source and specifications for a telephone modem or other telephone interface device , said real time communication being made via a user telephone modem .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (communications module) .
US5694546A
CLAIM 11
. An information transport component according to claim 1 wherein said user communications module (network interface) is self-configuring and includes a workstation surveyor providing workstation configuration parameters .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (communications module) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5694546A
CLAIM 11
. An information transport component according to claim 1 wherein said user communications module (network interface) is self-configuring and includes a workstation surveyor providing workstation configuration parameters .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit to determine whether each packet arrived via an authorized network interface (communications module) .
US5694546A
CLAIM 11
. An information transport component according to claim 1 wherein said user communications module (network interface) is self-configuring and includes a workstation surveyor providing workstation configuration parameters .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing device (steps) , the selectively generated packet containing the request for access to the directly attached device .
US5694546A
CLAIM 32
. A method according to claim 29 further comprising additional steps of providing application file specifications , location or relocation of an object file or files , indexing , reindexing , index creation or use of hypertext or other product integration function that are required to enable said user to utilize said fetched object harmoniously with said original information product , said steps (intermediary computing device) being performed automatically in unattended manner without user intervention .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (communication protocol) .
US5694546A
CLAIM 19
. An electronic information product distribution remote server for use in transporting information objects to multiple transport components according to claim 1 located at said object source and being supplied with said source communication protocols (network protocols) .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (communication protocol) is TCP/IP .
US5694546A
CLAIM 19
. An electronic information product distribution remote server for use in transporting information objects to multiple transport components according to claim 1 located at said object source and being supplied with said source communication protocols (network protocols) .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5636216A

Filed: 1994-04-08     Issued: 1997-06-03

Method for translating internet protocol addresses to other distributed network addressing schemes

(Original Assignee) Metricom Inc     (Current Assignee) Google LLC

Richard H. Fox, Brett D. Galloway
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (consulting step) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5636216A
CLAIM 7
. In a data communication system comprising a plurality of interconnected networks , a method for forwarding a packet from a first node connected to an originating network to a second node connected to a destination network , said method comprising the steps of : using the second node to contact a third node , said third node being connected to said destination network ;
thereafter establishing a communication link between said second node and said third node ;
thereafter transmitting from the second node to the third node over said communication link a self-registration message comprising an IP address of said second node and a network specific local address of said second node , said network specific local address being usable to forward a packet to said second node over said destination network ;
thereafter extracting , at said third node , said IP address and said network specific local address of said second node from said self-registration message ;
storing in a memory device at said third node a record comprising said IP address of said second node and said network specific local address of said second node obtained in said extracting step ;
inserting , at said first node , said IP address of said second node in a header of said packet ;
thereafter forwarding said packet from said first node to said third node using a method specified by the Internet Protocol ;
extracting at said third node , said IP address from said packet ;
thereafter identifying said record at said third node using said IP address extracted from said packet ;
consulting said record identified in said identifying step to obtain said network specific local address of said second node ;
inserting at said third node said network specific local address of said second node obtained in said consulting step (network client) in a header of said packet ;
and thereafter forwarding said packet from said third node to said second node over said destination network .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (inquiry message) .
US5636216A
CLAIM 11
. In a data communication system comprising a plurality of interconnected networks , a method for translating an Internet Protocol (IP) address to a network specific local address usable for forwarding a packet over a local network the method comprising the steps of : storing in a memory device at a first node a record comprising an IP address of a second node connected to said local network and a network specific local address of said second node usable for forwarding a packet over said local network to said second node , wherein said first node is inaccessible via said local network and accessible via said plurality of interconnected networks ;
thereafter accepting , at a third node , said IP address of said second node as a translation input ;
formulating an inquiry message (different operating systems) at said third node connected to said local network and to said plurality of interconnected networks , said inquiry message comprising said IP address of said second node ;
forwarding said inquiry message from said third node to said first node over said plurality of interconnected networks ;
extracting at said first node said IP address of said second node from said inquiry message ;
identifying said record at said first node using said IP address extracted from said inquiry message ;
consulting , at said first node , said record identified in said identifying step , to obtain said network specific local address of said second node ;
formulating a reply message at said first node , said reply message comprising said network specific local address of said second node obtained in said consulting step ;
forwarding said reply message over said internet to said third node ;
and extracting at said third node said network specific local address of said second node from said reply message .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (consulting step) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5636216A
CLAIM 7
. In a data communication system comprising a plurality of interconnected networks , a method for forwarding a packet from a first node connected to an originating network to a second node connected to a destination network , said method comprising the steps of : using the second node to contact a third node , said third node being connected to said destination network ;
thereafter establishing a communication link between said second node and said third node ;
thereafter transmitting from the second node to the third node over said communication link a self-registration message comprising an IP address of said second node and a network specific local address of said second node , said network specific local address being usable to forward a packet to said second node over said destination network ;
thereafter extracting , at said third node , said IP address and said network specific local address of said second node from said self-registration message ;
storing in a memory device at said third node a record comprising said IP address of said second node and said network specific local address of said second node obtained in said extracting step ;
inserting , at said first node , said IP address of said second node in a header of said packet ;
thereafter forwarding said packet from said first node to said third node using a method specified by the Internet Protocol ;
extracting at said third node , said IP address from said packet ;
thereafter identifying said record at said third node using said IP address extracted from said packet ;
consulting said record identified in said identifying step to obtain said network specific local address of said second node ;
inserting at said third node said network specific local address of said second node obtained in said consulting step (network client) in a header of said packet ;
and thereafter forwarding said packet from said third node to said second node over said destination network .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5533108A

Filed: 1994-03-18     Issued: 1996-07-02

Method and system for routing phone calls based on voice and data transport capability

(Original Assignee) AT&T Corp     (Current Assignee) AT&T Corp

Rosemary H. Harris, Richard F. Bruno
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second database) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5533108A
CLAIM 1
. A method for routing a phone call from a caller through a public switched telephone network to a destination number selected by a network subscriber based on voice and data transport capability , wherein the phone call is one of either a voice or data call and wherein the destination number is one of a plurality of destination numbers selected by the subscriber identified by a common telephone number , comprising associating with a phone call a plurality of discriminators common to both voice and data calls and an additional data rate discriminator for a data call corresponding to the data rate used by the calling party , accessing a first database in response to receiving the common telephone number from the calling party to obtain a routing number , selecting a second database (data packet) based on the routing number , accessing the second database for obtaining a destination number selected by the subscriber for a voice call based on the common discriminators and a separate destination number selected by the subscriber for a data call , wherein the separate destination number selected by the subscriber for a data call is based on the common discriminators and the data rate used by the caller , and completing the phone call by directing the phone call to the destination number selected by the subscriber .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (second database) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5533108A
CLAIM 1
. A method for routing a phone call from a caller through a public switched telephone network to a destination number selected by a network subscriber based on voice and data transport capability , wherein the phone call is one of either a voice or data call and wherein the destination number is one of a plurality of destination numbers selected by the subscriber identified by a common telephone number , comprising associating with a phone call a plurality of discriminators common to both voice and data calls and an additional data rate discriminator for a data call corresponding to the data rate used by the calling party , accessing a first database in response to receiving the common telephone number from the calling party to obtain a routing number , selecting a second database (data packet) based on the routing number , accessing the second database for obtaining a destination number selected by the subscriber for a voice call based on the common discriminators and a separate destination number selected by the subscriber for a data call , wherein the separate destination number selected by the subscriber for a data call is based on the common discriminators and the data rate used by the caller , and completing the phone call by directing the phone call to the destination number selected by the subscriber .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second database) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (public switched telephone network) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5533108A
CLAIM 1
. A method for routing a phone call from a caller through a public switched telephone network (IP addresses) to a destination number selected by a network subscriber based on voice and data transport capability , wherein the phone call is one of either a voice or data call and wherein the destination number is one of a plurality of destination numbers selected by the subscriber identified by a common telephone number , comprising associating with a phone call a plurality of discriminators common to both voice and data calls and an additional data rate discriminator for a data call corresponding to the data rate used by the calling party , accessing a first database in response to receiving the common telephone number from the calling party to obtain a routing number , selecting a second database (data packet) based on the routing number , accessing the second database for obtaining a destination number selected by the subscriber for a voice call based on the common discriminators and a separate destination number selected by the subscriber for a data call , wherein the separate destination number selected by the subscriber for a data call is based on the common discriminators and the data rate used by the caller , and completing the phone call by directing the phone call to the destination number selected by the subscriber .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface .
US5533108A
CLAIM 1
. A method for routing a phone call from a caller through a public switched telephone network to a destination number selected by a network subscriber based on voice and data transport capability , wherein the phone call is one of either a voice or data call and wherein the destination number is one of a plurality of destination numbers selected by the subscriber identified by a common telephone number , comprising associating with a phone call a plurality of discriminators common to both voice and data calls and an additional data rate discriminator for a data call corresponding to the data rate used by the calling party , accessing a first database in response to receiving the common telephone number from the calling party to obtain a routing number , selecting a second database (data packet) based on the routing number , accessing the second database for obtaining a destination number selected by the subscriber for a voice call based on the common discriminators and a separate destination number selected by the subscriber for a data call , wherein the separate destination number selected by the subscriber for a data call is based on the common discriminators and the data rate used by the caller , and completing the phone call by directing the phone call to the destination number selected by the subscriber .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (second data) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5533108A
CLAIM 1
. A method for routing a phone call from a caller through a public switched telephone network to a destination number selected by a network subscriber based on voice and data transport capability , wherein the phone call is one of either a voice or data call and wherein the destination number is one of a plurality of destination numbers selected by the subscriber identified by a common telephone number , comprising associating with a phone call a plurality of discriminators common to both voice and data calls and an additional data rate discriminator for a data call corresponding to the data rate used by the calling party , accessing a first database in response to receiving the common telephone number from the calling party to obtain a routing number , selecting a second database (data packet) based on the routing number , accessing the second database for obtaining a destination number selected by the subscriber for a voice call based on the common discriminators and a separate destination number selected by the subscriber for a data call , wherein the separate destination number selected by the subscriber for a data call is based on the common discriminators and the data rate used by the caller , and completing the phone call by directing the phone call to the destination number selected by the subscriber .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5533108A
CLAIM 1
. A method for routing a phone call from a caller through a public switched telephone network to a destination number selected by a network subscriber based on voice and data transport capability , wherein the phone call is one of either a voice or data call and wherein the destination number is one of a plurality of destination numbers selected by the subscriber identified by a common telephone number , comprising associating with a phone call a plurality of discriminators common to both voice and data calls and an additional data rate discriminator for a data call corresponding to the data rate used by the calling party , accessing a first database in response to receiving the common telephone number from the calling party to obtain a routing number , selecting a second database (data packet) based on the routing number , accessing the second database for obtaining a destination number selected by the subscriber for a voice call based on the common discriminators and a separate destination number selected by the subscriber for a data call , wherein the separate destination number selected by the subscriber for a data call is based on the common discriminators and the data rate used by the caller , and completing the phone call by directing the phone call to the destination number selected by the subscriber .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (requested data) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5533108A
CLAIM 1
. A method for routing a phone call from a caller through a public switched telephone network to a destination number selected by a network subscriber based on voice and data transport capability , wherein the phone call is one of either a voice or data call and wherein the destination number is one of a plurality of destination numbers selected by the subscriber identified by a common telephone number , comprising associating with a phone call a plurality of discriminators common to both voice and data calls and an additional data rate discriminator for a data call corresponding to the data rate used by the calling party , accessing a first database in response to receiving the common telephone number from the calling party to obtain a routing number , selecting a second database (data packet) based on the routing number , accessing the second database for obtaining a destination number selected by the subscriber for a voice call based on the common discriminators and a separate destination number selected by the subscriber for a data call , wherein the separate destination number selected by the subscriber for a data call is based on the common discriminators and the data rate used by the caller , and completing the phone call by directing the phone call to the destination number selected by the subscriber .

US5533108A
CLAIM 4
. The method according to claim 1 including the step of querying the accessed second database to determine if the common telephone number is provisioned for the requested data rate (storing instructions) capability and terminating the call if the number has no such data rate provision .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (TS data) .
US5533108A
CLAIM 2
. The method according to claim 1 wherein said common telephone number is an INWATS telephone number and said first database is an INWATS database (SCSI interface, managing means) .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5533108A
CLAIM 1
. A method for routing a phone call from a caller through a public switched telephone network to a destination number selected by a network subscriber based on voice and data transport capability , wherein the phone call is one of either a voice or data call and wherein the destination number is one of a plurality of destination numbers selected by the subscriber identified by a common telephone number , comprising associating with a phone call a plurality of discriminators common to both voice and data calls and an additional data rate discriminator for a data call corresponding to the data rate used by the calling party , accessing a first database in response to receiving the common telephone number from the calling party to obtain a routing number , selecting a second database (data packet) based on the routing number , accessing the second database for obtaining a destination number selected by the subscriber for a voice call based on the common discriminators and a separate destination number selected by the subscriber for a data call , wherein the separate destination number selected by the subscriber for a data call is based on the common discriminators and the data rate used by the caller , and completing the phone call by directing the phone call to the destination number selected by the subscriber .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (TS data) is further configured to manage access over a SCSI interface (TS data) .
US5533108A
CLAIM 2
. The method according to claim 1 wherein said common telephone number is an INWATS telephone number and said first database is an INWATS database (SCSI interface, managing means) .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5517622A

Filed: 1994-03-09     Issued: 1996-05-14

Method and apparatus for pacing communications in a distributed heterogeneous network

(Original Assignee) Galileo International Partnership     (Current Assignee) Galileo International LLC

Mario J. Ivanoff, Mary Z. Skaates
US7739302B2
CLAIM 1
. A network arrangement (respective plurality) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5517622A
CLAIM 1
. An apparatus for pacing data communications transmitted between communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , comprising : a plurality of adjacent communications managers including an origin communications manager residing on an origin hardware platform a destination communications manager residing on a destination hardware platform and at least one intermediate communications manager residing on an intermediate hardware platform between said origin and destination communications managers , at least one of said communications managers having a hardware operating platform different from hardware operating platforms of all other communications managers ;
means , within each prior adjacent communications manager of said plurality of adjacent communications managers , for appending a pacing request to information packets being transmitted from said origin communications manager to said destination communications manager ;
a network protocol stack interface , within each prior adjacent communications manager , for configuring each of said information packets according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network (NAD server) protocol stacks between adjacent communications managers being different from one another ;
means for transmitting said information packets from said prior adjacent communications manager to said next adjacent communications manager ;
means , within said next adjacent communications manager , for assessing availability of local resources ;
means , within said next adjacent communications manager , for receiving said information packets from said prior adjacent communications manager ;
means , within said next adjacent communications manager , for assessing pacing requests in each received information packet ;
means , within said next adjacent communications manager and responsive to said pacing requests , for formulating pacing responses indicative of a desired increase or decrease of transmission of information packets from said prior adjacent communications manager to said next adjacent communications manager in accordance with said assessment of local resources within said next adjacent communications manager ;
a network protocol stack interface , within each next adjacent communications manager , for configuring said pacing response in accordance with said convention of said network protocol stack between said prior adjacent communications manager and said next adjacent communications manager ;
and means for transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 2
. The network arrangement (respective plurality) of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5517622A
CLAIM 1
. An apparatus for pacing data communications transmitted between communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , comprising : a plurality of adjacent communications managers including an origin communications manager residing on an origin hardware platform a destination communications manager residing on a destination hardware platform and at least one intermediate communications manager residing on an intermediate hardware platform between said origin and destination communications managers , at least one of said communications managers having a hardware operating platform different from hardware operating platforms of all other communications managers ;
means , within each prior adjacent communications manager of said plurality of adjacent communications managers , for appending a pacing request to information packets being transmitted from said origin communications manager to said destination communications manager ;
a network protocol stack interface , within each prior adjacent communications manager , for configuring each of said information packets according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network (NAD server) protocol stacks between adjacent communications managers being different from one another ;
means for transmitting said information packets from said prior adjacent communications manager to said next adjacent communications manager ;
means , within said next adjacent communications manager , for assessing availability of local resources ;
means , within said next adjacent communications manager , for receiving said information packets from said prior adjacent communications manager ;
means , within said next adjacent communications manager , for assessing pacing requests in each received information packet ;
means , within said next adjacent communications manager and responsive to said pacing requests , for formulating pacing responses indicative of a desired increase or decrease of transmission of information packets from said prior adjacent communications manager to said next adjacent communications manager in accordance with said assessment of local resources within said next adjacent communications manager ;
a network protocol stack interface , within each next adjacent communications manager , for configuring said pacing response in accordance with said convention of said network protocol stack between said prior adjacent communications manager and said next adjacent communications manager ;
and means for transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 3
. The network arrangement (respective plurality) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 4
. The network arrangement (respective plurality) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 5
. A local area network arrangement (respective plurality) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 6
. The network arrangement (respective plurality) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (network protocol stack) .
US5517622A
CLAIM 1
. An apparatus for pacing data communications transmitted between communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , comprising : a plurality of adjacent communications managers including an origin communications manager residing on an origin hardware platform a destination communications manager residing on a destination hardware platform and at least one intermediate communications manager residing on an intermediate hardware platform between said origin and destination communications managers , at least one of said communications managers having a hardware operating platform different from hardware operating platforms of all other communications managers ;
means , within each prior adjacent communications manager of said plurality of adjacent communications managers , for appending a pacing request to information packets being transmitted from said origin communications manager to said destination communications manager ;
a network protocol stack (network interface) interface , within each prior adjacent communications manager , for configuring each of said information packets according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
means for transmitting said information packets from said prior adjacent communications manager to said next adjacent communications manager ;
means , within said next adjacent communications manager , for assessing availability of local resources ;
means , within said next adjacent communications manager , for receiving said information packets from said prior adjacent communications manager ;
means , within said next adjacent communications manager , for assessing pacing requests in each received information packet ;
means , within said next adjacent communications manager and responsive to said pacing requests , for formulating pacing responses indicative of a desired increase or decrease of transmission of information packets from said prior adjacent communications manager to said next adjacent communications manager in accordance with said assessment of local resources within said next adjacent communications manager ;
a network protocol stack interface , within each next adjacent communications manager , for configuring said pacing response in accordance with said convention of said network protocol stack between said prior adjacent communications manager and said next adjacent communications manager ;
and means for transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 7
. The network arrangement (respective plurality) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 8
. The network arrangement (respective plurality) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 9
. The network arrangement (respective plurality) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality (network arrangement) of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface (network protocol stack) coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5517622A
CLAIM 4
. A method of pacing data communications transmitted between adjacent communications managers residing on a plurality of hardware platforms of a distributed heterogeneous communications network , each communications manager being connected to a respective plurality of end users , comprising : creating information units within an origin communications manager residing on an origin hardware platform , each information unit including indicia of a destination communications manager residing on a destination hardware platform , said origin communications manager , said destination communications manager and at least one intermediate communications manager residing on an intermediate hardware platform constituting a chain of adjacent communications managers ;
within each prior adjacent communications manager of said chain of adjacent communications managers , appending a pacing request to each information unit indicative of an amount of information to be transmitted to a next adjacent communications manager of said chain of adjacent communications managers ;
within each prior adjacent communications manager , configuring each of said information units according to a convention of a network protocol stack (network interface) between said prior adjacent communications manager and said next adjacent communications manager , at least two of said network protocol stacks between adjacent communications managers being different from one another ;
transmitting said information units from said prior adjacent communications manager to said next adjacent communications manager in accordance with said convention of said network protocol stack ;
assessing availability of local resources within each said next adjacent communications manager ;
receiving said information units from said prior adjacent communications manager in said next adjacent communications manager ;
assessing , within said next adjacent communications manager , pacing requests appended to each received information unit ;
within said next adjacent communications manager , forming pacing responses in accordance with said pacing requests , each pacing response being indicative of a required increase or decrease of transmission of information units from said prior adjacent communications manager to said adjacent communications manager , in accordance with said assessment of local resources within said next adjacent communications manager ;
within said next adjacent communications manager , configuring said pacing responses according to said convention of said network protocol stack ;
and transmitting said pacing responses from said next adjacent communications manager to said prior adjacent communications manager .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
GB2287619A

Filed: 1994-03-03     Issued: 1995-09-20

Security device for data communications networks

(Original Assignee) International Business Machines Corp     (Current Assignee) International Business Machines Corp

Paul Gover, Mary Visser
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (security data) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
GB2287619A
CLAIM 5
. A security device as claimed in claims 3 and 4 wherein the programmable means include a control file , wherein security data (executable instructions, computer executable instructions) are stored , to implement the security functions according to the security policy .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (different security) of a plurality of protocols .
GB2287619A
CLAIM 6
. A security device as claimed in claim 5 comprising means enabling an user to edit the control file to modify the security data , to implement the security functions according to a different security (requests comprise one) policy .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5483596A

Filed: 1994-01-24     Issued: 1996-01-09

Apparatus and method for controlling access to and interconnection of computer system resources

(Original Assignee) Paralon Tech Inc     (Current Assignee) PARALON TECHNOLOGIES Inc ; Paralon Tech Inc

Peter D. Rosenow, Roger M. Trafton
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second data) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5483596A
CLAIM 27
. A method for authorizing access to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data (data packet) communication medium ;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (communication media) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (authorizing access) .
US5483596A
CLAIM 27
. A method for authorizing access (network clients having different operating systems) to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data communication medium ;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .

US5483596A
CLAIM 33
. The method of claim 32 in which the first , second , and third data communication media (network protocol programs) are selected from a group consisting of : a modem , a network , a radio frequency , transmission , a SCSI bus , an IEEE-488 bus , a computer bus , an RS-232 interconnection , a cellular radio , a CATV cable , an optical fiber , a switched network , and electrical wiring .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (second data) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5483596A
CLAIM 27
. A method for authorizing access to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data (data packet) communication medium ;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (exchanging data) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5483596A
CLAIM 27
. A method for authorizing access to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data (data packet) communication medium ;
exchanging data (electronic communication) between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface .
US5483596A
CLAIM 27
. A method for authorizing access to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data (data packet) communication medium ;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (second data) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5483596A
CLAIM 27
. A method for authorizing access to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data (data packet) communication medium ;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5483596A
CLAIM 27
. A method for authorizing access to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data (data packet) communication medium ;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path (communication path) to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5483596A
CLAIM 6
. The system of claim 1 further including a communication pathway (communication path) that interconnects at least one of the access controllers to a central access control system that communicates access control code information to the access controllers through the communication pathway .

US5483596A
CLAIM 27
. A method for authorizing access to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data (data packet) communication medium ;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5483596A
CLAIM 27
. A method for authorizing access to and encrypting data transferred between first and second computer system resources , comprising : connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources ;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers ;
detaching the first and second access controllers ;
attaching the first and second access controllers to respective ones of the first and second computer system resources ;
connecting the first and second access controllers through a second data (data packet) communication medium ;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources ;
establishing a session encryption key ;
and encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5412654A

Filed: 1994-01-10     Issued: 1995-05-02

Highly dynamic destination-sequenced destination vector routing for mobile computers

(Original Assignee) International Business Machines Corp     (Current Assignee) International Business Machines Corp

Charles E. Perkins
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (work layer) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (work layer) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5412654A
CLAIM 7
. The method of routing recited in claim 1 further comprising the step of tracking network layer (network client, network access, providing network access) protocol availability data on a per destination basis .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (work layer) to the NAD from a plurality of network clients having different operating systems .
US5412654A
CLAIM 7
. The method of routing recited in claim 1 further comprising the step of tracking network layer (network client, network access, providing network access) protocol availability data on a per destination basis .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (work layer) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5412654A
CLAIM 7
. The method of routing recited in claim 1 further comprising the step of tracking network layer (network client, network access, providing network access) protocol availability data on a per destination basis .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (work layer) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (work layer) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (network address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5412654A
CLAIM 1
. A method for routing a packet of information between two mobile hosts that are coupled to an ad-hoc network comprised of a plurality of mobile hosts , each of the mobile hosts having a unique network address (IP addresses) but not having a fixed location , said ad-hoc network conforming to a network standard including a network-layer and a link-layer , said method comprising the steps of : storing routing tables at each mobile host , said routing tables including a "metric" defined as a number of hops from a source mobile host to a destination mobile host ;
advertising routes by periodically broadcasting by each mobile host the routing table stored by the mobile host ;
originating a time stamp by a destination mobile host ;
tagging each route table entry with a time stamp originated by the destination mobile host ;
updating , for each destination mobile host , mobile host stored routing tables based on received broadcasts from other mobile hosts ;
retransmitting by each mobile host new routing information received from a neighboring mobile host ;
and routing a packet of information by choosing a route from updated routing tables for transmitting a packet of information from a source mobile host as a route having a best "metric" for a desired destination mobile host , said best "metric" being a minimum number of hops that a packet must jump before reaching its destination , the routing being performed at the link-layer of the ad-hoc network .

US5412654A
CLAIM 7
. The method of routing recited in claim 1 further comprising the step of tracking network layer (network client, network access, providing network access) protocol availability data on a per destination basis .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access (work layer) to the NAD .
US5412654A
CLAIM 7
. The method of routing recited in claim 1 further comprising the step of tracking network layer (network client, network access, providing network access) protocol availability data on a per destination basis .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (work layer) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5412654A
CLAIM 7
. The method of routing recited in claim 1 further comprising the step of tracking network layer (network client, network access, providing network access) protocol availability data on a per destination basis .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (work layer) to the NAD is only available through the server .
US5412654A
CLAIM 7
. The method of routing recited in claim 1 further comprising the step of tracking network layer (network client, network access, providing network access) protocol availability data on a per destination basis .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (work layer) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5412654A
CLAIM 7
. The method of routing recited in claim 1 further comprising the step of tracking network layer (network client, network access, providing network access) protocol availability data on a per destination basis .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5473687A

Filed: 1993-12-29     Issued: 1995-12-05

Method for retrieving secure information from a database

(Original Assignee) Infosafe Systems Inc     (Current Assignee) HARMONY LOGIC SYSTEMS LLC

Thomas H. Lipscomb, Robert H. Nagel
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (data packet) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5473687A
CLAIM 1
. A method of retrieving a packet of informational digital data which is stored in encrypted form , said method comprising the steps of : (a) retrieving the stored informational data packet (data packet) (IDP) ;
(b) decrypting the IDP into a first sequence of digital data ;
(c) expanding the first sequence of digital data into a second sequence of digital data which is so large as to be inconvenient for permanent storage , said expanding step including the step of embedding said first sequence of digital data in a series of pseudorandom digital data which is substantially equal to 1-5 megabytes or more in length , such that said second sequence is substantially equal to 1.5 megabytes or more in length and is not compressible ;
(d) storing said second sequence of digital data ;
(e) retrieving the stored second sequence of digital data ;
and (f) extracting the IDP from said second sequence .

US5473687A
CLAIM 4
. The method defined in claim 3 , wherein said key is obtained from an external source (network destination) .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (data packet) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5473687A
CLAIM 1
. A method of retrieving a packet of informational digital data which is stored in encrypted form , said method comprising the steps of : (a) retrieving the stored informational data packet (data packet) (IDP) ;
(b) decrypting the IDP into a first sequence of digital data ;
(c) expanding the first sequence of digital data into a second sequence of digital data which is so large as to be inconvenient for permanent storage , said expanding step including the step of embedding said first sequence of digital data in a series of pseudorandom digital data which is substantially equal to 1-5 megabytes or more in length , such that said second sequence is substantially equal to 1.5 megabytes or more in length and is not compressible ;
(d) storing said second sequence of digital data ;
(e) retrieving the stored second sequence of digital data ;
and (f) extracting the IDP from said second sequence .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (data packet) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5473687A
CLAIM 1
. A method of retrieving a packet of informational digital data which is stored in encrypted form , said method comprising the steps of : (a) retrieving the stored informational data packet (data packet) (IDP) ;
(b) decrypting the IDP into a first sequence of digital data ;
(c) expanding the first sequence of digital data into a second sequence of digital data which is so large as to be inconvenient for permanent storage , said expanding step including the step of embedding said first sequence of digital data in a series of pseudorandom digital data which is substantially equal to 1-5 megabytes or more in length , such that said second sequence is substantially equal to 1.5 megabytes or more in length and is not compressible ;
(d) storing said second sequence of digital data ;
(e) retrieving the stored second sequence of digital data ;
and (f) extracting the IDP from said second sequence .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (data packet) arrived via an authorized network interface .
US5473687A
CLAIM 1
. A method of retrieving a packet of informational digital data which is stored in encrypted form , said method comprising the steps of : (a) retrieving the stored informational data packet (data packet) (IDP) ;
(b) decrypting the IDP into a first sequence of digital data ;
(c) expanding the first sequence of digital data into a second sequence of digital data which is so large as to be inconvenient for permanent storage , said expanding step including the step of embedding said first sequence of digital data in a series of pseudorandom digital data which is substantially equal to 1-5 megabytes or more in length , such that said second sequence is substantially equal to 1.5 megabytes or more in length and is not compressible ;
(d) storing said second sequence of digital data ;
(e) retrieving the stored second sequence of digital data ;
and (f) extracting the IDP from said second sequence .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (data packet) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5473687A
CLAIM 1
. A method of retrieving a packet of informational digital data which is stored in encrypted form , said method comprising the steps of : (a) retrieving the stored informational data packet (data packet) (IDP) ;
(b) decrypting the IDP into a first sequence of digital data ;
(c) expanding the first sequence of digital data into a second sequence of digital data which is so large as to be inconvenient for permanent storage , said expanding step including the step of embedding said first sequence of digital data in a series of pseudorandom digital data which is substantially equal to 1-5 megabytes or more in length , such that said second sequence is substantially equal to 1.5 megabytes or more in length and is not compressible ;
(d) storing said second sequence of digital data ;
(e) retrieving the stored second sequence of digital data ;
and (f) extracting the IDP from said second sequence .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5473687A
CLAIM 1
. A method of retrieving a packet of informational digital data which is stored in encrypted form , said method comprising the steps of : (a) retrieving the stored informational data packet (data packet) (IDP) ;
(b) decrypting the IDP into a first sequence of digital data ;
(c) expanding the first sequence of digital data into a second sequence of digital data which is so large as to be inconvenient for permanent storage , said expanding step including the step of embedding said first sequence of digital data in a series of pseudorandom digital data which is substantially equal to 1.5 megabytes or more in length , such that said second sequence is substantially equal to 1.5 megabytes or more in length and is not compressible ;
(d) storing said second sequence of digital data ;
(e) retrieving the stored second sequence of digital data ;
and (f) extracting the IDP from said second sequence .

US5473687A
CLAIM 4
. The method defined in claim 3 , wherein said key is obtained from an external source (network destination) .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5473687A
CLAIM 1
. A method of retrieving a packet of informational digital data which is stored in encrypted form , said method comprising the steps of : (a) retrieving the stored informational data packet (data packet) (IDP) ;
(b) decrypting the IDP into a first sequence of digital data ;
(c) expanding the first sequence of digital data into a second sequence of digital data which is so large as to be inconvenient for permanent storage , said expanding step including the step of embedding said first sequence of digital data in a series of pseudorandom digital data which is substantially equal to 1.5 megabytes or more in length , such that said second sequence is substantially equal to 1.5 megabytes or more in length and is not compressible ;
(d) storing said second sequence of digital data ;
(e) retrieving the stored second sequence of digital data ;
and (f) extracting the IDP from said second sequence .

US5473687A
CLAIM 4
. The method defined in claim 3 , wherein said key is obtained from an external source (network destination) .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access (different way) to a proper port over the directly attached device interface .
US5473687A
CLAIM 2
. The method defined in claim 1 , wherein said first sequence of digital data is embedded in a different way (requests contain information to gain access) during each successive execution of said expanding step .

US7739302B2
CLAIM 17
. The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (binary digit) .
US5473687A
CLAIM 16
. The method defined in claim 14 , wherein the bit length of said second sequence is equal to at least twice the bit length of said first sequence plus two binary digits (application layer) .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one (linear feedback shift register) of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (external source) , and a route of the data packet (data packet) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said key) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5473687A
CLAIM 1
. A method of retrieving a packet of informational digital data which is stored in encrypted form , said method comprising the steps of : (a) retrieving the stored informational data packet (data packet) (IDP) ;
(b) decrypting the IDP into a first sequence of digital data ;
(c) expanding the first sequence of digital data into a second sequence of digital data which is so large as to be inconvenient for permanent storage , said expanding step including the step of embedding said first sequence of digital data in a series of pseudorandom digital data which is substantially equal to 1.5 megabytes or more in length , such that said second sequence is substantially equal to 1.5 megabytes or more in length and is not compressible ;
(d) storing said second sequence of digital data ;
(e) retrieving the stored second sequence of digital data ;
and (f) extracting the IDP from said second sequence .

US5473687A
CLAIM 3
. The method defined in claim 1 , wherein said embedding step includes the steps of obtaining a key and a random number generating algorithm which requires a key , and thereafter executing said random number generating algorithm with said key (filtering means) to produce said pseudorandom digital data .

US5473687A
CLAIM 4
. The method defined in claim 3 , wherein said key is obtained from an external source (network destination) .

US5473687A
CLAIM 10
. The method defined in claim 3 , wherein said random number generating algorithm is formed by a linear feedback shift register (requests originating one) .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said key) is further configured to carry out the filtering at an application layer (binary digit) of a network stack .
US5473687A
CLAIM 3
. The method defined in claim 1 , wherein said embedding step includes the steps of obtaining a key and a random number generating algorithm which requires a key , and thereafter executing said random number generating algorithm with said key (filtering means) to produce said pseudorandom digital data .

US5473687A
CLAIM 16
. The method defined in claim 14 , wherein the bit length of said second sequence is equal to at least twice the bit length of said first sequence plus two binary digits (application layer) .
US5548726A

Filed: 1993-12-17     Issued: 1996-08-20

System for activating new service in client server network by reconfiguring the multilayer network protocol stack dynamically within the server node

(Original Assignee) Taligent Inc     (Current Assignee) Apple Inc

Christopher E. Pettus
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (computer program) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5548726A
CLAIM 17
. A computer program (network protocol programs) product for activating a new service in a client-server network system having a plurality of communications links , a server node with a memory therein connectable to each of the plurality of communications links by a multilayer dynamically reconfigurable network protocol stack , a service program in the server node memory , a communications directory service program in the server node memory and a networking service program in the server node memory , the computer program product comprising a computer usable medium having computer readable program code including : (a) means for storing a plurality of stack definitions in the server node memory wherein each of the plurality of stack definitions corresponds to one of the plurality of communication links and the each stack definition includes a set of layer definitions for controlling the processing of data in each layer of the multilayer network protocol stack from a transport layer through a physical layer and the interactions between layers ;
(b) means for storing in the server node memory service object class information including information for defining a data structure for holding a reference to one of the plurality of stack definitions and logic which is responsive to type and quality of service information for inserting a reference to at least one of the plurality of stack definitions into the data structure and for constructing a session layer of the multilayer network protocol stack ;
(c) means controlled by the service program for creating a service object in the server node memory from the service object class information by passing in a type of service to the communications directory service and executing the logic to insert a reference to a stack definition and construct a session layer ;
(d) means responsive to an activation request from the service program for sending the service object to the networking service program ;
and (e) means in the networking service program and responsive to the service object for reconfiguring the multilayer network protocol stack using the reference to the stack definition and the session layer in the service object .

US7739302B2
CLAIM 3
. The network arrangement of claim 1 , wherein the computer-executable instructions comprise distributed program modules (sending means) .
US5548726A
CLAIM 13
. The apparatus of claim 9 wherein the sending means (program modules) comprises first means for sending the service object to the networking service program via the service program .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (readable program) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5548726A
CLAIM 17
. A computer program product for activating a new service in a client-server network system having a plurality of communications links , a server node with a memory therein connectable to each of the plurality of communications links by a multilayer dynamically reconfigurable network protocol stack , a service program in the server node memory , a communications directory service program in the server node memory and a networking service program in the server node memory , the computer program product comprising a computer usable medium having computer readable program (storing instructions) code including : (a) means for storing a plurality of stack definitions in the server node memory wherein each of the plurality of stack definitions corresponds to one of the plurality of communication links and the each stack definition includes a set of layer definitions for controlling the processing of data in each layer of the multilayer network protocol stack from a transport layer through a physical layer and the interactions between layers ;
(b) means for storing in the server node memory service object class information including information for defining a data structure for holding a reference to one of the plurality of stack definitions and logic which is responsive to type and quality of service information for inserting a reference to at least one of the plurality of stack definitions into the data structure and for constructing a session layer of the multilayer network protocol stack ;
(c) means controlled by the service program for creating a service object in the server node memory from the service object class information by passing in a type of service to the communications directory service and executing the logic to insert a reference to a stack definition and construct a session layer ;
(d) means responsive to an activation request from the service program for sending the service object to the networking service program ;
and (e) means in the networking service program and responsive to the service object for reconfiguring the multilayer network protocol stack using the reference to the stack definition and the session layer in the service object .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (other node) device , the selectively generated packet containing the request for access to the directly attached device .
US5548726A
CLAIM 8
. The method of claim 1 further comprising the step of : (g) sending the service object to communications directory programs in other nodes (intermediary computing, intermediary computing device) on the client-server network system .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (first sending) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5548726A
CLAIM 14
. The apparatus of claim 13 wherein the first sending (receiving requests) means comprises : means for creating a service program interface in the server node memory ;
means for creating a configuration data stream from the service program interface to the networking service program ;
and means for streaming the service object from the communication directory service program via the service program interface and the configuration data stream to the networking service program to configure the multilayer network protocol stack .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (d log) of a plurality of protocols .
US5548726A
CLAIM 1
. A method for activating a new service in a client-server network system having a plurality of communications links , a server node with a memory therein connectable to each of the plurality of communications links by a multilayer dynamically reconfigurable network protocol stack , a service program in the server node memory , a communications directory service program in the server node memory and a networking service program in the server node memory , the method comprising the steps of : (a) storing a plurality of stack definitions in the server node memory wherein each of the plurality of stack definitions corresponds to one of the plurality of communication links and the each stack definition includes a set of layer definitions for controlling the processing of data in each layer of the multilayer network protocol stack from a transport layer through a physical layer and the interactions between layers ;
(b) storing in the server node memory service object class information including information for defining a data structure for holding a reference to one of the plurality of stack definitions and logic (requests comprise one) which is responsive to type and quality of service information for inserting a reference to at least one of the plurality of stack definitions into the data structure and for constructing a session layer of the multilayer network protocol stack ;
(c) creating a service object from the service object class information by passing in a type of service to the communications directory service and executing the logic to insert a reference to a stack definition and construct a session layer ;
(d) sending the service object to the networking service program ;
and (e) using the reference to the stack definition and the session layer in the service object to reconfigure the multilayer network protocol stack .
US5606668A

Filed: 1993-12-15     Issued: 1997-02-25

System for securing inbound and outbound data packet flow in a computer network

(Original Assignee) Checkpoint Software Technologies Ltd     (Current Assignee) Checkpoint Software Technologies Ltd

Gil Shwed
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (data packet) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5606668A
CLAIM 1
. A method of inspecting inbound and outbound data packets (data packet) in a computer network , the inspection of said data packets occurring according to a security rule , the method comprising the steps of : a) generating a definition of each aspect of the computer network inspected by said security rule ;
b) generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets ;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (data packet) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5606668A
CLAIM 1
. A method of inspecting inbound and outbound data packets (data packet) in a computer network , the inspection of said data packets occurring according to a security rule , the method comprising the steps of : a) generating a definition of each aspect of the computer network inspected by said security rule ;
b) generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets ;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (data packet) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5606668A
CLAIM 1
. A method of inspecting inbound and outbound data packets (data packet) in a computer network , the inspection of said data packets occurring according to a security rule , the method comprising the steps of : a) generating a definition of each aspect of the computer network inspected by said security rule ;
b) generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets ;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (data packet) arrived via an authorized network interface .
US5606668A
CLAIM 1
. A method of inspecting inbound and outbound data packets (data packet) in a computer network , the inspection of said data packets occurring according to a security rule , the method comprising the steps of : a) generating a definition of each aspect of the computer network inspected by said security rule ;
b) generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets ;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (data packet) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5606668A
CLAIM 1
. A method of inspecting inbound and outbound data packets (data packet) in a computer network , the inspection of said data packets occurring according to a security rule , the method comprising the steps of : a) generating a definition of each aspect of the computer network inspected by said security rule ;
b) generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets ;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5606668A
CLAIM 1
. A method of inspecting inbound and outbound data packets (data packet) in a computer network , the inspection of said data packets occurring according to a security rule , the method comprising the steps of : a) generating a definition of each aspect of the computer network inspected by said security rule ;
b) generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets ;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5606668A
CLAIM 1
. A method of inspecting inbound and outbound data packets (data packet) in a computer network , the inspection of said data packets occurring according to a security rule , the method comprising the steps of : a) generating a definition of each aspect of the computer network inspected by said security rule ;
b) generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets ;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (storage device) , and a video codec .
US5606668A
CLAIM 8
. In a security system for inspecting inbound and outbound data packets in a computer network , said security system inspecting said data packets in said computer network according to a security rule , where each aspect of said computer network inspected by said security rule has been previously defined , said security rule previously defined in terms of said aspects and converted into packet filter language instructions , a method for operating said security system comprising the steps of : a) providing a packet filter module coupled to said computer network in at least one entity of said computer network to be controlled by said security rule , said packet filter module emulating a virtual packet filtering machine inspecting said data packets passing into and out of said computer network ;
b) said packet filter module reading and executing said packet filter language instructions for performing packet filtering operations ;
c) storing the results obtained in said step of reading and executing said packet filter language instructions in a storage device (storage device) ;
and d) said packet filter module utilizing said stored results , from previous inspections , for operating said packet filter module to accept or reject the passage of said data packet into and out of said computer network .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (data packet) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5606668A
CLAIM 1
. A method of inspecting inbound and outbound data packets (data packet) in a computer network , the inspection of said data packets occurring according to a security rule , the method comprising the steps of : a) generating a definition of each aspect of the computer network inspected by said security rule ;
b) generating said security rule in terms of said aspect definitions , said security rule controlling at least one of said aspects ;
c) converting said security rule into a set of packet filter language instructions for controlling the operation of a packet filtering module which inspects said data packets ;
d) providing a packet filter module coupled to said computer network for inspecting said data packets in accordance with said security rule , said packet filter module implementing a virtual packet filtering machine ;
and e) said packet filter module executing said packet filter language instructions for operating said virtual packet filtering machine to either accept or reject the passage of said data packets into and out of said computer network .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (storage device) , and a video codec .
US5606668A
CLAIM 8
. In a security system for inspecting inbound and outbound data packets in a computer network , said security system inspecting said data packets in said computer network according to a security rule , where each aspect of said computer network inspected by said security rule has been previously defined , said security rule previously defined in terms of said aspects and converted into packet filter language instructions , a method for operating said security system comprising the steps of : a) providing a packet filter module coupled to said computer network in at least one entity of said computer network to be controlled by said security rule , said packet filter module emulating a virtual packet filtering machine inspecting said data packets passing into and out of said computer network ;
b) said packet filter module reading and executing said packet filter language instructions for performing packet filtering operations ;
c) storing the results obtained in said step of reading and executing said packet filter language instructions in a storage device (storage device) ;
and d) said packet filter module utilizing said stored results , from previous inspections , for operating said packet filter module to accept or reject the passage of said data packet into and out of said computer network .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5481542A

Filed: 1993-11-10     Issued: 1996-01-02

Interactive information services control system

(Original Assignee) Scientific Atlanta LLC     (Current Assignee) Synamedia Ltd

Gary L. Logston, Anthony J. Wasilewski, Timothy H. Addington, William E. Wall, Jr.
US7739302B2
CLAIM 1
. A network arrangement (counter value) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said format, first port, said time) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5481542A
CLAIM 1
. An interactive information services system for providing at least one of video , audio , and data programs requested by a customer from a data service provider (SP) and routing a requested program over a transmission link having a predetermined bandwidth to a set top terminal (STT) associated with an information (network destination) presentation device of said customer , and for providing said customer with real-time interactive access to said requested program during presentation of said requested program to said STT by said SP , comprising : a unidirectional communication path from said SP to a plurality of STTs including said customer's STT for providing said requested program to said customer's STT for presentation of said requested program via said customer's information presentation device , said unidirectional communication path including said transmission link ;
and a bi-directional communication path between said STT and said SP for communicating data and presentation control commands between said STT and said SP during presentation of said requested program to said customer's information presentation device , said bi-directional communication path also including said transmission link , wherein said presentation control commands initiate and control presentation of said requested program on said information presentation device in a real-time manner .

US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time slots (data packet, filtering means) which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .

US7739302B2
CLAIM 2
. The network arrangement (counter value) of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients (communication paths) having different operating systems .
US5481542A
CLAIM 9
. An interactive information services system as in claim 8 , further comprising a connection management computer in said forward and reverse communication paths (network clients, communication path) for establishing and maintaining said forward and reverse communication paths between said SP and said customer's STT during presentation of said requested program to said customer's information presentation device .

US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US7739302B2
CLAIM 3
. The network arrangement (counter value) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US7739302B2
CLAIM 4
. The network arrangement (counter value) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said format, first port, said time) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time slots (data packet, filtering means) which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .

US7739302B2
CLAIM 5
. A local area network arrangement (counter value) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said format, first port, said time) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time slots (data packet, filtering means) which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .

US7739302B2
CLAIM 6
. The network arrangement (counter value) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said format, first port, said time) arrived via an authorized network interface .
US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time slots (data packet, filtering means) which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .

US7739302B2
CLAIM 7
. The network arrangement (counter value) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US7739302B2
CLAIM 8
. The network arrangement (counter value) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US7739302B2
CLAIM 9
. The network arrangement (counter value) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said format, first port, said time) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 13
. An interactive information services system as in claim 11 , wherein each STT receives a framed bit stream from said connection management computer over said bi-directional communication path , said framed bit stream including a frame counter value (network arrangement) in each frame of said framed bit stream which is used by said STT to calculate said at least one time slot in said data stream from said STT to said SP for transmission of said presentation control commands and data to said SP during presentation of said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time slots (data packet, filtering means) which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said format, first port, said time) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5481542A
CLAIM 1
. An interactive information services system for providing at least one of video , audio , and data programs requested by a customer from a data service provider (SP) and routing a requested program over a transmission link having a predetermined bandwidth to a set top terminal (STT) associated with an information (network destination) presentation device of said customer , and for providing said customer with real-time interactive access to said requested program during presentation of said requested program to said STT by said SP , comprising : a unidirectional communication path from said SP to a plurality of STTs including said customer's STT for providing said requested program to said customer's STT for presentation of said requested program via said customer's information presentation device , said unidirectional communication path including said transmission link ;
and a bi-directional communication path between said STT and said SP for communicating data and presentation control commands between said STT and said SP during presentation of said requested program to said customer's information presentation device , said bi-directional communication path also including said transmission link , wherein said presentation control commands initiate and control presentation of said requested program on said information presentation device in a real-time manner .

US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time slots (data packet, filtering means) which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path (communication paths) to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (requested data) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said format, first port, said time) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5481542A
CLAIM 1
. An interactive information services system for providing at least one of video , audio , and data programs requested by a customer from a data service provider (SP) and routing a requested program over a transmission link having a predetermined bandwidth to a set top terminal (STT) associated with an information (network destination) presentation device of said customer , and for providing said customer with real-time interactive access to said requested program during presentation of said requested program to said STT by said SP , comprising : a unidirectional communication path from said SP to a plurality of STTs including said customer's STT for providing said requested program to said customer's STT for presentation of said requested program via said customer's information presentation device , said unidirectional communication path including said transmission link ;
and a bi-directional communication path between said STT and said SP for communicating data and presentation control commands between said STT and said SP during presentation of said requested program to said customer's information presentation device , said bi-directional communication path also including said transmission link , wherein said presentation control commands initiate and control presentation of said requested program on said information presentation device in a real-time manner .

US5481542A
CLAIM 9
. An interactive information services system as in claim 8 , further comprising a connection management computer in said forward and reverse communication paths (network clients, communication path) for establishing and maintaining said forward and reverse communication paths between said SP and said customer's STT during presentation of said requested program to said customer's information presentation device .

US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time (data packet, filtering means) slots which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .

US5481542A
CLAIM 62
. A method of initiating and controlling presentation of a data service from a data services provider (SP) which provides at least one of a video , audio , and information data service to a customer's set top terminal (STT) , comprising the steps of : said STT requesting a data service from said SP by sending a data service request command to said SP from said STT ;
said SP providing said requested data (storing instructions) service to said STT ;
said STT providing presentation control commands and data to said SP , said presentation control commands including a manipulating command for manipulating data provided by said requested data service ;
and said SP varying , on a real-time basis , its presentation of said requested data service to said STT in response to said presentation control commands received from said STT .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet (said format, first port, said time) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said format, first port, said time) determines is authorized such that the NAD is protected from unauthorized access requests from network clients (communication paths) and other devices in a manner that is in addition to any protection afforded by a firewall .
US5481542A
CLAIM 1
. An interactive information services system for providing at least one of video , audio , and data programs requested by a customer from a data service provider (SP) and routing a requested program over a transmission link having a predetermined bandwidth to a set top terminal (STT) associated with an information (network destination) presentation device of said customer , and for providing said customer with real-time interactive access to said requested program during presentation of said requested program to said STT by said SP , comprising : a unidirectional communication path from said SP to a plurality of STTs including said customer's STT for providing said requested program to said customer's STT for presentation of said requested program via said customer's information presentation device , said unidirectional communication path including said transmission link ;
and a bi-directional communication path between said STT and said SP for communicating data and presentation control commands between said STT and said SP during presentation of said requested program to said customer's information presentation device , said bi-directional communication path also including said transmission link , wherein said presentation control commands initiate and control presentation of said requested program on said information presentation device in a real-time manner .

US5481542A
CLAIM 9
. An interactive information services system as in claim 8 , further comprising a connection management computer in said forward and reverse communication paths (network clients, communication path) for establishing and maintaining said forward and reverse communication paths between said SP and said customer's STT during presentation of said requested program to said customer's information presentation device .

US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time (data packet, filtering means) slots which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said format, first port, said time) is further configured to carry out the filtering at an application layer of a network stack (correction algorithm) .
US5481542A
CLAIM 5
. An interactive information services system as in claim 4 , wherein said modulation means scrambles said data packet streams , encodes said scrambled data packet streams using an error correction algorithm (network stack) , interleaves data packets of said encoded data packet streams , and maps said interleaved data packets into a payload area of a multi-rate transport (MRT) packet on an analog video carrier .

US5481542A
CLAIM 10
. An interactive information services system as in claim 8 , wherein said transmission link has a predetermined frequency band , a first portion (data packet, filtering means) of said predetermined frequency band being allocated for providing said requested program to said customer's STT and for providing said forward communication path from said SP to said customer's STT , a second portion of said predetermined frequency band being allocated for providing said reverse communication path from said customer's STT to said SP , and a third portion of said predetermined frequency band being allocated between said first and second portions to provide a guard band therebetween to minimize cross-talk between said reverse communication path and said forward communication path and between said reverse communication path and said requested program .

US5481542A
CLAIM 33
. A method as in claim 30 , wherein said step of providing presentation control commands and data to said SP comprises the step of adding a guard band to each of said time (data packet, filtering means) slots which accounts for propagation time differences of said presentation control commands and data from said plurality of STTs along said common communications link .

US5481542A
CLAIM 51
. A method as in claim 48 , comprising the further step of compressing said digital data from said SP prior to said formatting (data packet, filtering means) step .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5455953A

Filed: 1993-11-03     Issued: 1995-10-03

Authorization system for obtaining in single step both identification and access rights of client to server directly from encrypted authorization ticket

(Original Assignee) Wang Laboratories Inc     (Current Assignee) Rakuten Inc ; BT Commercial Corp

Edward A. Russell
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating (encryption key) systems .
US5455953A
CLAIM 1
. In a data processing system including a client mechanism , a server mechanism including a server resource , and an authorization mechanism , the authorization mechanism including a directory server for storing and providing access rights of the client mechanism to the server resource and the client mechanism generating operation requests for operations to be performed by the server with respect to the server resource , wherein the client mechanism generates a request to the authorization mechanism for an authorization ticket to the server resource and the authorization mechanism responds to a request for an authorization ticket by returning an authorization ticket containing an identification of the client , the authorization ticket being encrypted with an encryption key (different operating, different operating systems) derived from the password of the server , the client mechanism providing the authorization ticket to the server mechanism is associated with an operation request , the server mechanism decrypting the authorization ticket with the server password and using the client identification to obtain the client access rights of the client mechanism to the server resource , an improved authorization mechanism , comprising : a directory server for storing access rights of the client mechanism and information regarding the client mechanism and required by the server mechanism in executing the operation request , a client mechanism for generating a request for an authorization ticket to the server mechanism , the request for an authorization ticket including an identification of the client mechanism , an authorization mechanism for generating a corresponding authorization ticket wherein the authorization ticket includes the access rights of the client mechanism and the information regarding the client mechanism and required by the server mechanism in executing the operation request and is encrypted with an encryption key derived from the password of the server , and the client mechanism being responsive to the authorization ticket for sending the authorization ticket to the server mechanism in association with the operation request , and a server mechanism for decrypting the authorization ticket with the server mechanism password and obtaining directly the access rights of the client mechanism to the server resource and the information regarding the client mechanism and required by the server mechanism in executing the operation request , wherein the client information including the client access rights are stored in the directory server in fields identified by generic field tags , the authorization ticket request generated by the client mechanism identifies the client information by tag names identifying the fields containing the required client information , the requested information is stored in the encrypted authorization ticket in fields identified by the corresponding tag names , and the server mechanism reads the client information from the decrypted authorization ticket by parsing the decrypted authorization ticket with the tag names of the fields containing the necessary client information .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (client access) .
US5455953A
CLAIM 1
. In a data processing system including a client mechanism , a server mechanism including a server resource , and an authorization mechanism , the authorization mechanism including a directory server for storing and providing access rights of the client mechanism to the server resource and the client mechanism generating operation requests for operations to be performed by the server with respect to the server resource , wherein the client mechanism generates a request to the authorization mechanism for an authorization ticket to the server resource and the authorization mechanism responds to a request for an authorization ticket by returning an authorization ticket containing an identification of the client , the authorization ticket being encrypted with an encryption key derived from the password of the server , the client mechanism providing the authorization ticket to the server mechanism is associated with an operation request , the server mechanism decrypting the authorization ticket with the server password and using the client identification to obtain the client access (SCSI interface) rights of the client mechanism to the server resource , an improved authorization mechanism , comprising : a directory server for storing access rights of the client mechanism and information regarding the client mechanism and required by the server mechanism in executing the operation request , a client mechanism for generating a request for an authorization ticket to the server mechanism , the request for an authorization ticket including an identification of the client mechanism , an authorization mechanism for generating a corresponding authorization ticket wherein the authorization ticket includes the access rights of the client mechanism and the information regarding the client mechanism and required by the server mechanism in executing the operation request and is encrypted with an encryption key derived from the password of the server , and the client mechanism being responsive to the authorization ticket for sending the authorization ticket to the server mechanism in association with the operation request , and a server mechanism for decrypting the authorization ticket with the server mechanism password and obtaining directly the access rights of the client mechanism to the server resource and the information regarding the client mechanism and required by the server mechanism in executing the operation request , wherein the client information including the client access rights are stored in the directory server in fields identified by generic field tags , the authorization ticket request generated by the client mechanism identifies the client information by tag names identifying the fields containing the required client information , the requested information is stored in the encrypted authorization ticket in fields identified by the corresponding tag names , and the server mechanism reads the client information from the decrypted authorization ticket by parsing the decrypted authorization ticket with the tag names of the fields containing the necessary client information .




US5369571A

Filed: 1993-06-21     Issued: 1994-11-29

Method and apparatus for acquiring demographic information

(Original Assignee) Metts; Rodney H.     

Rodney H. Metts
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (central location) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5369571A
CLAIM 3
. The method as recited in claim 1 , wherein said method further comprises the step of transmitting said associated demographic and identification data to a central location (network client, data management component) .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (central location) and at least one network attached device (NAD) disposed in electronic communication (pressed position) with each other over a same network , the NAD comprising ;

a data management component (central location) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5369571A
CLAIM 3
. The method as recited in claim 1 , wherein said method further comprises the step of transmitting said associated demographic and identification data to a central location (network client, data management component) .

US5369571A
CLAIM 17
. The apparatus as recited in claim 16 , wherein said selecting means further comprises a keypad carrying an array of buttons , each button of said array of buttons corresponding to one selection of a set of selections of demographic information , said each button have a depressed position (electronic communication) and a nominal position , said button producing said second output signal when in said depressed position and not producing said second output signal when in said nominal position .




US5327486A

Filed: 1993-03-22     Issued: 1994-07-05

Method and system for managing telecommunications such as telephone calls

(Original Assignee) Telcordia Technologies Inc     (Current Assignee) BRAZOS HOLDINGS LLC ; Honeywell International Inc

Richard S. Wolff, Warren S. Gifford, Michael Kramer, David S. Miller, Gerardo Ramirez, David L. Turock
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (receiving end) for network access to the NAD , the NAD server including computer executable instructions (graphic object) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5327486A
CLAIM 17
. The method as claimed in claim 1 wherein at least one of the objects is a graphic object (executable instructions, computer executable instructions) .

US5327486A
CLAIM 35
. A system for managing a telecommunications call from a caller to an end user , the method comprising : means for receiving the call from the caller , the call including caller identification information ;
means for identifying the caller from the caller identification information and means for screening the call , based on the caller identification information to obtain a first message ;
a first transceiver for transmitting to said end user a first radio signal based on the first message ;
a second transceiver at said end user for receiving the first radio signal ;
a computer with a display device connected to the second transceiver and an input device for inputting data to the computer ;
means for presenting the first message identifying the caller and for displaying functions which may be performed in response to the call ;
means for receiving end (data packet) user selection data from the input device , the end user selection data representing a selection of the functions to be performed with respect to the call , the second transceiver transmitting to the first transceiver a second radio signal representing a second message identifying the function to be performed ;
and means for processing the second message to perform the selected function identified .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (receiving end) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5327486A
CLAIM 35
. A system for managing a telecommunications call from a caller to an end user , the method comprising : means for receiving the call from the caller , the call including caller identification information ;
means for identifying the caller from the caller identification information and means for screening the call , based on the caller identification information to obtain a first message ;
a first transceiver for transmitting to said end user a first radio signal based on the first message ;
a second transceiver at said end user for receiving the first radio signal ;
a computer with a display device connected to the second transceiver and an input device for inputting data to the computer ;
means for presenting the first message identifying the caller and for displaying functions which may be performed in response to the call ;
means for receiving end (data packet) user selection data from the input device , the end user selection data representing a selection of the functions to be performed with respect to the call , the second transceiver transmitting to the first transceiver a second radio signal representing a second message identifying the function to be performed ;
and means for processing the second message to perform the selected function identified .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (receiving end) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5327486A
CLAIM 35
. A system for managing a telecommunications call from a caller to an end user , the method comprising : means for receiving the call from the caller , the call including caller identification information ;
means for identifying the caller from the caller identification information and means for screening the call , based on the caller identification information to obtain a first message ;
a first transceiver for transmitting to said end user a first radio signal based on the first message ;
a second transceiver at said end user for receiving the first radio signal ;
a computer with a display device connected to the second transceiver and an input device for inputting data to the computer ;
means for presenting the first message identifying the caller and for displaying functions which may be performed in response to the call ;
means for receiving end (data packet) user selection data from the input device , the end user selection data representing a selection of the functions to be performed with respect to the call , the second transceiver transmitting to the first transceiver a second radio signal representing a second message identifying the function to be performed ;
and means for processing the second message to perform the selected function identified .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (receiving end) arrived via an authorized network interface .
US5327486A
CLAIM 35
. A system for managing a telecommunications call from a caller to an end user , the method comprising : means for receiving the call from the caller , the call including caller identification information ;
means for identifying the caller from the caller identification information and means for screening the call , based on the caller identification information to obtain a first message ;
a first transceiver for transmitting to said end user a first radio signal based on the first message ;
a second transceiver at said end user for receiving the first radio signal ;
a computer with a display device connected to the second transceiver and an input device for inputting data to the computer ;
means for presenting the first message identifying the caller and for displaying functions which may be performed in response to the call ;
means for receiving end (data packet) user selection data from the input device , the end user selection data representing a selection of the functions to be performed with respect to the call , the second transceiver transmitting to the first transceiver a second radio signal representing a second message identifying the function to be performed ;
and means for processing the second message to perform the selected function identified .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (receiving end) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5327486A
CLAIM 35
. A system for managing a telecommunications call from a caller to an end user , the method comprising : means for receiving the call from the caller , the call including caller identification information ;
means for identifying the caller from the caller identification information and means for screening the call , based on the caller identification information to obtain a first message ;
a first transceiver for transmitting to said end user a first radio signal based on the first message ;
a second transceiver at said end user for receiving the first radio signal ;
a computer with a display device connected to the second transceiver and an input device for inputting data to the computer ;
means for presenting the first message identifying the caller and for displaying functions which may be performed in response to the call ;
means for receiving end (data packet) user selection data from the input device , the end user selection data representing a selection of the functions to be performed with respect to the call , the second transceiver transmitting to the first transceiver a second radio signal representing a second message identifying the function to be performed ;
and means for processing the second message to perform the selected function identified .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (receiving end) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5327486A
CLAIM 35
. A system for managing a telecommunications call from a caller to an end user , the method comprising : means for receiving the call from the caller , the call including caller identification information ;
means for identifying the caller from the caller identification information and means for screening the call , based on the caller identification information to obtain a first message ;
a first transceiver for transmitting to said end user a first radio signal based on the first message ;
a second transceiver at said end user for receiving the first radio signal ;
a computer with a display device connected to the second transceiver and an input device for inputting data to the computer ;
means for presenting the first message identifying the caller and for displaying functions which may be performed in response to the call ;
means for receiving end (data packet) user selection data from the input device , the end user selection data representing a selection of the functions to be performed with respect to the call , the second transceiver transmitting to the first transceiver a second radio signal representing a second message identifying the function to be performed ;
and means for processing the second message to perform the selected function identified .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (receiving end) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5327486A
CLAIM 35
. A system for managing a telecommunications call from a caller to an end user , the method comprising : means for receiving the call from the caller , the call including caller identification information ;
means for identifying the caller from the caller identification information and means for screening the call , based on the caller identification information to obtain a first message ;
a first transceiver for transmitting to said end user a first radio signal based on the first message ;
a second transceiver at said end user for receiving the first radio signal ;
a computer with a display device connected to the second transceiver and an input device for inputting data to the computer ;
means for presenting the first message identifying the caller and for displaying functions which may be performed in response to the call ;
means for receiving end (data packet) user selection data from the input device , the end user selection data representing a selection of the functions to be performed with respect to the call , the second transceiver transmitting to the first transceiver a second radio signal representing a second message identifying the function to be performed ;
and means for processing the second message to perform the selected function identified .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one (second messages) of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (receiving end) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5327486A
CLAIM 7
. The method as claimed in claim 1 wherein at least one of the first and second messages (requests originating one) is a text message .

US5327486A
CLAIM 35
. A system for managing a telecommunications call from a caller to an end user , the method comprising : means for receiving the call from the caller , the call including caller identification information ;
means for identifying the caller from the caller identification information and means for screening the call , based on the caller identification information to obtain a first message ;
a first transceiver for transmitting to said end user a first radio signal based on the first message ;
a second transceiver at said end user for receiving the first radio signal ;
a computer with a display device connected to the second transceiver and an input device for inputting data to the computer ;
means for presenting the first message identifying the caller and for displaying functions which may be performed in response to the call ;
means for receiving end (data packet) user selection data from the input device , the end user selection data representing a selection of the functions to be performed with respect to the call , the second transceiver transmitting to the first transceiver a second radio signal representing a second message identifying the function to be performed ;
and means for processing the second message to perform the selected function identified .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5361259A

Filed: 1993-02-19     Issued: 1994-11-01

Wide area network (WAN)-arrangement

(Original Assignee) American Telephone and Telegraph Co Inc     (Current Assignee) IPR 3 Pty Ltd

Steven D. Hunt, Edward W. Landis
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5361259A
CLAIM 3
. The communication system of claim 2 , wherein said network (NAD server) interface means comprises map means for associating said address with a plurality of phone numbers .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5361259A
CLAIM 3
. The communication system of claim 2 , wherein said network (NAD server) interface means comprises map means for associating said address with a plurality of phone numbers .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (telephone network) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5361259A
CLAIM 9
. The communication system of claim 1 , wherein said communication network is a telephone network (IP addresses) .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path (communication path) to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5361259A
CLAIM 1
. A communication system between LANs comprising : LAN interface means for providing a plurality of data packets containing information from a source LAN , each of said data packets having an address field with an address ;
a communication network that provides a communication path (communication path) to a destination LAN ;
and network interface means for communicating each of said data packets to one of a plurality of variable bandwidth channels between said LAN interface means and said communication network , based on said address obtained from each of said packets received from said LAN interface means .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (said communication network) is further configured to manage access over a SCSI interface .
US5361259A
CLAIM 1
. A communication system between LANs comprising : LAN interface means for providing a plurality of data packets containing information from a source LAN , each of said data packets having an address field with an address ;
a communication network that provides a communication path to a destination LAN ;
and network interface means for communicating each of said data packets to one of a plurality of variable bandwidth channels between said LAN interface means and said communication network (managing means) , based on said address obtained from each of said packets received from said LAN interface means .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5586260A

Filed: 1993-02-12     Issued: 1996-12-17

Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms

(Original Assignee) Digital Equipment Corp     (Current Assignee) Hewlett Packard Development Co LP

Wei-Ming Hu
US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (following steps) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5586260A
CLAIM 2
. For use in a distributed computer environment having multiple computer systems , some of which function from time to time as systems known as clients , which utilize the services of others of the systems , known as servers , a method for authenticating a client to a server when the client and server support different security mechanisms , the method comprising the following steps (device interface, storage device) performed by an authentication gateway system : receiving a call from a client system to log in to a server ;
acquiring security credentials that will permit client access to the server ;
saving the security credentials for later use ;
receiving a subsequent call from the client system , for access to the server ;
retrieving a subsequent call from the client system , for access to the server ;
retrieving the security credentials ;
and using the retrieved security credentials to impersonate the client and call the server on the client's behalf ;
associating previously saved security credentials with client systems calling for access to the server , by means of access keys .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps) .
US5586260A
CLAIM 2
. For use in a distributed computer environment having multiple computer systems , some of which function from time to time as systems known as clients , which utilize the services of others of the systems , known as servers , a method for authenticating a client to a server when the client and server support different security mechanisms , the method comprising the following steps (device interface, storage device) performed by an authentication gateway system : receiving a call from a client system to log in to a server ;
acquiring security credentials that will permit client access to the server ;
saving the security credentials for later use ;
receiving a subsequent call from the client system , for access to the server ;
retrieving a subsequent call from the client system , for access to the server ;
retrieving the security credentials ;
and using the retrieved security credentials to impersonate the client and call the server on the client's behalf ;
associating previously saved security credentials with client systems calling for access to the server , by means of access keys .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps) comprises a SCSI interface (client access) .
US5586260A
CLAIM 2
. For use in a distributed computer environment having multiple computer systems , some of which function from time to time as systems known as clients , which utilize the services of others of the systems , known as servers , a method for authenticating a client to a server when the client and server support different security mechanisms , the method comprising the following steps (device interface, storage device) performed by an authentication gateway system : receiving a call from a client system to log in to a server ;
acquiring security credentials that will permit client access (SCSI interface) to the server ;
saving the security credentials for later use ;
receiving a subsequent call from the client system , for access to the server ;
retrieving a subsequent call from the client system , for access to the server ;
retrieving the security credentials ;
and using the retrieved security credentials to impersonate the client and call the server on the client's behalf ;
associating previously saved security credentials with client systems calling for access to the server , by means of access keys .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps) , and a video codec .
US5586260A
CLAIM 2
. For use in a distributed computer environment having multiple computer systems , some of which function from time to time as systems known as clients , which utilize the services of others of the systems , known as servers , a method for authenticating a client to a server when the client and server support different security mechanisms , the method comprising the following steps (device interface, storage device) performed by an authentication gateway system : receiving a call from a client system to log in to a server ;
acquiring security credentials that will permit client access to the server ;
saving the security credentials for later use ;
receiving a subsequent call from the client system , for access to the server ;
retrieving a subsequent call from the client system , for access to the server ;
retrieving the security credentials ;
and using the retrieved security credentials to impersonate the client and call the server on the client's behalf ;
associating previously saved security credentials with client systems calling for access to the server , by means of access keys .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (following steps) if the request is allowed .
US5586260A
CLAIM 2
. For use in a distributed computer environment having multiple computer systems , some of which function from time to time as systems known as clients , which utilize the services of others of the systems , known as servers , a method for authenticating a client to a server when the client and server support different security mechanisms , the method comprising the following steps (device interface, storage device) performed by an authentication gateway system : receiving a call from a client system to log in to a server ;
acquiring security credentials that will permit client access to the server ;
saving the security credentials for later use ;
receiving a subsequent call from the client system , for access to the server ;
retrieving a subsequent call from the client system , for access to the server ;
retrieving the security credentials ;
and using the retrieved security credentials to impersonate the client and call the server on the client's behalf ;
associating previously saved security credentials with client systems calling for access to the server , by means of access keys .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (client access) .
US5586260A
CLAIM 2
. For use in a distributed computer environment having multiple computer systems , some of which function from time to time as systems known as clients , which utilize the services of others of the systems , known as servers , a method for authenticating a client to a server when the client and server support different security mechanisms , the method comprising the following steps performed by an authentication gateway system : receiving a call from a client system to log in to a server ;
acquiring security credentials that will permit client access (SCSI interface) to the server ;
saving the security credentials for later use ;
receiving a subsequent call from the client system , for access to the server ;
retrieving a subsequent call from the client system , for access to the server ;
retrieving the security credentials ;
and using the retrieved security credentials to impersonate the client and call the server on the client's behalf ;
associating previously saved security credentials with client systems calling for access to the server , by means of access keys .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (different security) of a plurality of protocols .
US5586260A
CLAIM 1
. For use in a distributed computer environment having multiple computer systems , some of which function from time to time as systems known as clients , which utilize the services of others of the systems , known as servers , a method for authenticating a client to a server when the client and server support different security (requests comprise one) mechanisms , the method comprising the steps of : calling , from a client , a proxy server , including passing an access key to the proxy server ;
mutually authenticating the identities of the client and the proxy server in accordance with a client security mechanism of the client system , the step of mutually authenticating including the substeps of : generating a set of security credentials that would enable the client to call the a server ;
saving the security credentials for later use and generating an access key for retrieval of the security credentials ;
and passing the access key to the client ;
calling the server from the proxy server and impersonating the client , while conforming with a server security mechanism imposed by the server , the step of impersonating the client including using the access key to retrieve the client security credentials needed to call the server ;
and returning requested information from the server to the client , through the proxy server .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps) , and a video codec .
US5586260A
CLAIM 2
. For use in a distributed computer environment having multiple computer systems , some of which function from time to time as systems known as clients , which utilize the services of others of the systems , known as servers , a method for authenticating a client to a server when the client and server support different security mechanisms , the method comprising the following steps (device interface, storage device) performed by an authentication gateway system : receiving a call from a client system to log in to a server ;
acquiring security credentials that will permit client access to the server ;
saving the security credentials for later use ;
receiving a subsequent call from the client system , for access to the server ;
retrieving a subsequent call from the client system , for access to the server ;
retrieving the security credentials ;
and using the retrieved security credentials to impersonate the client and call the server on the client's behalf ;
associating previously saved security credentials with client systems calling for access to the server , by means of access keys .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5287270A

Filed: 1992-12-02     Issued: 1994-02-15

Billing system

(Original Assignee) Compucom Communications Corp     (Current Assignee) CENTILLION DATA SYSTEMS LLC

Robert M. Hardy, John M. Cauffman, Lynn S. Cauffman, Robert C. Lovell, Jr., Murray B. Frazier, Michael L. Johnson, James W. Dohrenwend, Jr.
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (usage record) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5287270A
CLAIM 8
. A system for presenting , under control of a user , usage and actual cost information relating to telecommunications service provided to said user by a telecommunications service provider , said system comprising : telecommunications service provider storage means for storing records prepared by a telecommunications service provider relating to telecommunications usage for one or more telecommunications subscribers including said user , and the exact charges actually billed to said user by said service provider for said usage ;
data processing means comprising respective computation hardware means and respective software programming means for directing the activities of said computation hardware means ;
means for transferring at least a part of the records from said service provider storage means to said data processing means ;
said data processing means generating preprocessed summary reports as specified by the user from said telecommunications usage record (electronic communication) s transferred from said storage means and organizing said summary reports into a format for storage , manipulation and display on a personal computer data processing means ;
means for transferring said telecommunications usage records including said summary reports from said data processing means to said personal computer data processing means ;
and said personal computer data processing means being adapted to perform additional processing on said telecommunications records which have been at least in part preprocessed by said data processing means utilizing said summary reports for expedited retrieval of data , to present a subset of said telecommunications usage records including said exact charges actually billed to said user .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (additional processing) , and a video codec .
US5287270A
CLAIM 1
. A system for presenting information concerning the actual cost of a service provided to a user by a service provider , said system comprising : storage means for storing individual transaction records prepared by said service provider , said transaction records relating to individual service transactions for one or more service customers including said user , and the exact charges actually billed to said user by said service provider for each said service transaction ;
data processing means comprising respective computation hardware means and respective software programming means for directing the activities of said computation hardware means ;
means for transferring at least a part of said individual transaction records from said storage means to said data processing means ;
said data processing means generating preprocessed summary reports as specified by the user from said individual transaction records transferred from said storage means and organizing said summary reports into a format for storage , manipulation and display on a personal computer data processing means ;
means for transferring said individual transaction records including said summary reports from said data processing means to said personal computer data processing means ;
and said personal computer data processing means being adapted to perform additional processing (storage device) on said individual transaction records which have been at least in part preprocessed by said data processing means utilizing said summary reports for expedited retrieval of data , to present a subset of said selected records including said exact charges actually billed to said user .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (additional processing) , and a video codec .
US5287270A
CLAIM 1
. A system for presenting information concerning the actual cost of a service provided to a user by a service provider , said system comprising : storage means for storing individual transaction records prepared by said service provider , said transaction records relating to individual service transactions for one or more service customers including said user , and the exact charges actually billed to said user by said service provider for each said service transaction ;
data processing means comprising respective computation hardware means and respective software programming means for directing the activities of said computation hardware means ;
means for transferring at least a part of said individual transaction records from said storage means to said data processing means ;
said data processing means generating preprocessed summary reports as specified by the user from said individual transaction records transferred from said storage means and organizing said summary reports into a format for storage , manipulation and display on a personal computer data processing means ;
means for transferring said individual transaction records including said summary reports from said data processing means to said personal computer data processing means ;
and said personal computer data processing means being adapted to perform additional processing (storage device) on said individual transaction records which have been at least in part preprocessed by said data processing means utilizing said summary reports for expedited retrieval of data , to present a subset of said selected records including said exact charges actually billed to said user .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5452446A

Filed: 1992-11-12     Issued: 1995-09-19

Method and apparatus for managing dynamic vehicle data recording data by current time minus latency

(Original Assignee) SPX Corp     (Current Assignee) SPX Corp ; SPX Development Corp

Steven F. Johnson
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (data source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5452446A
CLAIM 1
. A method for management of dynamic data comprising : receiving data entries with data type and latency from data sources (network destination) ;
storing said data entries in a data storage structure having data types , current time , and time positions , each data entry being stored by type at a time position corresponding to current time minus latency ;
retrieving data entries from the data storage structure based upon requests from data clients , said requests specifying data type and historical time , each request causing retrieval of a data entry from a time position corresponding to the historical time requested if that time position contains a data entry of the type requested .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (receiving requests) with each other over a same network , the NAD comprising ;

a data management component (receiving requests) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5452446A
CLAIM 2
. A method for management of dynamic vehicle data comprising : receiving data entries with data type and latency from data sources at non-fixed and predetermined times ;
storing said data entries in a data storage structure having data types , current time , and time positions , each data entry being stored by type at a time position corresponding to current time minus latency ;
updating said current time at predetermined intervals ;
receiving requests (electronic communication, data management component, receiving requests) from data clients for data retrieval , said requests specifying data type and historical time ;
retrieving data entries from the data storage structure based upon said requests by returning a data entry from a time position corresponding to the historical time requested if that time position contains a data entry of the type requested , otherwise returning a data entry of the type requested from a time position containing a data entry of the type requested whose corresponding time is nearest in time to the historical time requested .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (data source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5452446A
CLAIM 1
. A method for management of dynamic data comprising : receiving data entries with data type and latency from data sources (network destination) ;
storing said data entries in a data storage structure having data types , current time , and time positions , each data entry being stored by type at a time position corresponding to current time minus latency ;
retrieving data entries from the data storage structure based upon requests from data clients , said requests specifying data type and historical time , each request causing retrieval of a data entry from a time position corresponding to the historical time requested if that time position contains a data entry of the type requested .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (data source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5452446A
CLAIM 1
. A method for management of dynamic data comprising : receiving data entries with data type and latency from data sources (network destination) ;
storing said data entries in a data storage structure having data types , current time , and time positions , each data entry being stored by type at a time position corresponding to current time minus latency ;
retrieving data entries from the data storage structure based upon requests from data clients , said requests specifying data type and historical time , each request causing retrieval of a data entry from a time position corresponding to the historical time requested if that time position contains a data entry of the type requested .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data request) .
US5452446A
CLAIM 8
. Apparatus for management of dynamic vehicle data with different periods and latencies comprising , in combination : one or more data sources supplying incoming data entries with data type and latency ;
one or more data clients with data requests (SCSI interface) specifying data type and historical time ;
a processor , said processor : storing said incoming data entries in a data storage structure having data types , current time , and time positions , each data entry being stored by type at a time position corresponding to current time minus latency ;
updating said current time at predetermined intervals ;
retrieving data entries from the data storage structure based upon said requests by returning a retrieved data entry from a time position corresponding to the historical time requested if that time position contains a data entry of the type requested , otherwise returning a retrieved data entry from a time position containing a data entry of the type requested whose corresponding time is nearest in time to the historical time requested ;
means for transmitting incoming data entries from said data sources to the processor ;
means for transmitting data requests from said data clients to the processor ;
means for transmitting retrieved data entries from the processor to said data clients .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (receiving requests) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (data source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5452446A
CLAIM 1
. A method for management of dynamic data comprising : receiving data entries with data type and latency from data sources (network destination) ;
storing said data entries in a data storage structure having data types , current time , and time positions , each data entry being stored by type at a time position corresponding to current time minus latency ;
retrieving data entries from the data storage structure based upon requests from data clients , said requests specifying data type and historical time , each request causing retrieval of a data entry from a time position corresponding to the historical time requested if that time position contains a data entry of the type requested .

US5452446A
CLAIM 2
. A method for management of dynamic vehicle data comprising : receiving data entries with data type and latency from data sources at non-fixed and predetermined times ;
storing said data entries in a data storage structure having data types , current time , and time positions , each data entry being stored by type at a time position corresponding to current time minus latency ;
updating said current time at predetermined intervals ;
receiving requests (electronic communication, data management component, receiving requests) from data clients for data retrieval , said requests specifying data type and historical time ;
retrieving data entries from the data storage structure based upon said requests by returning a data entry from a time position corresponding to the historical time requested if that time position contains a data entry of the type requested , otherwise returning a data entry of the type requested from a time position containing a data entry of the type requested whose corresponding time is nearest in time to the historical time requested .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (different period) is further configured to manage access over a SCSI interface (data request) .
US5452446A
CLAIM 8
. Apparatus for management of dynamic vehicle data with different periods (managing means) and latencies comprising , in combination : one or more data sources supplying incoming data entries with data type and latency ;
one or more data clients with data requests (SCSI interface) specifying data type and historical time ;
a processor , said processor : storing said incoming data entries in a data storage structure having data types , current time , and time positions , each data entry being stored by type at a time position corresponding to current time minus latency ;
updating said current time at predetermined intervals ;
retrieving data entries from the data storage structure based upon said requests by returning a retrieved data entry from a time position corresponding to the historical time requested if that time position contains a data entry of the type requested , otherwise returning a retrieved data entry from a time position containing a data entry of the type requested whose corresponding time is nearest in time to the historical time requested ;
means for transmitting incoming data entries from said data sources to the processor ;
means for transmitting data requests from said data clients to the processor ;
means for transmitting retrieved data entries from the processor to said data clients .

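Worked illustration of the header-based authorization step recited in claims 1, 4, 5, 10, 12 and 22 of US7739302B2. This is an added example for the reader; it is not code from the patent, from either assignee, or from any of the cited references, and it is not offered as a construction of the claims. The NAD-side filter below parses the IPv4 header of a request packet, treats the header as incomplete when the fixed fields or the options list are truncated, reads the network source and destination addresses, and takes the TTL together with any source-route option (LSRR/SSRR) as the packet's route information. The decision then depends only on the NAD's own policy, so a request that originated inside the LAN and never crossed an external firewall is judged on the same terms as one that did. The NAD address 192.168.1.50, the client subnet 192.168.1.0/24, and every packet built in the block are constructed assumptions; reading "route" as TTL plus source-route options is the editor's interpretation.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Local policy of a hypothetical NAD (constructed values, not from the patent or any cited reference).
NAD_ADDRESS = ipaddress.IPv4Address("192.168.1.50")
ALLOWED_CLIENTS = ipaddress.IPv4Network("192.168.1.0/24")

# IPv4 option types that carry explicit routing instructions (RFC 791).
LSRR = 131  # loose source and record route
SSRR = 137  # strict source and record route


@dataclass
class HeaderInfo:
    """Source, destination and route information extracted from one IPv4 header."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    ttl: int
    source_routed: bool


def parse_ipv4_header(packet: bytes) -> Optional[HeaderInfo]:
    """Parse the IPv4 header; return None when the header is incomplete or malformed.

    The checksum is deliberately not verified: the point is whether the source,
    destination and route fields the filter decides on are all present.
    """
    if len(packet) < 20:
        return None  # fixed 20-byte header is truncated
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, _proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        return None  # not IPv4, or header length inconsistent with the bytes present
    source_routed = False
    options, i = packet[20:ihl], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of options list
            break
        if kind == 1:            # single-byte no-op
            i += 1
            continue
        if i + 1 >= len(options):
            return None          # option length byte missing
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None          # option body runs past the header
        if kind in (LSRR, SSRR):
            source_routed = True
        i += length
    return HeaderInfo(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), ttl, source_routed)


def authorize(packet: bytes) -> bool:
    """NAD-side decision: True only if the header is complete and the addresses satisfy local policy.

    Nothing here consults an external firewall; a request from inside the LAN that
    never crossed one is judged on exactly the same terms as one that did.
    """
    info = parse_ipv4_header(packet)
    if info is None:
        return False             # incomplete header: deny before looking at any address
    if info.source_routed or info.ttl == 0:
        return False             # route information present but not acceptable
    if info.dst != NAD_ADDRESS:
        return False             # not addressed to this NAD
    return info.src in ALLOWED_CLIENTS


def build_packet(src: str, dst: str, ttl: int = 64, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet for testing (checksum left at zero)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad options to a 32-bit boundary
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, ihl_words * 4 + len(payload),
                         0, 0, ttl, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + payload


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "lan client to NAD": build_packet("192.168.1.10", "192.168.1.50"),
    "outside host to NAD": build_packet("10.0.0.5", "192.168.1.50"),
    "lan client to other host": build_packet("192.168.1.10", "192.168.1.51"),
    "truncated header": build_packet("192.168.1.10", "192.168.1.50")[:15],
    "source-routed request": build_packet("192.168.1.10", "192.168.1.50",
                                          options=bytes([LSRR, 7, 4]) + bytes([10, 0, 0, 1])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28s} -> {'authorized' if authorize(pkt) else 'denied'}")
```

Running the block as a script prints one decision per constructed packet. A truncated header and a source-routed packet are both rejected before any address policy is consulted, which is the operational shape of the "complete header" test in claim 4; the address checks that follow are the IP-based filtering recited in the independent claims.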



US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5491796A

Filed: 1992-10-23     Issued: 1996-02-13

Apparatus for remotely managing diverse information network resources

(Original Assignee) Net Labs Inc     (Current Assignee) NortonLifeLock Inc

James Wanderer, Claus Cooper, Mark Gerolimatos, Michele Chen
US7739302B2
CLAIM 1
. A network arrangement (processing time) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said format) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5491796A
CLAIM 1
. An apparatus for remotely managing diverse information network resources , comprising : a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format (data packet) is specific to each device and to each device functional class ;
a protocol module located at a network management site and in communication with said remote devices for scheduling remote device polls to optimize remote device polling and minimize use of said information network ;
a values module located at said network (NAD server) management site for storing data obtained by polling said remote devices , wherein said data are representative by events that occur at said remote devices as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for use in connection with recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
a nonprocedural builder module located at said network management site and operable to generate a data specification module ;
said data specification module located at said network management site and operable to store information that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
an engine located at said network management site , said engine being operable to read information stored in said data specification module and to generate said device specific representation for each of said remote devices therefrom and , based on the contents of said data specification module and said raw information from said remote devices , to control operation of said remote devices , to enable polls of said remote devices by said protocol module , to process said raw information in accordance with said information stored in said data specification module , to process said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and to generate poll results for each of said remote devices in the form of said device specific representations ;
and a user interface module located at said network management site , and , responsive to said engine , for displaying said device specific representations of said remote devices at said network management site as a user controlled virtual panel .

US5491796A
CLAIM 7
. A method for remotely managing an information (network destination) network including a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format is specific to each device and to each device functional class , said method comprising the steps of : scheduling remote device polls with a protocol module located at a network management site and in communication with said remote devices to optimize remote device polling and minimize use of said information network ;
storing data obtained by said remote device polling , wherein said data are representative of events that occur at said remote devices with a values module located at said network management site as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for recording a time of occurrence of said remote device events , processing time varying data from said stored remote device events , and for storing common groupings of said raw information ;
generating a data specification module with a nonprocedural builder module located at said network management site ;
storing information in said data specification module that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
reading information stored in said data specification module with an engine located at said network management site ;
generating said device specific representation for each of said remote devices with said engine ;
with said engine , controlling operation of said remote devices , enabling polls of said remote devices by said protocol module , processing said raw information in accordance with said information stored in said data specification module , processing said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and generating poll results for each of said remote devices in the form of said device specific representations ;
and displaying said device specific representations of said remote devices as a user controlled virtual panel with a user interface module located at said network management site .

US7739302B2
CLAIM 2
. The network arrangement (processing time) of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs (processing time) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5491796A
CLAIM 1
. An apparatus for remotely managing diverse information network resources , comprising : a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format is specific to each device and to each device functional class ;
a protocol module located at a network management site and in communication with said remote devices for scheduling remote device polls to optimize remote device polling and minimize use of said information network ;
a values module located at said network (NAD server) management site for storing data obtained by polling said remote devices , wherein said data are representative by events that occur at said remote devices as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for use in connection with recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
a nonprocedural builder module located at said network management site and operable to generate a data specification module ;
said data specification module located at said network management site and operable to store information that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
an engine located at said network management site , said engine being operable to read information stored in said data specification module and to generate said device specific representation for each of said remote devices therefrom and , based on the contents of said data specification module and said raw information from said remote devices , to control operation of said remote devices , to enable polls of said remote devices by said protocol module , to process said raw information in accordance with said information stored in said data specification module , to process said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and to generate poll results for each of said remote devices in the form of said device specific representations ;
and a user interface module located at said network management site , and , responsive to said engine , for displaying said device specific representations of said remote devices at said network management site as a user controlled virtual panel .

US7739302B2
CLAIM 3
. The network arrangement (processing time) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5491796A
CLAIM 1
. An apparatus for remotely managing diverse information network resources , comprising : a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format is specific to each device and to each device functional class ;
a protocol module located at a network management site and in communication with said remote devices for scheduling remote device polls to optimize remote device polling and minimize use of said information network ;
a values module located at said network management site for storing data obtained by polling said remote devices , wherein said data are representative by events that occur at said remote devices as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for use in connection with recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
a nonprocedural builder module located at said network management site and operable to generate a data specification module ;
said data specification module located at said network management site and operable to store information that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
an engine located at said network management site , said engine being operable to read information stored in said data specification module and to generate said device specific representation for each of said remote devices therefrom and , based on the contents of said data specification module and said raw information from said remote devices , to control operation of said remote devices , to enable polls of said remote devices by said protocol module , to process said raw information in accordance with said information stored in said data specification module , to process said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and to generate poll results for each of said remote devices in the form of said device specific representations ;
and a user interface module located at said network management site , and , responsive to said engine , for displaying said device specific representations of said remote devices at said network management site as a user controlled virtual panel .

US7739302B2
CLAIM 4
. The network arrangement (processing time) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said format) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5491796A
CLAIM 1
. An apparatus for remotely managing diverse information network resources , comprising : a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format (data packet) is specific to each device and to each device functional class ;
a protocol module located at a network management site and in communication with said remote devices for scheduling remote device polls to optimize remote device polling and minimize use of said information network ;
a values module located at said network management site for storing data obtained by polling said remote devices , wherein said data are representative by events that occur at said remote devices as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for use in connection with recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
a nonprocedural builder module located at said network management site and operable to generate a data specification module ;
said data specification module located at said network management site and operable to store information that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
an engine located at said network management site , said engine being operable to read information stored in said data specification module and to generate said device specific representation for each of said remote devices therefrom and , based on the contents of said data specification module and said raw information from said remote devices , to control operation of said remote devices , to enable polls of said remote devices by said protocol module , to process said raw information in accordance with said information stored in said data specification module , to process said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and to generate poll results for each of said remote devices in the form of said device specific representations ;
and a user interface module located at said network management site , and , responsive to said engine , for displaying said device specific representations of said remote devices at said network management site as a user controlled virtual panel .

US7739302B2
CLAIM 5
. A local area network arrangement (processing time) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said format) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5491796A
CLAIM 1
. An apparatus for remotely managing diverse information network resources , comprising : a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format (data packet) is specific to each device and to each device functional class ;
a protocol module located at a network management site and in communication with said remote devices for scheduling remote device polls to optimize remote device polling and minimize use of said information network ;
a values module located at said network management site for storing data obtained by polling said remote devices , wherein said data are representative by events that occur at said remote devices as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for use in connection with recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
a nonprocedural builder module located at said network management site and operable to generate a data specification module ;
said data specification module located at said network management site and operable to store information that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
an engine located at said network management site , said engine being operable to read information stored in said data specification module and to generate said device specific representation for each of said remote devices therefrom and , based on the contents of said data specification module and said raw information from said remote devices , to control operation of said remote devices , to enable polls of said remote devices by said protocol module , to process said raw information in accordance with said information stored in said data specification module , to process said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and to generate poll results for each of said remote devices in the form of said device specific representations ;
and a user interface module located at said network management site , and , responsive to said engine , for displaying said device specific representations of said remote devices at said network management site as a user controlled virtual panel .

US7739302B2
CLAIM 6
. The network arrangement (processing time) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said format) arrived via an authorized network interface .
US5491796A
CLAIM 7
. A method for remotely managing an information network including a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format (data packet) is specific to each device and to each device functional class , said method comprising the steps of : scheduling remote device polls with a protocol module located at a network management site and in communication with said remote devices to optimize remote device polling and minimize use of said information network ;
storing data obtained by said remote device polling , wherein said data are representative of events that occur at said remote devices with a values module located at said network management site as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
generating a data specification module with a nonprocedural builder module located at said network management site ;
storing information in said data specification module that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
reading information stored in said data specification module with an engine located at said network management site ;
generating said device specific representation for each of said remote devices with said engine ;
with said engine , controlling operation of said remote devices , enabling polls of said remote devices by said protocol module , processing said raw information in accordance with said information stored in said data specification module , processing said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and generating poll results for each of said remote devices in the form of said device specific representations ;
and displaying said device specific representations of said remote devices as a user controlled virtual panel with a user interface module located at said network management site .

US7739302B2
CLAIM 7
. The network arrangement (processing time) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US5491796A
CLAIM 7
. A method for remotely managing an information network including a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format is specific to each device and to each device functional class , said method comprising the steps of : scheduling remote device polls with a protocol module located at a network management site and in communication with said remote devices to optimize remote device polling and minimize use of said information network ;
storing data obtained by said remote device polling , wherein said data are representative of events that occur at said remote devices with a values module located at said network management site as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
generating a data specification module with a nonprocedural builder module located at said network management site ;
storing information in said data specification module that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
reading information stored in said data specification module with an engine located at said network management site ;
generating said device specific representation for each of said remote devices with said engine ;
with said engine , controlling operation of said remote devices , enabling polls of said remote devices by said protocol module , processing said raw information in accordance with said information stored in said data specification module , processing said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and generating poll results for each of said remote devices in the form of said device specific representations ;
and displaying said device specific representations of said remote devices as a user controlled virtual panel with a user interface module located at said network management site .

US7739302B2
CLAIM 8
. The network arrangement (processing time) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US5491796A
CLAIM 7
. A method for remotely managing an information network including a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format is specific to each device and to each device functional class , said method comprising the steps of : scheduling remote device polls with a protocol module located at a network management site and in communication with said remote devices to optimize remote device polling and minimize use of said information network ;
storing data obtained by said remote device polling , wherein said data are representative of events that occur at said remote devices with a values module located at said network management site as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
generating a data specification module with a nonprocedural builder module located at said network management site ;
storing information in said data specification module that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
reading information stored in said data specification module with an engine located at said network management site ;
generating said device specific representation for each of said remote devices with said engine ;
with said engine , controlling operation of said remote devices , enabling polls of said remote devices by said protocol module , processing said raw information in accordance with said information stored in said data specification module , processing said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and generating poll results for each of said remote devices in the form of said device specific representations ;
and displaying said device specific representations of said remote devices as a user controlled virtual panel with a user interface module located at said network management site .

US7739302B2
CLAIM 9
. The network arrangement (processing time) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said format) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5491796A
CLAIM 7
. A method for remotely managing an information network including a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format (data packet) is specific to each device and to each device functional class , said method comprising the steps of : scheduling remote device polls with a protocol module located at a network management site and in communication with said remote devices to optimize remote device polling and minimize use of said information network ;
storing data obtained by said remote device polling , wherein said data are representative of events that occur at said remote devices with a values module located at said network management site as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for recording a time of occurrence of said remote device events , processing time (network arrangement, network protocol programs) varying data from said stored remote device events , and for storing common groupings of said raw information ;
generating a data specification module with a nonprocedural builder module located at said network management site ;
storing information in said data specification module that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
reading information stored in said data specification module with an engine located at said network management site ;
generating said device specific representation for each of said remote devices with said engine ;
with said engine , controlling operation of said remote devices , enabling polls of said remote devices by said protocol module , processing said raw information in accordance with said information stored in said data specification module , processing said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and generating poll results for each of said remote devices in the form of said device specific representations ;
and displaying said device specific representations of said remote devices as a user controlled virtual panel with a user interface module located at said network management site .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said format) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5491796A
CLAIM 7
. A method for remotely managing an information (network destination) network including a plurality of heterogeneous , remote devices of functionally diverse classes , each device providing raw information in one of a plurality of heterogeneous formats , wherein said format (data packet) is specific to each device and to each device functional class , said method comprising the steps of : scheduling remote device polls with a protocol module located at a network management site and in communication with said remote devices to optimize remote device polling and minimize use of said information network ;
storing data obtained by said remote device polling , wherein said data are representative of events that occur at said remote devices with a values module located at said network management site as the events occur over time , said values module being operable to store , retrieve , and manipulate said raw information , said values module including a time stamp for recording a time of occurrence of said remote device events , processing time varying data from said stored remote device events , and for storing common groupings of said raw information ;
generating a data specification module with a nonprocedural builder module located at said network management site ;
storing information in said data specification module that specifies device content and behavior for each of said heterogeneous , functionally diverse , remote devices in the form of a device specific representation , wherein said representation appears to a user in the same format for each device within a device functional class even though each functional class may include a plurality of heterogeneous remote devices ;
reading information stored in said data specification module with an engine located at said network management site ;
generating said device specific representation for each of said remote devices with said engine ;
with said engine , controlling operation of said remote devices , enabling polls of said remote devices by said protocol module , processing said raw information in accordance with said information stored in said data specification module , processing said common groupings of said raw information stored in said values module from two or more of said remote devices to generate information characterizing inter-device performance therefrom , and generating poll results for each of said remote devices in the form of said device specific representations ;
and displaying said device specific representations of said remote devices as a user controlled virtual panel with a user interface module located at said network management site .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5371852A

Filed: 1992-10-14     Issued: 1994-12-06

Method and apparatus for making a cluster of computers appear as a single host on a network

(Original Assignee) International Business Machines Corp     (Current Assignee) International Business Machines Corp

Clement R. Attanasio, Stephen E. Smith
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (N type) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (IP address) of a network source , an IP address of a network destination (same destination node, external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5371852A
CLAIM 24
. A method of routing incoming messages across a boundary of a cluster of computers , as in claim 22 , where the function is a connection manager which routes the message to a destination computer node in the cluster based on the values of a source port number and a source IP address (IP address) number .

US5371852A
CLAIM 28
. A method of routing incoming messages across the boundary of a cluster of computers , as in claim 25 , where the algorithm ensures that , for each external source (network destination) host , all TCP messages from that source host are routed to the same destination node (network destination) .

US5371852A
CLAIM 31
. A method of routing an incoming TCP connection based message across a boundary of a cluster of computers , as in claim 30 , where the message is a RLOGIN type (NAD server) .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (N type) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5371852A
CLAIM 31
. A method of routing an incoming TCP connection based message across a boundary of a cluster of computers , as in claim 30 , where the message is a RLOGIN type (NAD server) .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5371852A
CLAIM 1
. A method for routing incoming messages across a boundary of a cluster of computer nodes , the cluster connected to one or more networks , comprising the steps of : reading a software communication protocol number in a message header of the message to recognize an incoming message as a software communication protocol port type message , the message having a destination address (IP addresses) of a gateway node within the cluster of computer nodes ;
locating and reading a software communication protocol port number in the message header of the software communication protocol port type message ;
matching both the software communication protocol port number and the software communication protocol number to an entry in a message switch memory , the matched software communication protocol port number entry being associated with a software communication protocol port specific function which selects a routing destination for the message from a plurality of possible destinations , the destination being a computer node in the cluster ;
and routing the message to the computer node destination .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address (IP address) of a network source , an IP address of a network destination (same destination node, external source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5371852A
CLAIM 24
. A method of routing incoming messages across a boundary of a cluster of computers , as in claim 22 , where the function is a connection manager which routes the message to a destination computer node in the cluster based on the values of a source port number and a source IP address (IP address) number .

US5371852A
CLAIM 28
. A method of routing incoming messages across the boundary of a cluster of computers , as in claim 25 , where the algorithm ensures that , for each external source (network destination) host , all TCP messages from that source host are routed to the same destination node (network destination) .

US7739302B2
CLAIM 12. An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address (IP address) of a network source, an IP address of a network destination (same destination node, external source), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5371852A
CLAIM 24. A method of routing incoming messages across a boundary of a cluster of computers, as in claim 22, where the function is a connection manager which routes the message to a destination computer node in the cluster based on the values of a source port number and a source IP address (IP address) number.

US5371852A
CLAIM 28. A method of routing incoming messages across the boundary of a cluster of computers, as in claim 25, where the algorithm ensures that, for each external source (network destination) host, all TCP messages from that source host are routed to the same destination node (network destination).

US7739302B2
CLAIM 14. The apparatus of claim 13, wherein the instructions, when executed, cause the processing unit to determine whether each packet contains an unauthorized IP address (IP address).
US5371852A
CLAIM 24. A method of routing incoming messages across a boundary of a cluster of computers, as in claim 22, where the function is a connection manager which routes the message to a destination computer node in the cluster based on the values of a source port number and a source IP address (IP address) number.

US7739302B2
CLAIM 22. An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address (IP address) of a network source, an IP address of a network destination (same destination node, external source), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5371852A
CLAIM 24. A method of routing incoming messages across a boundary of a cluster of computers, as in claim 22, where the function is a connection manager which routes the message to a destination computer node in the cluster based on the values of a source port number and a source IP address (IP address) number.

US5371852A
CLAIM 28. A method of routing incoming messages across the boundary of a cluster of computers, as in claim 25, where the algorithm ensures that, for each external source (network destination) host, all TCP messages from that source host are routed to the same destination node (network destination).




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5490252A

Filed: 1992-09-30     Issued: 1996-02-06

System having central processor for transmitting generic packets to another processor to be altered and transmitting altered packets back to central processor for routing

(Original Assignee) Bay Networks Group Inc     (Current Assignee) Rockstar Consortium US LP

Mario Macera, William E. Jennings, Dennis Josifovich, George W. Kajos, John A. Mastroianni, Francis E. Neil, Victor Bennett, Frank J. Bruns, Gururaj Deshpande, Jeremy Greene
US7739302B2
CLAIM 1. A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (destination information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5490252A
CLAIM 1. An internetworking system for exchanging packets of information between networks, said system comprising: a network interface module for connecting a network to said system, receiving packets from the network in a native packet format used by the network and converting each received native packet having a generic format common to all networks connected to said system, and converting each said generic packet to the native packet format for transmission to the network, a communication channel for carrying said generic packets to and from said network interface module, said channel having bandwidth, a first processing module for controlling dynamic allocation and deallocation of said channel bandwidth to the network connected to said system via said network interface module, a second processing module for receiving all said generic packets put on said channel by said network interface module, determining whether each said generic packet needs to be bridged or routed to a destination network interface module, and bridging each said generic packets determined to need bridging;
a third processing module for receiving and routing each said generic packet determined to need routing from said second processing module via said channel, said third processing module routing those generic packets received from said second processing module by altering those generic packets to contain appropriate destination information (network destination) and transmitting those altered packets to said second processing module;
and said second processing module also for receiving said altered generic packets, determining the destination network interface for each of said altered generic packets, and transmitting those altered generic packets to the destination network interface module.

US7739302B2
CLAIM 6. The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (electronic components).
US5490252A
CLAIM 4. The system of claim 1 wherein said second processing module comprises dedicated electronic components (network interface) for performing all functions required of said second processing module including receiving all said generic packets put on said channel by said network interface module and determining a destination network interface module for each said generic packet on said channel and whether each said generic packet needs to be bridged to the destination network interface module.

US7739302B2
CLAIM 10. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (destination information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5490252A
CLAIM 1. An internetworking system for exchanging packets of information between networks, said system comprising: a network interface module for connecting a network to said system, receiving packets from the network in a native packet format used by the network and converting each received native packet having a generic format common to all networks connected to said system, and converting each said generic packet to the native packet format for transmission to the network, a communication channel for carrying said generic packets to and from said network interface module, said channel having bandwidth, a first processing module for controlling dynamic allocation and deallocation of said channel bandwidth to the network connected to said system via said network interface module, a second processing module for receiving all said generic packets put on said channel by said network interface module, determining whether each said generic packet needs to be bridged or routed to a destination network interface module, and bridging each said generic packets determined to need bridging;
a third processing module for receiving and routing each said generic packet determined to need routing from said second processing module via said channel, said third processing module routing those generic packets received from said second processing module by altering those generic packets to contain appropriate destination information (network destination) and transmitting those altered packets to said second processing module;
and said second processing module also for receiving said altered generic packets, determining the destination network interface for each of said altered generic packets, and transmitting those altered generic packets to the destination network interface module.

US7739302B2
CLAIM 12. An apparatus, comprising: a processing unit;

a network interface (electronic components) coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (destination information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5490252A
CLAIM 1. An internetworking system for exchanging packets of information between networks, said system comprising: a network interface module for connecting a network to said system, receiving packets from the network in a native packet format used by the network and converting each received native packet having a generic format common to all networks connected to said system, and converting each said generic packet to the native packet format for transmission to the network, a communication channel for carrying said generic packets to and from said network interface module, said channel having bandwidth, a first processing module for controlling dynamic allocation and deallocation of said channel bandwidth to the network connected to said system via said network interface module, a second processing module for receiving all said generic packets put on said channel by said network interface module, determining whether each said generic packet needs to be bridged or routed to a destination network interface module, and bridging each said generic packets determined to need bridging;
a third processing module for receiving and routing each said generic packet determined to need routing from said second processing module via said channel, said third processing module routing those generic packets received from said second processing module by altering those generic packets to contain appropriate destination information (network destination) and transmitting those altered packets to said second processing module;
and said second processing module also for receiving said altered generic packets, determining the destination network interface for each of said altered generic packets, and transmitting those altered generic packets to the destination network interface module.

US5490252A
CLAIM 4. The system of claim 1 wherein said second processing module comprises dedicated electronic components (network interface) for performing all functions required of said second processing module including receiving all said generic packets put on said channel by said network interface module and determining a destination network interface module for each said generic packet on said channel and whether each said generic packet needs to be bridged to the destination network interface module.

US7739302B2
CLAIM 13. The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (electronic components).
US5490252A
CLAIM 4. The system of claim 1 wherein said second processing module comprises dedicated electronic components (network interface) for performing all functions required of said second processing module including receiving all said generic packets put on said channel by said network interface module and determining a destination network interface module for each said generic packet on said channel and whether each said generic packet needs to be bridged to the destination network interface module.

US7739302B2
CLAIM 15. The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit to selectively generate a packet for communication to an intermediary computing device (fault tolerance), the selectively generated packet containing the request for access to the directly attached device.
US5490252A
CLAIM 8. The system of claim 1 further comprising at least one redundant network interface module which is a duplicate of said network interface module to provide fault tolerance (intermediary computing device).

US7739302B2
CLAIM 22. An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (destination information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5490252A
CLAIM 1. An internetworking system for exchanging packets of information between networks, said system comprising: a network interface module for connecting a network to said system, receiving packets from the network in a native packet format used by the network and converting each received native packet having a generic format common to all networks connected to said system, and converting each said generic packet to the native packet format for transmission to the network, a communication channel for carrying said generic packets to and from said network interface module, said channel having bandwidth, a first processing module for controlling dynamic allocation and deallocation of said channel bandwidth to the network connected to said system via said network interface module, a second processing module for receiving all said generic packets put on said channel by said network interface module, determining whether each said generic packet needs to be bridged or routed to a destination network interface module, and bridging each said generic packets determined to need bridging;
a third processing module for receiving and routing each said generic packet determined to need routing from said second processing module via said channel, said third processing module routing those generic packets received from said second processing module by altering those generic packets to contain appropriate destination information (network destination) and transmitting those altered packets to said second processing module;
and said second processing module also for receiving said altered generic packets, determining the destination network interface for each of said altered generic packets, and transmitting those altered generic packets to the destination network interface module.

US7739302B2
CLAIM 28. The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer of a network stack (generic format).
US5490252A
CLAIM 1. An internetworking system for exchanging packets of information between networks, said system comprising: a network interface module for connecting a network to said system, receiving packets from the network in a native packet format used by the network and converting each received native packet having a generic format (network stack) common to all networks connected to said system, and converting each said generic packet to the native packet format for transmission to the network, a communication channel for carrying said generic packets to and from said network interface module, said channel having bandwidth, a first processing module for controlling dynamic allocation and deallocation of said channel bandwidth to the network connected to said system via said network interface module, a second processing module for receiving all said generic packets put on said channel by said network interface module, determining whether each said generic packet needs to be bridged or routed to a destination network interface module, and bridging each said generic packets determined to need bridging;
a third processing module for receiving and routing each said generic packet determined to need routing from said second processing module via said channel, said third processing module routing those generic packets received from said second processing module by altering those generic packets to contain appropriate destination information and transmitting those altered packets to said second processing module;
and said second processing module also for receiving said altered generic packets, determining the destination network interface for each of said altered generic packets, and transmitting those altered generic packets to the destination network interface module.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
JPH0697905A

Filed: 1992-09-11     Issued: 1994-04-08

In-channel signaling transmission device

(Original Assignee) Mitsubishi Electric Corp; 三菱電機株式会社     

Noriaki Kono, Hisashi Naito, 悠史 内藤, 典明 河野
US7739302B2
CLAIM 3. The network arrangement of claim 1, wherein the computer-executable instructions comprise distributed program modules (predetermined).
JPH0697905A
CLAIM 1. [Claim 1] An in-channel signaling transmission device that transmits signaling information over the transmission channel used by a high-efficiency speech coding device, wherein, on the encoder side, a time corresponding to a predetermined (program modules) number of samples of a multipoint-sampled signaling signal is made to correspond to the time of one coding frame; if a change point exists among the samples in a given frame, the data sequence occurring least frequently in that frame is inserted in place of the coded data as signaling insertion information, and after this signaling insertion information the signaling data containing the change point is likewise inserted in place of the coded data; and, on the decoder side, when the least-frequently-occurring data sequence that constitutes the signaling insertion information transmitted from the encoder side is received, it is determined that signaling insertion information has been received and the subsequent data is extracted as signaling data, and when no signaling insertion information is received, the previously received signaling data is retained.

US7739302B2
CLAIM 16. The apparatus of claim 12, wherein the instructions, when executed, cause the processing unit to determine whether the requests contain information to gain access (in place of) to a proper port over the directly attached device interface.
JPH0697905A
CLAIM 1. [Claim 1] An in-channel signaling transmission device that transmits signaling information over the transmission channel used by a high-efficiency speech coding device, wherein, on the encoder side, a time corresponding to a predetermined number of samples of a multipoint-sampled signaling signal is made to correspond to the time of one coding frame; if a change point exists among the samples in a given frame, the data sequence occurring least frequently in that frame is inserted in place of (requests contain information to gain access) the coded data as signaling insertion information, and after this signaling insertion information the signaling data containing the change point is likewise inserted in place of the coded data; and, on the decoder side, when the least-frequently-occurring data sequence that constitutes the signaling insertion information transmitted from the encoder side is received, it is determined that signaling insertion information has been received and the subsequent data is extracted as signaling data, and when no signaling insertion information is received, the previously received signaling data is retained.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5377060A

Filed: 1992-09-02     Issued: 1994-12-27

Ultra slim data storage module utilizing plural flexible disks

(Original Assignee) Antek Peripherals Inc     (Current Assignee) ANTEK PERIPHERALS Inc A CORP OF CALIFORNIA ; Antek Peripherals Inc

Anil Nigam
US7739302B2
CLAIM 12. An apparatus, comprising: a processing unit (second air);

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5377060A
CLAIM 1. A data storage device comprising:
a housing;
a motor having a rotatable spindle;
at least a first and a second flexible disk separated from each other along a rotational axis of the spindle and disposed to rotate with the spindle, the first and second disks having first and second recording surfaces;
a first head mounted between the first and the second disks, the first head being movable in a radial direction along the disks, the first head having a first air bearing surface that is adjacent to the first recording surface of the first disk, the first head having a second air (processing unit) bearing surface that is adjacent to the first recording surface of the second disk, the first and second air bearing surfaces of the first head having an air film separating the first head from the first recording surfaces of the first and second disks during operation;
a second head having an air bearing surface adjacent to the second recording surface of the first disk, the second head being suspension mounted to substantially oppose the first air bearing surface of the first head and to provide a force that urges the first disk towards the first air bearing surface of the first head and creates an air film separating the air bearing surface of the second head from the second recording surface of the first disk during operation;
and a third head having an air bearing surface adjacent to the second recording surface of the second disk, the third head being suspension mounted to substantially oppose the second air bearing surface of the first head and to provide a force that urges the second disk towards the second air bearing surface of the first head and creates an air film separating the air bearing surface of the third head from the second recording surface of the second disk during operation;
and at least one of the three heads containing a recording transducer to write and read information to and from at least one of the disk surfaces.

US7739302B2
CLAIM 13. The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit (second air) to determine whether each packet arrived via an authorized network interface.
US5377060A
CLAIM 1. A data storage device comprising:
a housing;
a motor having a rotatable spindle;
at least a first and a second flexible disk separated from each other along a rotational axis of the spindle and disposed to rotate with the spindle, the first and second disks having first and second recording surfaces;
a first head mounted between the first and the second disks, the first head being movable in a radial direction along the disks, the first head having a first air bearing surface that is adjacent to the first recording surface of the first disk, the first head having a second air (processing unit) bearing surface that is adjacent to the first recording surface of the second disk, the first and second air bearing surfaces of the first head having an air film separating the first head from the first recording surfaces of the first and second disks during operation;
a second head having an air bearing surface adjacent to the second recording surface of the first disk, the second head being suspension mounted to substantially oppose the first air bearing surface of the first head and to provide a force that urges the first disk towards the first air bearing surface of the first head and creates an air film separating the air bearing surface of the second head from the second recording surface of the first disk during operation;
and a third head having an air bearing surface adjacent to the second recording surface of the second disk, the third head being suspension mounted to substantially oppose the second air bearing surface of the first head and to provide a force that urges the second disk towards the second air bearing surface of the first head and creates an air film separating the air bearing surface of the third head from the second recording surface of the second disk during operation;
and at least one of the three heads containing a recording transducer to write and read information to and from at least one of the disk surfaces.

US7739302B2
CLAIM 14. The apparatus of claim 13, wherein the instructions, when executed, cause the processing unit (second air) to determine whether each packet contains an unauthorized IP address.
US5377060A
CLAIM 1. A data storage device comprising:
a housing;
a motor having a rotatable spindle;
at least a first and a second flexible disk separated from each other along a rotational axis of the spindle and disposed to rotate with the spindle, the first and second disks having first and second recording surfaces;
a first head mounted between the first and the second disks, the first head being movable in a radial direction along the disks, the first head having a first air bearing surface that is adjacent to the first recording surface of the first disk, the first head having a second air (processing unit) bearing surface that is adjacent to the first recording surface of the second disk, the first and second air bearing surfaces of the first head having an air film separating the first head from the first recording surfaces of the first and second disks during operation;
a second head having an air bearing surface adjacent to the second recording surface of the first disk, the second head being suspension mounted to substantially oppose the first air bearing surface of the first head and to provide a force that urges the first disk towards the first air bearing surface of the first head and creates an air film separating the air bearing surface of the second head from the second recording surface of the first disk during operation;
and a third head having an air bearing surface adjacent to the second recording surface of the second disk, the third head being suspension mounted to substantially oppose the second air bearing surface of the first head and to provide a force that urges the second disk towards the second air bearing surface of the first head and creates an air film separating the air bearing surface of the third head from the second recording surface of the second disk during operation;
and at least one of the three heads containing a recording transducer to write and read information to and from at least one of the disk surfaces.

US7739302B2
CLAIM 15. The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit (second air) to selectively generate a packet for communication to an intermediary computing device, the selectively generated packet containing the request for access to the directly attached device.
US5377060A
CLAIM 1. A data storage device comprising:
a housing;
a motor having a rotatable spindle;
at least a first and a second flexible disk separated from each other along a rotational axis of the spindle and disposed to rotate with the spindle, the first and second disks having first and second recording surfaces;
a first head mounted between the first and the second disks, the first head being movable in a radial direction along the disks, the first head having a first air bearing surface that is adjacent to the first recording surface of the first disk, the first head having a second air (processing unit) bearing surface that is adjacent to the first recording surface of the second disk, the first and second air bearing surfaces of the first head having an air film separating the first head from the first recording surfaces of the first and second disks during operation;
a second head having an air bearing surface adjacent to the second recording surface of the first disk, the second head being suspension mounted to substantially oppose the first air bearing surface of the first head and to provide a force that urges the first disk towards the first air bearing surface of the first head and creates an air film separating the air bearing surface of the second head from the second recording surface of the first disk during operation;
and a third head having an air bearing surface adjacent to the second recording surface of the second disk, the third head being suspension mounted to substantially oppose the second air bearing surface of the first head and to provide a force that urges the second disk towards the second air bearing surface of the first head and creates an air film separating the air bearing surface of the third head from the second recording surface of the second disk during operation;
and at least one of the three heads containing a recording transducer to write and read information to and from at least one of the disk surfaces.

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (second air) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US5377060A
CLAIM 1
. A data storage device comprising ;
a housing ;
a motor having a rotatable spindle ;
at least a first and a second flexible disk separated from each other along a rotational axis of the spindle and disposed to rotate with the spindle , the first and second disks having first and second recording surfaces ;
a first head mounted between the first and the second disks , the first head being movable in a radial direction along the disks , the first head having a first air bearing surface that is adjacent to the first recording surface of the first disk , the first head having a second air (processing unit) bearing surface that is adjacent to the first recording surface of the second disk , the first and second air bearing surfaces of the first head having an air film separating the first head from the first recording surfaces of the first and second disks during operation ;
a second head having an air bearing surface adjacent to the second recording surface of the first disk , the second head being suspension mounted to substantially oppose the first air bearing surface of the first head and to provide a force that urges the first disk towards the first air bearing surface of the first head and creates an air film separating the air bearing surface of the second head from the second recording surface of the first disk during operation ;
and a third head having an air bearing surface adjacent to the second recording surface of the second disk , the third head being suspension mounted to substantially oppose the second air bearing surface of the first head and to provide a force that urges the second disk towards the second air bearing surface of the first head and creates an air film separating the air bearing surface of the third head from the second recording surface of the second disk during operation ;
and at least one of the three heads containing a recording transducer to write and read information to and from at least one of the disk surfaces .

US7739302B2
CLAIM 17
. The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (disk surface) .
US5377060A
CLAIM 1
. A data storage device comprising ;
a housing ;
a motor having a rotatable spindle ;
at least a first and a second flexible disk separated from each other along a rotational axis of the spindle and disposed to rotate with the spindle , the first and second disks having first and second recording surfaces ;
a first head mounted between the first and the second disks , the first head being movable in a radial direction along the disks , the first head having a first air bearing surface that is adjacent to the first recording surface of the first disk , the first head having a second air bearing surface that is adjacent to the first recording surface of the second disk , the first and second air bearing surfaces of the first head having an air film separating the first head from the first recording surfaces of the first and second disks during operation ;
a second head having an air bearing surface adjacent to the second recording surface of the first disk , the second head being suspension mounted to substantially oppose the first air bearing surface of the first head and to provide a force that urges the first disk towards the first air bearing surface of the first head and creates an air film separating the air bearing surface of the second head from the second recording surface of the first disk during operation ;
and a third head having an air bearing surface adjacent to the second recording surface of the second disk , the third head being suspension mounted to substantially oppose the second air bearing surface of the first head and to provide a force that urges the second disk towards the second air bearing surface of the first head and creates an air film separating the air bearing surface of the third head from the second recording surface of the second disk during operation ;
and at least one of the three heads containing a recording transducer to write and read information to and from at least one of the disk surfaces (application layer) .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer (disk surface) of a network stack .
US5377060A
CLAIM 1
. A data storage device comprising ;
a housing ;
a motor having a rotatable spindle ;
at least a first and a second flexible disk separated from each other along a rotational axis of the spindle and disposed to rotate with the spindle , the first and second disks having first and second recording surfaces ;
a first head mounted between the first and the second disks , the first head being movable in a radial direction along the disks , the first head having a first air bearing surface that is adjacent to the first recording surface of the first disk , the first head having a second air bearing surface that is adjacent to the first recording surface of the second disk , the first and second air bearing surfaces of the first head having an air film separating the first head from the first recording surfaces of the first and second disks during operation ;
a second head having an air bearing surface adjacent to the second recording surface of the first disk , the second head being suspension mounted to substantially oppose the first air bearing surface of the first head and to provide a force that urges the first disk towards the first air bearing surface of the first head and creates an air film separating the air bearing surface of the second head from the second recording surface of the first disk during operation ;
and a third head having an air bearing surface adjacent to the second recording surface of the second disk , the third head being suspension mounted to substantially oppose the second air bearing surface of the first head and to provide a force that urges the second disk towards the second air bearing surface of the first head and creates an air film separating the air bearing surface of the third head from the second recording surface of the second disk during operation ;
and at least one of the three heads containing a recording transducer to write and read information to and from at least one of the disk surfaces (application layer) .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5241594A

Filed: 1992-06-02     Issued: 1993-08-31

One-time logon means and methods for distributed computing systems

(Original Assignee) Hughes Aircraft Co     (Current Assignee) Raytheon Co

Kenneth C. Kung
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests (server request) for network access to the NAD from a plurality of network clients having different operating systems .
US5241594A
CLAIM 7
. A method of authenticating users in a distributed computing system comprising a plurality of workstations and remote computers interconnected by way of a network and a server interposed between the workstations and the remote computers , said method comprising the steps of : storing a file on the server that comprises each user identification code and encrypted passwords for all computers in the distributed computing system ;
providing a predetermined multiple logon procedure that operates on a workstation that is adapted to interface between a workstation and a plurality of remote computers ;
using the multiple logon procedure to generate a service request at the workstation for a service available at a remote computer and transmit the service request to the server using a predetermined communication protocol ;
determining whether a user is connected to the server , and if the user is connected to the server , transmitting an authorization message to the workstation ;
using the multiple logon procedure to send a service connect request from the workstation to the remote computer to connect the workstation to the remote computer ;
requesting entry of a user ID and password from the workstation ;
using the multiple logon procedure to send an appropriate user ID and password from the workstation to the remote computer to establish connection therebetween ;
if the user workstation is not connected to the server , then the server requests (accepting requests, requests originating one) authentication from the workstation ;
using the multiple logon procedure to process the authorization request and retrieve an appropriate user ID and password from the file and send a connect request to the server ;
upon receipt of the proper user ID and password , the server sends a service connect message to the workstation and connection is established therebetween ;
if the service request is accepted , the multiple logon procedure waits for a new request ;
if the service request is not accepted , the multiple logon procedure rejects the user and waits for the user to initiate an appropriate service authorization request .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (communication protocol) .
US5241594A
CLAIM 7
. A method of authenticating users in a distributed computing system comprising a plurality of workstations and remote computers interconnected by way of a network and a server interposed between the workstations and the remote computers , said method comprising the steps of : storing a file on the server that comprises each user identification code and encrypted passwords for all computers in the distributed computing system ;
providing a predetermined multiple logon procedure that operates on a workstation that is adapted to interface between a workstation and a plurality of remote computers ;
using the multiple logon procedure to generate a service request at the workstation for a service available at a remote computer and transmit the service request to the server using a predetermined communication protocol (network protocols) ;
determining whether a user is connected to the server , and if the user is connected to the server , transmitting an authorization message to the workstation ;
using the multiple logon procedure to send a service connect request from the workstation to the remote computer to connect the workstation to the remote computer ;
requesting entry of a user ID and password from the workstation ;
using the multiple logon procedure to send an appropriate user ID and password from the workstation to the remote computer to establish connection therebetween ;
if the user workstation is not connected to the server , then the server requests authentication from the workstation ;
using the multiple logon procedure to process the authorization request and retrieve an appropriate user ID and password from the file and send a connect request to the server ;
upon receipt of the proper user ID and password , the server sends a service connect message to the workstation and connection is established therebetween ;
if the service request is accepted , the multiple logon procedure waits for a new request ;
if the service request is not accepted , the multiple logon procedure rejects the user and waits for the user to initiate an appropriate service authorization request .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (communication protocol) is TCP/IP .
US5241594A
CLAIM 7
. A method of authenticating users in a distributed computing system comprising a plurality of workstations and remote computers interconnected by way of a network and a server interposed between the workstations and the remote computers , said method comprising the steps of : storing a file on the server that comprises each user identification code and encrypted passwords for all computers in the distributed computing system ;
providing a predetermined multiple logon procedure that operates on a workstation that is adapted to interface between a workstation and a plurality of remote computers ;
using the multiple logon procedure to generate a service request at the workstation for a service available at a remote computer and transmit the service request to the server using a predetermined communication protocol (network protocols) ;
determining whether a user is connected to the server , and if the user is connected to the server , transmitting an authorization message to the workstation ;
using the multiple logon procedure to send a service connect request from the workstation to the remote computer to connect the workstation to the remote computer ;
requesting entry of a user ID and password from the workstation ;
using the multiple logon procedure to send an appropriate user ID and password from the workstation to the remote computer to establish connection therebetween ;
if the user workstation is not connected to the server , then the server requests authentication from the workstation ;
using the multiple logon procedure to process the authorization request and retrieve an appropriate user ID and password from the file and send a connect request to the server ;
upon receipt of the proper user ID and password , the server sends a service connect message to the workstation and connection is established therebetween ;
if the service request is accepted , the multiple logon procedure waits for a new request ;
if the service request is not accepted , the multiple logon procedure rejects the user and waits for the user to initiate an appropriate service authorization request .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one (server request) of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5241594A
CLAIM 7
. A method of authenticating users in a distributed computing system comprising a plurality of workstations and remote computers interconnected by way of a network and a server interposed between the workstations and the remote computers , said method comprising the steps of : storing a file on the server that comprises each user identification code and encrypted passwords for all computers in the distributed computing system ;
providing a predetermined multiple logon procedure that operates on a workstation that is adapted to interface between a workstation and a plurality of remote computers ;
using the multiple logon procedure to generate a service request at the workstation for a service available at a remote computer and transmit the service request to the server using a predetermined communication protocol ;
determining whether a user is connected to the server , and if the user is connected to the server , transmitting an authorization message to the workstation ;
using the multiple logon procedure to send a service connect request from the workstation to the remote computer to connect the workstation to the remote computer ;
requesting entry of a user ID and password from the workstation ;
using the multiple logon procedure to send an appropriate user ID and password from the workstation to the remote computer to establish connection therebetween ;
if the user workstation is not connected to the server , then the server requests (accepting requests, requests originating one) authentication from the workstation ;
using the multiple logon procedure to process the authorization request and retrieve an appropriate user ID and password from the file and send a connect request to the server ;
upon receipt of the proper user ID and password , the server sends a service connect message to the workstation and connection is established therebetween ;
if the service request is accepted , the multiple logon procedure waits for a new request ;
if the service request is not accepted , the multiple logon procedure rejects the user and waits for the user to initiate an appropriate service authorization request .

US7739302B2
CLAIM 27
. The apparatus of claim 22 , wherein the requests comprise one (d log) of a plurality of protocols .
US5241594A
CLAIM 1
. A distributed computing system comprising : a user computer comprising a communication program including a multiple logon procedure that is adapted to communicate with a remote computer and that employs a secure transport layer protocol that permits secure file transfer between computers of the distributed computing system , and that comprises a stored file including a user identification code and an encrypted password that permits access to the remote computer from the user computer ;
a remote computer comprising a communication program that is adapted to respond to the communication program on the user computer and that employs the secure transport layer protocol , and that comprises a stored file including a user identification code and an encrypted password that permits access to the remote computer ;
a network interconnecting the user computer and the remote computer ;
and wherein a service request entered from the user computer is processed by the multiple logon procedure which accesses the stored file that contains the user identification code and encrypted password , decrypts the encrypted password of the remote computer , transfers the identification code and decrypted password to the remote computer , and logs (requests comprise one) the user computer onto the remote computer .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5491779A

Filed: 1992-04-03     Issued: 1996-02-13

Three dimensional presentation of multiple data sets in unitary format with pie charts

(Original Assignee) Bezjian; Richard D.     

Richard D. Bezjian
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second data) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5491779A
CLAIM 1
. In a data processing system , a method of graphically displaying data in a pie figure comprising : defining at least first and second data (data packet) sets relative to plural identities , the second data set including at least one value which is unequal to at least one other value of the second data set ;
defining the angles of plural pie slices , each pie slice corresponding to an identity , such that the angles are proportional to data of the first data set , the angles totalling 360° ;
defining a second dimension of each pie slice such that the second dimensions are proportional to data of the second data set ;
and generating a three dimensional display of the plural pie slices in a circular arrangement as a single pie figure , each pie slice having the defined angle and the defined second dimension .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (second data) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5491779A
CLAIM 1
. In a data processing system , a method of graphically displaying data in a pie figure comprising : defining at least first and second data (data packet) sets relative to plural identities , the second data set including at least one value which is unequal to at least one other value of the second data set ;
defining the angles of plural pie slices , each pie slice corresponding to an identity , such that the angles are proportional to data of the first data set , the angles totalling 360° ;
defining a second dimension of each pie slice such that the second dimensions are proportional to data of the second data set ;
and generating a three dimensional display of the plural pie slices in a circular arrangement as a single pie figure , each pie slice having the defined angle and the defined second dimension .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5491779A
CLAIM 1
. In a data processing system , a method of graphically displaying data in a pie figure comprising : defining at least first and second data (data packet) sets relative to plural identities , the second data set including at least one value which is unequal to at least one other value of the second data set ;
defining the angles of plural pie slices , each pie slice corresponding to an identity , such that the angles are proportional to data of the first data set , the angles totalling 360° ;
defining a second dimension of each pie slice such that the second dimensions are proportional to data of the second data set ;
and generating a three dimensional display of the plural pie slices in a circular arrangement as a single pie figure , each pie slice having the defined angle and the defined second dimension .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface .
US5491779A
CLAIM 1
. In a data processing system , a method of graphically displaying data in a pie figure comprising : defining at least first and second data (data packet) sets relative to plural identities , the second data set including at least one value which is unequal to at least one other value of the second data set ;
defining the angles of plural pie slices , each pie slice corresponding to an identity , such that the angles are proportional to data of the first data set , the angles totalling 360° ;
defining a second dimension of each pie slice such that the second dimensions are proportional to data of the second data set ;
and generating a three dimensional display of the plural pie slices in a circular arrangement as a single pie figure , each pie slice having the defined angle and the defined second dimension .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (second data) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5491779A
CLAIM 1
. In a data processing system , a method of graphically displaying data in a pie figure comprising : defining at least first and second data (data packet) sets relative to plural identities , the second data set including at least one value which is unequal to at least one other value of the second data set ;
defining the angles of plural pie slices , each pie slice corresponding to an identity , such that the angles are proportional to data of the first data set , the angles totalling 360° ;
defining a second dimension of each pie slice such that the second dimensions are proportional to data of the second data set ;
and generating a three dimensional display of the plural pie slices in a circular arrangement as a single pie figure , each pie slice having the defined angle and the defined second dimension .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5491779A
CLAIM 1
. In a data processing system , a method of graphically displaying data in a pie figure comprising : defining at least first and second data (data packet) sets relative to plural identities , the second data set including at least one value which is unequal to at least one other value of the second data set ;
defining the angles of plural pie slices , each pie slice corresponding to an identity , such that the angles are proportional to data of the first data set , the angles totalling 360° ;
defining a second dimension of each pie slice such that the second dimensions are proportional to data of the second data set ;
and generating a three dimensional display of the plural pie slices in a circular arrangement as a single pie figure , each pie slice having the defined angle and the defined second dimension .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5491779A
CLAIM 1
In a data processing system, a method of graphically displaying data in a pie figure comprising: defining at least first and second data (data packet) sets relative to plural identities, the second data set including at least one value which is unequal to at least one other value of the second data set;
defining the angles of plural pie slices, each pie slice corresponding to an identity, such that the angles are proportional to data of the first data set, the angles totalling 360°;
defining a second dimension of each pie slice such that the second dimensions are proportional to data of the second data set;
and generating a three dimensional display of the plural pie slices in a circular arrangement as a single pie figure, each pie slice having the defined angle and the defined second dimension.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (third dimension).
US5491779A
CLAIM 4
A method as claimed in claim 1 further comprising: defining a third dimension (application layer) of each pie slice such that the third dimensions are proportional to data of a third data set, the third data set including at least one value which is unequal to at least one other value of the third data set;
and generating the three dimensional display of the plural pie slices with each pie slice having the defined angle and second and third dimensions.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet (second data), the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5491779A
CLAIM 1
In a data processing system, a method of graphically displaying data in a pie figure comprising: defining at least first and second data (data packet) sets relative to plural identities, the second data set including at least one value which is unequal to at least one other value of the second data set;
defining the angles of plural pie slices, each pie slice corresponding to an identity, such that the angles are proportional to data of the first data set, the angles totalling 360°;
defining a second dimension of each pie slice such that the second dimensions are proportional to data of the second data set;
and generating a three dimensional display of the plural pie slices in a circular arrangement as a single pie figure, each pie slice having the defined angle and the defined second dimension.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (third dimension) of a network stack.
US5491779A
CLAIM 4
A method as claimed in claim 1 further comprising: defining a third dimension (application layer) of each pie slice such that the third dimensions are proportional to data of a third data set, the third data set including at least one value which is unequal to at least one other value of the third data set;
and generating the three dimensional display of the plural pie slices with each pie slice having the defined angle and second and third dimensions.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5249292A

Filed: 1992-03-10     Issued: 1993-09-28

Data packet switch using a primary processing unit to designate one of a plurality of data stream control circuits to selectively handle the header processing of incoming packets in one data packet stream

(Original Assignee) Chiappa J Noel     

J. Noel Chiappa
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (n information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5249292A
CLAIM 1
A high speed data packet switching circuit comprising: a software controlled primary processing unit, a plurality of network interface units for receiving incoming data packet streams and for transmitting outgoing data packet streams, each of said data packet streams having a selected protocol and all of the data packets in a said stream having the identical protocol, a plurality of data stream control circuits for concurrently receiving at least a portion of a header of the data packets and selectively processing the received packets only wherein each said data stream control circuit processes the data packets of one data stream having one of said selected protocol in response to previously generated electrical signals from the primary processing unit based upon header identification information (network destination) in the at least first data packet of the new data packet stream for designating and initializing one of said data stream control circuits to process a remainder of the data packets of the new data packet stream, means for interconnecting said primary processing unit, said plurality of interface units and said plurality of data stream control circuits, said primary processing unit receiving from said network interface units, and for processing, at least a first one of the data packets of a new data packet stream and having means for generating said electrical signals means in each said designated and initialized data stream control circuit for receiving and processing only those data packets which include said header identification information upon which said designated and initializing is based.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs (control signals) for accepting requests for network access to the NAD from a plurality of network clients (communication paths) having different operating systems.
US5249292A
CLAIM 2
The packet switching circuit of claim 1 further wherein each data stream control circuit comprises a pattern matching circuit responsive to pattern setting signals from the primary processing unit and to incoming data packets from said network interface units for identifying and receiving a packet stream which will be processed by said control circuit, a processing unit responsive control circuit for controlling, in response to control signals (network protocol programs) sent by the primary processing unit, a congestion control means, and a header stripping and prepending functions means for the data stream control circuit, and a data buffer responsive to said pattern matching circuit and the processing unit responsive control circuit for receiving and storing data and protocol elements for an incoming data packet stream and for outputting a data packet stream to a said network interface unit to be forwarded to a next network node.

US5249292A
CLAIM 14
A high speed data packet switching method for switching data packet stream among communication paths (network clients, communication path) comprising the steps of receiving each packet stream from one of a plurality of networks, processing at least a first packet of each received data packet stream using a software controlled, primary processing unit, designating that performance of routine, repetitive header processing of the further packets of one of said received packet streams, said processing including packet forwarding processing to effect routing of said packet, receiving and examining by each said high speed hardware circuitry at least a portion of each packet of each said received data packet stream, determining based on said examination of said at least a portion of each packet by each of said high speed hardware circuitry, which said high speed hardware circuitry has been designated to process each further packet of each received data packet stream, receiving in said designated high speed hardware circuitry said each further packet.

US7739302B2
CLAIM 3
The network arrangement of claim 1, wherein the computer-executable instructions comprise distributed program modules (data buffer).
US5249292A
CLAIM 2
The packet switching circuit of claim 1 further wherein each data stream control circuit comprises a pattern matching circuit responsive to pattern setting signals from the primary processing unit and to incoming data packets from said network interface units for identifying and receiving a packet stream which will be processed by said control circuit, a processing unit responsive control circuit for controlling, in response to control signals sent by the primary processing unit, a congestion control means, and a header stripping and prepending functions means for the data stream control circuit, and a data buffer (program modules) responsive to said pattern matching circuit and the processing unit responsive control circuit for receiving and storing data and protocol elements for an incoming data packet stream and for outputting a data packet stream to a said network interface unit to be forwarded to a next network node.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (n information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5249292A
CLAIM 1
A high speed data packet switching circuit comprising: a software controlled primary processing unit, a plurality of network interface units for receiving incoming data packet streams and for transmitting outgoing data packet streams, each of said data packet streams having a selected protocol and all of the data packets in a said stream having the identical protocol, a plurality of data stream control circuits for concurrently receiving at least a portion of a header of the data packets and selectively processing the received packets only wherein each said data stream control circuit processes the data packets of one data stream having one of said selected protocol in response to previously generated electrical signals from the primary processing unit based upon header identification information (network destination) in the at least first data packet of the new data packet stream for designating and initializing one of said data stream control circuits to process a remainder of the data packets of the new data packet stream, means for interconnecting said primary processing unit, said plurality of interface units and said plurality of data stream control circuits, said primary processing unit receiving from said network interface units, and for processing, at least a first one of the data packets of a new data packet stream and having means for generating said electrical signals means in each said designated and initialized data stream control circuit for receiving and processing only those data packets which include said header identification information upon which said designated and initializing is based.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path (communication paths) to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (n information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5249292A
CLAIM 1
A high speed data packet switching circuit comprising: a software controlled primary processing unit, a plurality of network interface units for receiving incoming data packet streams and for transmitting outgoing data packet streams, each of said data packet streams having a selected protocol and all of the data packets in a said stream having the identical protocol, a plurality of data stream control circuits for concurrently receiving at least a portion of a header of the data packets and selectively processing the received packets only wherein each said data stream control circuit processes the data packets of one data stream having one of said selected protocol in response to previously generated electrical signals from the primary processing unit based upon header identification information (network destination) in the at least first data packet of the new data packet stream for designating and initializing one of said data stream control circuits to process a remainder of the data packets of the new data packet stream, means for interconnecting said primary processing unit, said plurality of interface units and said plurality of data stream control circuits, said primary processing unit receiving from said network interface units, and for processing, at least a first one of the data packets of a new data packet stream and having means for generating said electrical signals means in each said designated and initialized data stream control circuit for receiving and processing only those data packets which include said header identification information upon which said designated and initializing is based.

US5249292A
CLAIM 14
A high speed data packet switching method for switching data packet stream among communication paths (network clients, communication path) comprising the steps of receiving each packet stream from one of a plurality of networks, processing at least a first packet of each received data packet stream using a software controlled, primary processing unit, designating that performance of routine, repetitive header processing of the further packets of one of said received packet streams, said processing including packet forwarding processing to effect routing of said packet, receiving and examining by each said high speed hardware circuitry at least a portion of each packet of each said received data packet stream, determining based on said examination of said at least a portion of each packet by each of said high speed hardware circuitry, which said high speed hardware circuitry has been designated to process each further packet of each received data packet stream, receiving in said designated high speed hardware circuitry said each further packet.

US7739302B2
CLAIM 20
The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (new data).
US5249292A
CLAIM 1
A high speed data packet switching circuit comprising: a software controlled primary processing unit, a plurality of network interface units for receiving incoming data packet streams and for transmitting outgoing data packet streams, each of said data packet streams having a selected protocol and all of the data packets in a said stream having the identical protocol, a plurality of data stream control circuits for concurrently receiving at least a portion of a header of the data packets and selectively processing the received packets only wherein each said data stream control circuit processes the data packets of one data stream having one of said selected protocol in response to previously generated electrical signals from the primary processing unit based upon header identification information in the at least first data packet of the new data (SCSI interface) packet stream for designating and initializing one of said data stream control circuits to process a remainder of the data packets of the new data packet stream, means for interconnecting said primary processing unit, said plurality of interface units and said plurality of data stream control circuits, said primary processing unit receiving from said network interface units, and for processing, at least a first one of the data packets of a new data packet stream and having means for generating said electrical signals means in each said designated and initialized data stream control circuit for receiving and processing only those data packets which include said header identification information upon which said designated and initializing is based.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (n information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (communication paths) and other devices in a manner that is in addition to any protection afforded by a firewall.
US5249292A
CLAIM 1
A high speed data packet switching circuit comprising: a software controlled primary processing unit, a plurality of network interface units for receiving incoming data packet streams and for transmitting outgoing data packet streams, each of said data packet streams having a selected protocol and all of the data packets in a said stream having the identical protocol, a plurality of data stream control circuits for concurrently receiving at least a portion of a header of the data packets and selectively processing the received packets only wherein each said data stream control circuit processes the data packets of one data stream having one of said selected protocol in response to previously generated electrical signals from the primary processing unit based upon header identification information (network destination) in the at least first data packet of the new data packet stream for designating and initializing one of said data stream control circuits to process a remainder of the data packets of the new data packet stream, means for interconnecting said primary processing unit, said plurality of interface units and said plurality of data stream control circuits, said primary processing unit receiving from said network interface units, and for processing, at least a first one of the data packets of a new data packet stream and having means for generating said electrical signals means in each said designated and initialized data stream control circuit for receiving and processing only those data packets which include said header identification information upon which said designated and initializing is based.

US5249292A
CLAIM 14
A high speed data packet switching method for switching data packet stream among communication paths (network clients, communication path) comprising the steps of receiving each packet stream from one of a plurality of networks, processing at least a first packet of each received data packet stream using a software controlled, primary processing unit, designating that performance of routine, repetitive header processing of the further packets of one of said received packet streams, said processing including packet forwarding processing to effect routing of said packet, receiving and examining by each said high speed hardware circuitry at least a portion of each packet of each said received data packet stream, determining based on said examination of said at least a portion of each packet by each of said high speed hardware circuitry, which said high speed hardware circuitry has been designated to process each further packet of each received data packet stream, receiving in said designated high speed hardware circuitry said each further packet.

US7739302B2
CLAIM 24
The apparatus of claim 23, wherein the managing means (storage units) is further configured to manage access over a SCSI interface (new data).
US5249292A
CLAIM 1
A high speed data packet switching circuit comprising: a software controlled primary processing unit, a plurality of network interface units for receiving incoming data packet streams and for transmitting outgoing data packet streams, each of said data packet streams having a selected protocol and all of the data packets in a said stream having the identical protocol, a plurality of data stream control circuits for concurrently receiving at least a portion of a header of the data packets and selectively processing the received packets only wherein each said data stream control circuit processes the data packets of one data stream having one of said selected protocol in response to previously generated electrical signals from the primary processing unit based upon header identification information in the at least first data packet of the new data (SCSI interface) packet stream for designating and initializing one of said data stream control circuits to process a remainder of the data packets of the new data packet stream, means for interconnecting said primary processing unit, said plurality of interface units and said plurality of data stream control circuits, said primary processing unit receiving from said network interface units, and for processing, at least a first one of the data packets of a new data packet stream and having means for generating said electrical signals means in each said designated and initialized data stream control circuit for receiving and processing only those data packets which include said header identification information upon which said designated and initializing is based.

US5249292A
CLAIM 10
The packet switching circuit of claim 1 wherein said software controlled primary processing unit further includes a central processing unit, a bus means;
a plurality of input storage units (managing means) for selectively receiving ones of said plurality of data streams from the network interface units and each storage unit having its output connected to said bus means, means for connecting the central processing unit to said bus means, a plurality of output storage units for selectively receiving data from said central processing unit over said bus means, and for providing said data to said network interface units, and means for controlling the input of data to said input and output storage units.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5325290A

Filed: 1991-10-25     Issued: 1994-06-28

Billing system with data indexing

(Original Assignee) Compucom Communications Corp     (Current Assignee) CENTILLION DATA SYSTEMS LLC

Lynn S. Cauffman, Jeffrey N. Thompson, John M. Cauffman
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (n information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5325290A
CLAIM 2
A system for displaying transaction information (network destination), said system comprising: means for storing individual transaction records, said transaction records relating to individual transaction for at least one transaction customer;
first and second data processing means;
said first data processing means generating preprocessed summary reports from said transaction records and creating, from said summary reports, indices in a sequence defined by selected sort keys, said indices being adapted for preparing reports of said transaction records;
means for transferring said summary reports and indices from said first data processing means to said second data processing means;
and said second data processing means being adapted to perform additional processing on said summary reports and indices to enable display of extracts of said transaction records.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (different operating systems).
US5325290A
CLAIM 9
A system for preparing and presenting reports from transaction detail records, said system comprising: means for storing individual transaction detail records;
first and second data processing means employing different operating systems (different operating systems);
information interchange media means;
said first data processing means performing preprocessing operations on said individual transaction detail records including creating, from said transaction detail records, indices adapted for rapidly preparing reports of selected records in a sequence defined by selected sort keys;
said information interchange media means transferring said selected records and indices from said first data processing means to said second data processing means;
said second data processing means being adapted to perform additional processing on said preprocessed selected records to enable display or printing of extracts from said selected records in said sequence defined by said sort keys.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (n information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5325290A
CLAIM 2
A system for displaying transaction information (network destination), said system comprising: means for storing individual transaction records, said transaction records relating to individual transaction for at least one transaction customer;
first and second data processing means;
said first data processing means generating preprocessed summary reports from said transaction records and creating, from said summary reports, indices in a sequence defined by selected sort keys, said indices being adapted for preparing reports of said transaction records;
means for transferring said summary reports and indices from said first data processing means to said second data processing means;
and said second data processing means being adapted to perform additional processing on said summary reports and indices to enable display of extracts of said transaction records.

US7739302B2
CLAIM 12. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5325290A
CLAIM 2. A system for displaying transaction information (network destination) , said system comprising : means for storing individual transaction records , said transaction records relating to individual transaction for at least one transaction customer ;
first and second data processing means ;
said first data processing means generating preprocessed summary reports from said transaction records and creating , from said summary reports , indices in a sequence defined by selected sort keys , said indices being adapted for preparing reports of said transaction records ;
means for transferring said summary reports and indices from said first data processing means to said second data processing means ;
and said second data processing means being adapted to perform additional processing on said summary reports and indices to enable display of extracts of said transaction records .

US7739302B2
CLAIM 21. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (additional processing) , and a video codec .
US5325290A
CLAIM 1. A system for displaying information concerning a transaction between a service provider and a service customer , said system comprising : storage means for storing individual transaction records prepared by said service provider , said transaction records relating to individual transaction for at least one service customer ;
first and second data processing means comprising respective computation hardware means and respective software programming means arranged for directing the activities of said computation hardware means ;
said first data processing means selecting , from said storage means , records relating to transaction details for said at least one transaction customer , and performing preprocessing operations on said selected records including creating indices from said records for enabling rapid sorts of said selected records ;
means for transferring said preprocessed selected records including said indices from said first data processing means to said second data processing means ;
and said second data processing means being adapted to perform additional processing (storage device) on said preprocessed selected records to enable display of extracts of said selected records , said selected records being rapidly sorted utilizing said indices .

US7739302B2
CLAIM 22. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said key) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5325290A
CLAIM 2. A system for displaying transaction information (network destination) , said system comprising : means for storing individual transaction records , said transaction records relating to individual transaction for at least one transaction customer ;
first and second data processing means ;
said first data processing means generating preprocessed summary reports from said transaction records and creating , from said summary reports , indices in a sequence defined by selected sort keys , said indices being adapted for preparing reports of said transaction records ;
means for transferring said summary reports and indices from said first data processing means to said second data processing means ;
and said second data processing means being adapted to perform additional processing on said summary reports and indices to enable display of extracts of said transaction records .

US5325290A
CLAIM 4. A system for preparing and presenting reports from transaction detail records , said detail records including at least one key field on which said reports are based , said system comprising : means for accumulating summary records extracted from said detail records ;
means for storing said summary records and said detail records in a predetermined sequence ;
means for preparing at least one indice for retrieving said detail and summary records in a sorted sequence which is different from said predetermined sequence , said sorted sequence being a function of the values of at least said key (filtering means) field of each of said detail records ;
and means for presenting said detail and summary records in a sequence defined by said index .

US7739302B2
CLAIM 28. The apparatus of claim 22 , wherein the filtering means (said key) is further configured to carry out the filtering at an application layer of a network stack .
US5325290A
CLAIM 4. A system for preparing and presenting reports from transaction detail records , said detail records including at least one key field on which said reports are based , said system comprising : means for accumulating summary records extracted from said detail records ;
means for storing said summary records and said detail records in a predetermined sequence ;
means for preparing at least one indice for retrieving said detail and summary records in a sorted sequence which is different from said predetermined sequence , said sorted sequence being a function of the values of at least said key (filtering means) field of each of said detail records ;
and means for presenting said detail and summary records in a sequence defined by said index .

US7739302B2
CLAIM 29. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (additional processing) , and a video codec .
US5325290A
CLAIM 1. A system for displaying information concerning a transaction between a service provider and a service customer , said system comprising : storage means for storing individual transaction records prepared by said service provider , said transaction records relating to individual transaction for at least one service customer ;
first and second data processing means comprising respective computation hardware means and respective software programming means arranged for directing the activities of said computation hardware means ;
said first data processing means selecting , from said storage means , records relating to transaction details for said at least one transaction customer , and performing preprocessing operations on said selected records including creating indices from said records for enabling rapid sorts of said selected records ;
means for transferring said preprocessed selected records including said indices from said first data processing means to said second data processing means ;
and said second data processing means being adapted to perform additional processing (storage device) on said preprocessed selected records to enable display of extracts of said selected records , said selected records being rapidly sorted utilizing said indices .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5321395A

Filed: 1991-08-29     Issued: 1994-06-14

System providing verified information exchange between an electronic record carrier and a read/write unit

(Original Assignee) US Philips Corp     (Current Assignee) US Philips Corp

Ronald B. Van Santbrink
US7739302B2
CLAIM 1. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5321395A
CLAIM 9. A read/write (R/W) unit for use in an information (network destination) exchange system wherein the R/W unit receives/writes data in a data store which is included in an information carrier , the system providing verification of the exchange of data between the R/W unit and the information carrier ;
said R/W unit comprising : a send section for transmitting data to the information carrier for storage in said data store ;
a receive section for receiving data transmitted by the information carrier from the data store , the receive section being further adapted to produce a detection signal when the information carrier is present at a read/write location with respect to the R/W unit ;
data processing means having a data input coupled to said receive section to receive said detection signal therefrom and also data received by said receive section from the information carrier , and having a data output coupled to said send section to supply data thereto ;
said data processing means being adapted to (i) actuate said send section in response to reception of a detection signal from said receive section , and (ii) determine by comparison whether the data signals being received at said data input from said receive section match the data signals being supplied from said data output to said send section .

US7739302B2
CLAIM 10. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5321395A
CLAIM 9. A read/write (R/W) unit for use in an information (network destination) exchange system wherein the R/W unit receives/writes data in a data store which is included in an information carrier , the system providing verification of the exchange of data between the R/W unit and the information carrier ;
said R/W unit comprising : a send section for transmitting data to the information carrier for storage in said data store ;
a receive section for receiving data transmitted by the information carrier from the data store , the receive section being further adapted to produce a detection signal when the information carrier is present at a read/write location with respect to the R/W unit ;
data processing means having a data input coupled to said receive section to receive said detection signal therefrom and also data received by said receive section from the information carrier , and having a data output coupled to said send section to supply data thereto ;
said data processing means being adapted to (i) actuate said send section in response to reception of a detection signal from said receive section , and (ii) determine by comparison whether the data signals being received at said data input from said receive section match the data signals being supplied from said data output to said send section .

US7739302B2
CLAIM 12. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5321395A
CLAIM 7. A system as claimed in claim 1 , wherein said data processing means has a memory field for storing a first codeword , a second codeword is stored in the memory included in the information carrier , and the second codeword is transmitted to said data processing means when the information carrier is placed in said read/write position ;
said data processing means being adapted to (i) compare the first and second codewords and generate a match signal if they match , and (ii) generate a new codeword for storage in said memory (storing instructions) field thereof in place of the first codeword and which is also transmitted via said first transmitting means to the memory in said information carrier for storage therein in place of the second codeword .

US5321395A
CLAIM 9. A read/write (R/W) unit for use in an information (network destination) exchange system wherein the R/W unit receives/writes data in a data store which is included in an information carrier , the system providing verification of the exchange of data between the R/W unit and the information carrier ;
said R/W unit comprising : a send section for transmitting data to the information carrier for storage in said data store ;
a receive section for receiving data transmitted by the information carrier from the data store , the receive section being further adapted to produce a detection signal when the information carrier is present at a read/write location with respect to the R/W unit ;
data processing means having a data input coupled to said receive section to receive said detection signal therefrom and also data received by said receive section from the information carrier , and having a data output coupled to said send section to supply data thereto ;
said data processing means being adapted to (i) actuate said send section in response to reception of a detection signal from said receive section , and (ii) determine by comparison whether the data signals being received at said data input from said receive section match the data signals being supplied from said data output to said send section .

US7739302B2
CLAIM 22. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5321395A
CLAIM 9. A read/write (R/W) unit for use in an information (network destination) exchange system wherein the R/W unit receives/writes data in a data store which is included in an information carrier , the system providing verification of the exchange of data between the R/W unit and the information carrier ;
said R/W unit comprising : a send section for transmitting data to the information carrier for storage in said data store ;
a receive section for receiving data transmitted by the information carrier from the data store , the receive section being further adapted to produce a detection signal when the information carrier is present at a read/write location with respect to the R/W unit ;
data processing means having a data input coupled to said receive section to receive said detection signal therefrom and also data received by said receive section from the information carrier , and having a data output coupled to said send section to supply data thereto ;
said data processing means being adapted to (i) actuate said send section in response to reception of a detection signal from said receive section , and (ii) determine by comparison whether the data signals being received at said data input from said receive section match the data signals being supplied from said data output to said send section .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5262760A

Filed: 1991-02-27     Issued: 1993-11-16

Modifying a graphics display image

(Original Assignee) Hitachi Ltd     (Current Assignee) Hitachi Ltd

Kazuaki Iwamura, Junichi Nakahata, Mitsuru Fujii
US7739302B2
CLAIM 1. A network arrangement (further data) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5262760A
CLAIM 20. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 2. The network arrangement (further data) of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5262760A
CLAIM 20. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 3. The network arrangement (further data) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5262760A
CLAIM 20. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 4. The network arrangement (further data) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5262760A
CLAIM 20. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 5. A local area network arrangement (further data) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5262760A
CLAIM 20. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 6
. The network arrangement (further data) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface .
US5262760A
CLAIM 20
. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 7
. The network arrangement (further data) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US5262760A
CLAIM 20
. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 8
. The network arrangement (further data) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US5262760A
CLAIM 20
. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 9
. The network arrangement (further data) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5262760A
CLAIM 20
. A graphics display database system , comprising : means for reading a plurality of graphics display image components of a plurality of graphics display image groups from a print including said plurality of graphics display image components , each of said graphics display image groups being composed of a plurality of graphics display image components which have a predetermined common characteristic with respect to each other ;
memory means for storing data corresponding to each of said plurality of graphics display image components of said graphics display image groups ;
means for associating with the data for each of said plurality of graphics display image components further data (network arrangement) representing a selected visual appearance for each of said plurality of graphics display image components ;
means responsive to edit instructions for editing sequentially the data corresponding to any of said plurality of graphics display image components in a selected graphics display image group ;
and means responsive to instructions indicating the completion of said editing for changing further data of said any of said plurality of graphics display image components in said selected graphics display image group such that the changed further data represents a different visual appearance for said any of said plurality of graphics display image components .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5262760A
CLAIM 18
. An apparatus according to claim 17 , further including means for reading graphics objects corresponding to said plurality of graphics display image components from a print including said graphics objects corresponding to said plurality of graphics display image components ;
and means for converting the read graphics objects of said data in said memory (storing instructions) means .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5245533A

Filed: 1990-12-18     Issued: 1993-09-14

Marketing research method and system for management of manufacturer's discount coupon offers

(Original Assignee) A C Nielsen Co     (Current Assignee) NCH PROMOTIONAL SERVICES Inc

Robert Marshall
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (predefined time period) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5245533A
CLAIM 4
. A market research system as recited in claim 3 wherein said response template library generating means includes means responsive to said generated variables code for extracting coupon redemption data ;
and means for calculating an average redemption value and a standard deviation value for said extracted coupon redemption data at predetermined intervals within a predefined time period (data management component) .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (central controller) .
US5245533A
CLAIM 1
. A market research system for management of manufacturer's discount coupon offers comprising : coupon processing means for processing coupon redemption data ;
said coupon redemption data including offer identification ;
manufacturer input means for providing a coupon release input ;
and central controller (SCSI interface) means coupled to said coupon processing means and said manufacturer input means for receiving said coupon redemption data and said coupon release input ;
said central controller means including means responsive to said received coupon redemption data for defining a knowledge database ;
means responsive to said defined knowledge database for generating a response template library ;
means responsive to said received coupon release input for selecting a response template from said generated response template library ;
and means for transmitting said selected response template to said manufacturer .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (central controller) .
US5245533A
CLAIM 1
. A market research system for management of manufacturer's discount coupon offers comprising : coupon processing means for processing coupon redemption data ;
said coupon redemption data including offer identification ;
manufacturer input means for providing a coupon release input ;
and central controller (SCSI interface) means coupled to said coupon processing means and said manufacturer input means for receiving said coupon redemption data and said coupon release input ;
said central controller means including means responsive to said received coupon redemption data for defining a knowledge database ;
means responsive to said defined knowledge database for generating a response template library ;
means responsive to said received coupon release input for selecting a response template from said generated response template library ;
and means for transmitting said selected response template to said manufacturer .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5490060A

Filed: 1990-11-13     Issued: 1996-02-06

Passive data collection system for market research data

(Original Assignee) Information Resources Inc     (Current Assignee) Information Resources Inc

John Malec, Joseph P. Moser, Scott J. Thomas, Eleanor Ting
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (an information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5490060A
CLAIM 2
. A data collection method for the market research of a plurality of individual stores for the purchases of predetermined consumers forming a buying panel , wherein each store has a plurality of point-of-sale terminals which communicate data transactions in an SDLC format over a network loop to a central store computer , said method comprising : (a) passively monitoring data transactions on said network (NAD server) ;
(b) assembling from said monitored data transactions data frames corresponding to respective data transactions ;
(c) selecting from all of said data frames , data frames of at least one particular type ;
(d) sorting said selected frames based upon an information (network destination) field which contains information indicating the beginning and the end of a respective purchasing transaction ;
(e) temporarily storing said selected data frames corresponding to a respective purchasing transaction ;
(f) searching said temporarily stored selected data frames for panelist identification ;
and (g) storing said searched selected data frames corresponding to a respective purchasing transaction when any of them include said panelist identification .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating (nonvolatile memory) systems .
US5490060A
CLAIM 2
. A data collection method for the market research of a plurality of individual stores for the purchases of predetermined consumers forming a buying panel , wherein each store has a plurality of point-of-sale terminals which communicate data transactions in an SDLC format over a network loop to a central store computer , said method comprising : (a) passively monitoring data transactions on said network (NAD server) ;
(b) assembling from said monitored data transactions data frames corresponding to respective data transactions ;
(c) selecting from all of said data frames , data frames of at least one particular type ;
(d) sorting said selected frames based upon an information field which contains information indicating the beginning and the end of a respective purchasing transaction ;
(e) temporarily storing said selected data frames corresponding to a respective purchasing transaction ;
(f) searching said temporarily stored selected data frames for panelist identification ;
and (g) storing said searched selected data frames corresponding to a respective purchasing transaction when any of them include said panelist identification .

US5490060A
CLAIM 13
. A method for electronically collecting market research information from a plurality of sales locations wherein the information is collected from each of the sales locations and transmitted to a host processor for subsequent evaluation , and wherein each of said sales locations has at least one automatic checkout system including a plurality of point-of-sale terminals communicating with a store controller over a communications network , said method comprising : passively monitoring communications between the store controller and each of said point-of-sale terminals ;
separating relevant market research data from said communications ;
forming market research file structures compatible with the host processor ;
storing said market research file structures in nonvolatile memory (different operating, managing access) ;
and periodically transferring said market research file structures to the host processor .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (central station) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5490060A
CLAIM 12
. In a system for market research wherein data are gathered at a central station (electronic communication) from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia , and each of said stores having a data processing controller connected by a communications network to a plurality of transaction terminals at which input transaction data in respect to transactions with respective shoppers are entered , including transaction data corresponding to universal product codes for respective items bought and the respective identification indicia , such input transaction data being communicated to the respective controller over said communications network , and controller data from said respective controller being communicated to the respective terminals over said communications system , said controller data including controller transaction data related to the same transactions as respective input transaction data : a data acquisition and transfer system comprising means for passively coupling to a respective said communications network in a respective store to receive respective input and controller transaction data without introducing any signals into said communications network , storage means , means responsive to received transaction data corresponding to said identification indicia for storing in said storage means said received input and controller transaction data and instructions relating to each transaction made by a selected shopper to the exclusion of transaction data and instructions relating to transactions made by shoppers other than selected shoppers , means for reading out said stored transaction data from said storage means , and means for transferring said read out stored transaction data to said central station .

US7739302B2
CLAIM 10
. A system for managing access (nonvolatile memory) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (an information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5490060A
CLAIM 2
. A data collection method for the market research of a plurality of individual stores for the purchases of predetermined consumers forming a buying panel , wherein each store has a plurality of point-of-sale terminals which communicate data transactions in an SDLC format over a network loop to a central store computer , said method comprising : (a) passively monitoring data transactions on said network ;
(b) assembling from said monitored data transactions data frames corresponding to respective data transactions ;
(c) selecting from all of said data frames , data frames of at least one particular type ;
(d) sorting said selected frames based upon an information (network destination) field which contains information indicating the beginning and the end of a respective purchasing transaction ;
(e) temporarily storing said selected data frames corresponding to a respective purchasing transaction ;
(f) searching said temporarily stored selected data frames for panelist identification ;
and (g) storing said searched selected data frames corresponding to a respective purchasing transaction when any of them include said panelist identification .

US5490060A
CLAIM 13
. A method for electronically collecting market research information from a plurality of sales locations wherein the information is collected from each of the sales locations and transmitted to a host processor for subsequent evaluation , and wherein each of said sales locations has at least one automatic checkout system including a plurality of point-of-sale terminals communicating with a store controller over a communications network , said method comprising : passively monitoring communications between the store controller and each of said point-of-sale terminals ;
separating relevant market research data from said communications ;
forming market research file structures compatible with the host processor ;
storing said market research file structures in nonvolatile memory (different operating, managing access) ;
and periodically transferring said market research file structures to the host processor .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (transfer system) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (an information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5490060A
CLAIM 2
. A data collection method for the market research of a plurality of individual stores for the purchases of predetermined consumers forming a buying panel , wherein each store has a plurality of point-of-sale terminals which communicate data transactions in an SDLC format over a network loop to a central store computer , said method comprising : (a) passively monitoring data transactions on said network ;
(b) assembling from said monitored data transactions data frames corresponding to respective data transactions ;
(c) selecting from all of said data frames , data frames of at least one particular type ;
(d) sorting said selected frames based upon an information (network destination) field which contains information indicating the beginning and the end of a respective purchasing transaction ;
(e) temporarily storing said selected data frames corresponding to a respective purchasing transaction ;
(f) searching said temporarily stored selected data frames for panelist identification ;
and (g) storing said searched selected data frames corresponding to a respective purchasing transaction when any of them include said panelist identification .

US5490060A
CLAIM 12
. In a system for market research wherein data are gathered at a central station from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia , and each of said stores having a data processing controller connected by a communications network to a plurality of transaction terminals at which input transaction data in respect to transactions with respective shoppers are entered , including transaction data corresponding to universal product codes for respective items bought and the respective identification indicia , such input transaction data being communicated to the respective controller over said communications network , and controller data from said respective controller being communicated to the respective terminals over said communications system , said controller data including controller transaction data related to the same transactions as respective input transaction data : a data acquisition and transfer system (processing unit) comprising means for passively coupling to a respective said communications network in a respective store to receive respective input and controller transaction data without introducing any signals into said communications network , storage means , means responsive to received transaction data corresponding to said identification indicia for storing in said storage means said received input and controller transaction data and instructions relating to each transaction made by a selected shopper to the exclusion of transaction data and instructions relating to transactions made by shoppers other than selected shoppers , means for reading out said stored transaction data from said storage means , and means for transferring said read out stored transaction data to said central station .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (transfer system) to determine whether each packet arrived via an authorized network interface .
US5490060A
CLAIM 12
. In a system for market research wherein data are gathered at a central station from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia , and each of said stores having a data processing controller connected by a communications network to a plurality of transaction terminals at which input transaction data in respect to transactions with respective shoppers are entered , including transaction data corresponding to universal product codes for respective items bought and the respective identification indicia , such input transaction data being communicated to the respective controller over said communications network , and controller data from said respective controller being communicated to the respective terminals over said communications system , said controller data including controller transaction data related to the same transactions as respective input transaction data : a data acquisition and transfer system (processing unit) comprising means for passively coupling to a respective said communications network in a respective store to receive respective input and controller transaction data without introducing any signals into said communications network , storage means , means responsive to received transaction data corresponding to said identification indicia for storing in said storage means said received input and controller transaction data and instructions relating to each transaction made by a selected shopper to the exclusion of transaction data and instructions relating to transactions made by shoppers other than selected shoppers , means for reading out said stored transaction data from said storage means , and means for transferring said read out stored transaction data to said central station .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (transfer system) to determine whether each packet contains an unauthorized IP address .
US5490060A
CLAIM 12
. In a system for market research wherein data are gathered at a central station from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia , and each of said stores having a data processing controller connected by a communications network to a plurality of transaction terminals at which input transaction data in respect to transactions with respective shoppers are entered , including transaction data corresponding to universal product codes for respective items bought and the respective identification indicia , such input transaction data being communicated to the respective controller over said communications network , and controller data from said respective controller being communicated to the respective terminals over said communications system , said controller data including controller transaction data related to the same transactions as respective input transaction data : a data acquisition and transfer system (processing unit) comprising means for passively coupling to a respective said communications network in a respective store to receive respective input and controller transaction data without introducing any signals into said communications network , storage means , means responsive to received transaction data corresponding to said identification indicia for storing in said storage means said received input and controller transaction data and instructions relating to each transaction made by a selected shopper to the exclusion of transaction data and instructions relating to transactions made by shoppers other than selected shoppers , means for reading out said stored transaction data from said storage means , and means for transferring said read out stored transaction data to said central station .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (transfer system) to selectively generate a packet for communication to an intermediary computing (transaction records, transaction file) device , the selectively generated packet containing the request for access to the directly attached device .
US5490060A
CLAIM 12
. In a system for market research wherein data are gathered at a central station from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia , and each of said stores having a data processing controller connected by a communications network to a plurality of transaction terminals at which input transaction data in respect to transactions with respective shoppers are entered , including transaction data corresponding to universal product codes for respective items bought and the respective identification indicia , such input transaction data being communicated to the respective controller over said communications network , and controller data from said respective controller being communicated to the respective terminals over said communications system , said controller data including controller transaction data related to the same transactions as respective input transaction data : a data acquisition and transfer system (processing unit) comprising means for passively coupling to a respective said communications network in a respective store to receive respective input and controller transaction data without introducing any signals into said communications network , storage means , means responsive to received transaction data corresponding to said identification indicia for storing in said storage means said received input and controller transaction data and instructions relating to each transaction made by a selected shopper to the exclusion of transaction data and instructions relating to transactions made by shoppers other than selected shoppers , means for reading out said stored transaction data from said storage means , and means for transferring said read out stored transaction data to said central station .

US5490060A
CLAIM 18
. A method as set forth in claim 17 wherein said step of parsing further includes the step of : parsing each transaction file (intermediary computing) by separate market research file structures .

US5490060A
CLAIM 32
. In a system for market research wherein data are gathered at a central station from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia : a market research data monitor including a buffer ;
nonvolatile storage means for storing purchase transaction records (intermediary computing) ;
programmed means for executing a communications program at a particular time of day to transfer stored purchase transaction records from said nonvolatile storage means to a central station ;
programmed means for executing a real time monitor program on an interrupt basis to store in said buffer purchase transaction records of all purchases made by selected shoppers as they occur ;
and programmed means for executing a data storage program when said communications program is not executing to transfer the nonvolatile storage of said purchase transaction records on a periodic basis from said buffer to said nonvolatile storage means .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (transfer system) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US5490060A
CLAIM 12
. In a system for market research wherein data are gathered at a central station from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia , and each of said stores having a data processing controller connected by a communications network to a plurality of transaction terminals at which input transaction data in respect to transactions with respective shoppers are entered , including transaction data corresponding to universal product codes for respective items bought and the respective identification indicia , such input transaction data being communicated to the respective controller over said communications network , and controller data from said respective controller being communicated to the respective terminals over said communications system , said controller data including controller transaction data related to the same transactions as respective input transaction data : a data acquisition and transfer system (processing unit) comprising means for passively coupling to a respective said communications network in a respective store to receive respective input and controller transaction data without introducing any signals into said communications network , storage means , means responsive to received transaction data corresponding to said identification indicia for storing in said storage means said received input and controller transaction data and instructions relating to each transaction made by a selected shopper to the exclusion of transaction data and instructions relating to transactions made by shoppers other than selected shoppers , means for reading out said stored transaction data from said storage means , and means for transferring said read out stored transaction data to said central station .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data storage) .
US5490060A
CLAIM 32
. In a system for market research wherein data are gathered at a central station from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia : a market research data monitor including a buffer ;
nonvolatile storage means for storing purchase transaction records ;
programmed means for executing a communications program at a particular time of day to transfer stored purchase transaction records from said nonvolatile storage means to a central station ;
programmed means for executing a real time monitor program on an interrupt basis to store in said buffer purchase transaction records of all purchases made by selected shoppers as they occur ;
and programmed means for executing a data storage (SCSI interface) program when said communications program is not executing to transfer the nonvolatile storage of said purchase transaction records on a periodic basis from said buffer to said nonvolatile storage means .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5490060A
CLAIM 2
. A data collection method for the market research of a plurality of individual stores for the purchases of predetermined consumers forming a buying panel , wherein each store has a plurality of point-of-sale terminals which communicate data transactions in an SDLC format over a network loop to a central store computer , said method comprising : (a) passively monitoring data transactions on said network ;
(b) assembling from said monitored data transactions data frames corresponding to respective data transactions ;
(c) selecting from all of said data frames , data frames of at least one particular type ;
(d) sorting said selected frames based upon an information (network destination) field which contains information indicating the beginning and the end of a respective purchasing transaction ;
(e) temporarily storing said selected data frames corresponding to a respective purchasing transaction ;
(f) searching said temporarily stored selected data frames for panelist identification ;
and (g) storing said searched selected data frames corresponding to a respective purchasing transaction when any of them include said panelist identification .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access (nonvolatile memory) to the NAD over a device interface if the request is allowed .
US5490060A
CLAIM 13
. A method for electronically collecting market research information from a plurality of sales locations wherein the information is collected from each of the sales locations and transmitted to a host processor for subsequent evaluation , and wherein each of said sales locations has at least one automatic checkout system including a plurality of point-of-sale terminals communicating with a store controller over a communications network , said method comprising : passively monitoring communications between the store controller and each of said point-of-sale terminals ;
separating relevant market research data from said communications ;
forming market research file structures compatible with the host processor ;
storing said market research file structures in nonvolatile memory (different operating, managing access) ;
and periodically transferring said market research file structures to the host processor .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (data storage) .
US5490060A
CLAIM 32
. In a system for market research wherein data are gathered at a central station from a plurality of individual stores in respect to transactions made by respective selected shoppers , said selected shoppers having respective identification indicia : a market research data monitor including a buffer ;
nonvolatile storage means for storing purchase transaction records ;
programmed means for executing a communications program at a particular time of day to transfer stored purchase transaction records from said nonvolatile storage means to a central station ;
programmed means for executing a real time monitor program on an interrupt basis to store in said buffer purchase transaction records of all purchases made by selected shoppers as they occur ;
and programmed means for executing a data storage (SCSI interface) program when said communications program is not executing to transfer the nonvolatile storage of said purchase transaction records on a periodic basis from said buffer to said nonvolatile storage means .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5161192A

Filed: 1990-11-07     Issued: 1992-11-03

Repeaters for secure local area networks

(Original Assignee) 3Com Technologies Ltd     (Current Assignee) 3Com Ireland

Steven H. Carter, Terence D. Lockyer, Christopher J. Gahan
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5161192A
CLAIM 1
. A repeater for use in a local area data network for providing communication between a plurality of network connected devices connected to the repeater , which data network receives data frames of preset format , each of which includes at predetermined positions in the frame segments selected from (i) a destination address segment , a source address segment and a control segment and (ii) a destination address segment , a source address segment , a control segment and at least one further segment selected from a frame identifier segment and a protocol identifier segment , the repeater including : means for receiving incoming data frames and for retransmitting them during a time interval that begins before the complete frame of data has been received ;
means for storing access rules for said network (NAD server) connected devices ;
means for reading at least one of said segments of each incoming data frame and comparing each segment so read with the stored access rules to determine whether the frame is permitted or not ;
and means for corrupting the frame in retransmission if the repeater determines that the frame is not permitted .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5161192A
CLAIM 1
. A repeater for use in a local area data network for providing communication between a plurality of network connected devices connected to the repeater , which data network receives data frames of preset format , each of which includes at predetermined positions in the frame segments selected from (i) a destination address segment , a source address segment and a control segment and (ii) a destination address segment , a source address segment , a control segment and at least one further segment selected from a frame identifier segment and a protocol identifier segment , the repeater including : means for receiving incoming data frames and for retransmitting them during a time interval that begins before the complete frame of data has been received ;
means for storing access rules for said network (NAD server) connected devices ;
means for reading at least one of said segments of each incoming data frame and comparing each segment so read with the stored access rules to determine whether the frame is permitted or not ;
and means for corrupting the frame in retransmission if the repeater determines that the frame is not permitted .

US7739302B2
CLAIM 5
. A local area (local area) network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address, source address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5161192A
CLAIM 1
. A repeater for use in a local area (local area) data network for providing communication between a plurality of network connected devices connected to the repeater , which data network receives data frames of preset format , each of which includes at predetermined positions in the frame segments selected from (i) a destination address (IP addresses) segment , a source address (IP addresses) segment and a control segment and (ii) a destination address segment , a source address segment , a control segment and at least one further segment selected from a frame identifier segment and a protocol identifier segment , the repeater including : means for receiving incoming data frames and for retransmitting them during a time interval that begins before the complete frame of data has been received ;
means for storing access rules for said network connected devices ;
means for reading at least one of said segments of each incoming data frame and comparing each segment so read with the stored access rules to determine whether the frame is permitted or not ;
and means for corrupting the frame in retransmission if the repeater determines that the frame is not permitted .

US7739302B2
CLAIM 17
. The apparatus of claim 12 , wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (binary digit) .
US5161192A
CLAIM 3
. A repeater as claimed in claim 1 in which the said means for corrupting the data frame comprises means for overwriting the data frame with a series of binary digits (application layer) selected from all 1's , all 0's , cyclically repeated sequences and pseudo-random sequences .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer (binary digit) of a network stack .
US5161192A
CLAIM 3
. A repeater as claimed in claim 1 in which the said means for corrupting the data frame comprises means for overwriting the data frame with a series of binary digits (application layer) selected from all 1's , all 0's , cyclically repeated sequences and pseudo-random sequences .




US5223699A

Filed: 1990-11-05     Issued: 1993-06-29

Recording and billing system

(Original Assignee) Nokia Bell Labs     (Current Assignee) Nokia Bell Labs ; AT&T Corp

Lorraine Flynn, Chester J. Oldakowski, Jr.
US7739302B2
CLAIM 1
. A network arrangement (first codes) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second data) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5223699A
CLAIM 1
. A method of billing for usage of a telephone network , comprising the steps of : (a) assigning to an authorized user of said telephone network , a first authorization/billing code , and a second , associated authorization/billing code , said first code being indicative of authorization to use said telephone network , said first code having a format which is accepted as a valid authorization code for use of said telephone network and said second code having a format different from the format of said first authorization code which is accepted as a valid authorization code for obtaining other goods and services ;
(b) storing information including said first code in a first database and storing information including said second code in a second database (data packet) ;
(c) responsive to the application to said telephone network by said authorized user of information defining said first authorization code indicative of a desire to use said telephone network , verifying the validity of said first authorization code , said verification step including : (i) communicating said first code , via said telephone network , to said first database , and (ii) analyzing said first code to determine its validity based upon said stored information in said first database ;
(d) responsive to said verifying step , permitting the desired use of said telephone network by said user based upon a determination of the validity of said first authorization code ;
(e) transmitting , after said telephone network is used , call billing information regarding said usage to said second database , said call billing information including said first code but not said second code assigned to said user ;
(f) identifying , in said second database , said second code associated with said first code included in said call billing information , and (g) billing the user that was authorized to use said second authorization code , for both said telephone network usage and for any other goods and services obtained by use of said second authorization code .

US5223699A
CLAIM 3
. A method of joint billing for usage of first and second services , comprising the steps of : (a) storing in a first processor , information including first codes (network arrangement) assigned to authorized users of said first services , and storing in a second processor information including second codes assigned to authorized users of said second services , said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services , each of said first codes corresponding to at least one of said second codes ;
(b) allowing use of said first services by a particular user by verifying , at the time said first services are used , the validity of a particular one of said first codes , said verification step including : (i) communicating said particular first code to said first processor , and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code ;
(c) allowing use of said second services by said particular user by verifying , at the time said second services are used , the validity of a particular one of said second codes , said verification step including : (i) communicating said particular second code to said second processor , and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code ;
(d) transmitting , after said first service is used , billing information regarding usage of said first service by said particular user to a third processor , said billing information including said particular first code ;
(e) transmitting , after said second service is used , billing information regarding usage of said second service by said particular user to said third processor , said billing information including said second code ;
(f) retrieving in said third processor , billing information associated with said particular first code and with the corresponding at least one of said second codes ;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service .

US7739302B2
CLAIM 2
. The network arrangement (first codes) of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating (processor information) systems .
US5223699A
CLAIM 3
. A method of joint billing for usage of first and second services , comprising the steps of : (a) storing in a first processor , information including first codes (network arrangement) assigned to authorized users of said first services , and storing in a second processor information (different operating) including second codes assigned to authorized users of said second services , said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services , each of said first codes corresponding to at least one of said second codes ;
(b) allowing use of said first services by a particular user by verifying , at the time said first services are used , the validity of a particular one of said first codes , said verification step including : (i) communicating said particular first code to said first processor , and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code ;
(c) allowing use of said second services by said particular user by verifying , at the time said second services are used , the validity of a particular one of said second codes , said verification step including : (i) communicating said particular second code to said second processor , and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code ;
(d) transmitting , after said first service is used , billing information regarding usage of said first service by said particular user to a third processor , said billing information including said particular first code ;
(e) transmitting , after said second service is used , billing information regarding usage of said second service by said particular user to said third processor , said billing information including said second code ;
(f) retrieving in said third processor , billing information associated with said particular first code and with the corresponding at least one of said second codes ;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service .

US7739302B2
CLAIM 3
. The network arrangement (first codes) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5223699A
CLAIM 3
A method of joint billing for usage of first and second services, comprising the steps of: (a) storing in a first processor, information including first codes (network arrangement) assigned to authorized users of said first services, and storing in a second processor information including second codes assigned to authorized users of said second services, said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services, each of said first codes corresponding to at least one of said second codes;
(b) allowing use of said first services by a particular user by verifying, at the time said first services are used, the validity of a particular one of said first codes, said verification step including: (i) communicating said particular first code to said first processor, and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code;
(c) allowing use of said second services by said particular user by verifying, at the time said second services are used, the validity of a particular one of said second codes, said verification step including: (i) communicating said particular second code to said second processor, and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code;
(d) transmitting, after said first service is used, billing information regarding usage of said first service by said particular user to a third processor, said billing information including said particular first code;
(e) transmitting, after said second service is used, billing information regarding usage of said second service by said particular user to said third processor, said billing information including said second code;
(f) retrieving in said third processor, billing information associated with said particular first code and with the corresponding at least one of said second codes;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service.

US7739302B2
CLAIM 4
The network arrangement (first codes) of claim 1, wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (second data) containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US5223699A
CLAIM 1
A method of billing for usage of a telephone network, comprising the steps of: (a) assigning to an authorized user of said telephone network, a first authorization/billing code, and a second, associated authorization/billing code, said first code being indicative of authorization to use said telephone network, said first code having a format which is accepted as a valid authorization code for use of said telephone network and said second code having a format different from the format of said first authorization code which is accepted as a valid authorization code for obtaining other goods and services;
(b) storing information including said first code in a first database and storing information including said second code in a second data (data packet) base;
(c) responsive to the application to said telephone network by said authorized user of information defining said first authorization code indicative of a desire to use said telephone network, verifying the validity of said first authorization code, said verification step including: (i) communicating said first code, via said telephone network, to said first database, and (ii) analyzing said first code to determine its validity based upon said stored information in said first database;
(d) responsive to said verifying step, permitting the desired use of said telephone network by said user based upon a determination of the validity of said first authorization code;
(e) transmitting, after said telephone network is used, call billing information regarding said usage to said second database, said call billing information including said first code but not said second code assigned to said user;
(f) identifying, in said second database, said second code associated with said first code included in said call billing information, and (g) billing the user that was authorized to use said second authorization code, for both said telephone network usage and for any other goods and services obtained by use of said second authorization code.

US5223699A
CLAIM 3
A method of joint billing for usage of first and second services, comprising the steps of: (a) storing in a first processor, information including first codes (network arrangement) assigned to authorized users of said first services, and storing in a second processor information including second codes assigned to authorized users of said second services, said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services, each of said first codes corresponding to at least one of said second codes;
(b) allowing use of said first services by a particular user by verifying, at the time said first services are used, the validity of a particular one of said first codes, said verification step including: (i) communicating said particular first code to said first processor, and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code;
(c) allowing use of said second services by said particular user by verifying, at the time said second services are used, the validity of a particular one of said second codes, said verification step including: (i) communicating said particular second code to said second processor, and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code;
(d) transmitting, after said first service is used, billing information regarding usage of said first service by said particular user to a third processor, said billing information including said particular first code;
(e) transmitting, after said second service is used, billing information regarding usage of said second service by said particular user to said third processor, said billing information including said second code;
(f) retrieving in said third processor, billing information associated with said particular first code and with the corresponding at least one of said second codes;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service.

US7739302B2
CLAIM 5
A local area network arrangement (first codes) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet (second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US5223699A
CLAIM 1
A method of billing for usage of a telephone network, comprising the steps of: (a) assigning to an authorized user of said telephone network, a first authorization/billing code, and a second, associated authorization/billing code, said first code being indicative of authorization to use said telephone network, said first code having a format which is accepted as a valid authorization code for use of said telephone network and said second code having a format different from the format of said first authorization code which is accepted as a valid authorization code for obtaining other goods and services;
(b) storing information including said first code in a first database and storing information including said second code in a second data (data packet) base;
(c) responsive to the application to said telephone network by said authorized user of information defining said first authorization code indicative of a desire to use said telephone network, verifying the validity of said first authorization code, said verification step including: (i) communicating said first code, via said telephone network, to said first database, and (ii) analyzing said first code to determine its validity based upon said stored information in said first database;
(d) responsive to said verifying step, permitting the desired use of said telephone network by said user based upon a determination of the validity of said first authorization code;
(e) transmitting, after said telephone network is used, call billing information regarding said usage to said second database, said call billing information including said first code but not said second code assigned to said user;
(f) identifying, in said second database, said second code associated with said first code included in said call billing information, and (g) billing the user that was authorized to use said second authorization code, for both said telephone network usage and for any other goods and services obtained by use of said second authorization code.

US5223699A
CLAIM 3
A method of joint billing for usage of first and second services, comprising the steps of: (a) storing in a first processor, information including first codes (network arrangement) assigned to authorized users of said first services, and storing in a second processor information including second codes assigned to authorized users of said second services, said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services, each of said first codes corresponding to at least one of said second codes;
(b) allowing use of said first services by a particular user by verifying, at the time said first services are used, the validity of a particular one of said first codes, said verification step including: (i) communicating said particular first code to said first processor, and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code;
(c) allowing use of said second services by said particular user by verifying, at the time said second services are used, the validity of a particular one of said second codes, said verification step including: (i) communicating said particular second code to said second processor, and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code;
(d) transmitting, after said first service is used, billing information regarding usage of said first service by said particular user to a third processor, said billing information including said particular first code;
(e) transmitting, after said second service is used, billing information regarding usage of said second service by said particular user to said third processor, said billing information including said second code;
(f) retrieving in said third processor, billing information associated with said particular first code and with the corresponding at least one of said second codes;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service.

US7739302B2
CLAIM 6
The network arrangement (first codes) of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface.
US5223699A
CLAIM 1
A method of billing for usage of a telephone network, comprising the steps of: (a) assigning to an authorized user of said telephone network, a first authorization/billing code, and a second, associated authorization/billing code, said first code being indicative of authorization to use said telephone network, said first code having a format which is accepted as a valid authorization code for use of said telephone network and said second code having a format different from the format of said first authorization code which is accepted as a valid authorization code for obtaining other goods and services;
(b) storing information including said first code in a first database and storing information including said second code in a second data (data packet) base;
(c) responsive to the application to said telephone network by said authorized user of information defining said first authorization code indicative of a desire to use said telephone network, verifying the validity of said first authorization code, said verification step including: (i) communicating said first code, via said telephone network, to said first database, and (ii) analyzing said first code to determine its validity based upon said stored information in said first database;
(d) responsive to said verifying step, permitting the desired use of said telephone network by said user based upon a determination of the validity of said first authorization code;
(e) transmitting, after said telephone network is used, call billing information regarding said usage to said second database, said call billing information including said first code but not said second code assigned to said user;
(f) identifying, in said second database, said second code associated with said first code included in said call billing information, and (g) billing the user that was authorized to use said second authorization code, for both said telephone network usage and for any other goods and services obtained by use of said second authorization code.

US5223699A
CLAIM 3
A method of joint billing for usage of first and second services, comprising the steps of: (a) storing in a first processor, information including first codes (network arrangement) assigned to authorized users of said first services, and storing in a second processor information including second codes assigned to authorized users of said second services, said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services, each of said first codes corresponding to at least one of said second codes;
(b) allowing use of said first services by a particular user by verifying, at the time said first services are used, the validity of a particular one of said first codes, said verification step including: (i) communicating said particular first code to said first processor, and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code;
(c) allowing use of said second services by said particular user by verifying, at the time said second services are used, the validity of a particular one of said second codes, said verification step including: (i) communicating said particular second code to said second processor, and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code;
(d) transmitting, after said first service is used, billing information regarding usage of said first service by said particular user to a third processor, said billing information including said particular first code;
(e) transmitting, after said second service is used, billing information regarding usage of said second service by said particular user to said third processor, said billing information including said second code;
(f) retrieving in said third processor, billing information associated with said particular first code and with the corresponding at least one of said second codes;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service.

US7739302B2
CLAIM 7
The network arrangement (first codes) of claim 5, wherein the internal firewall management component is further configured to determine whether the header contains a valid source address.
US5223699A
CLAIM 3
A method of joint billing for usage of first and second services, comprising the steps of: (a) storing in a first processor, information including first codes (network arrangement) assigned to authorized users of said first services, and storing in a second processor information including second codes assigned to authorized users of said second services, said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services, each of said first codes corresponding to at least one of said second codes;
(b) allowing use of said first services by a particular user by verifying, at the time said first services are used, the validity of a particular one of said first codes, said verification step including: (i) communicating said particular first code to said first processor, and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code;
(c) allowing use of said second services by said particular user by verifying, at the time said second services are used, the validity of a particular one of said second codes, said verification step including: (i) communicating said particular second code to said second processor, and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code;
(d) transmitting, after said first service is used, billing information regarding usage of said first service by said particular user to a third processor, said billing information including said particular first code;
(e) transmitting, after said second service is used, billing information regarding usage of said second service by said particular user to said third processor, said billing information including said second code;
(f) retrieving in said third processor, billing information associated with said particular first code and with the corresponding at least one of said second codes;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service.

US7739302B2
CLAIM 8
The network arrangement (first codes) of claim 5, wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address.
US5223699A
CLAIM 3
A method of joint billing for usage of first and second services, comprising the steps of: (a) storing in a first processor, information including first codes (network arrangement) assigned to authorized users of said first services, and storing in a second processor information including second codes assigned to authorized users of said second services, said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services, each of said first codes corresponding to at least one of said second codes;
(b) allowing use of said first services by a particular user by verifying, at the time said first services are used, the validity of a particular one of said first codes, said verification step including: (i) communicating said particular first code to said first processor, and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code;
(c) allowing use of said second services by said particular user by verifying, at the time said second services are used, the validity of a particular one of said second codes, said verification step including: (i) communicating said particular second code to said second processor, and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code;
(d) transmitting, after said first service is used, billing information regarding usage of said first service by said particular user to a third processor, said billing information including said particular first code;
(e) transmitting, after said second service is used, billing information regarding usage of said second service by said particular user to said third processor, said billing information including said second code;
(f) retrieving in said third processor, billing information associated with said particular first code and with the corresponding at least one of said second codes;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service.

US7739302B2
CLAIM 9
The network arrangement (first codes) of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet (second data) to the proper port;

and at the proper port, provide the requested network access to the NAD.
US5223699A
CLAIM 1
A method of billing for usage of a telephone network, comprising the steps of: (a) assigning to an authorized user of said telephone network, a first authorization/billing code, and a second, associated authorization/billing code, said first code being indicative of authorization to use said telephone network, said first code having a format which is accepted as a valid authorization code for use of said telephone network and said second code having a format different from the format of said first authorization code which is accepted as a valid authorization code for obtaining other goods and services;
(b) storing information including said first code in a first database and storing information including said second code in a second data (data packet) base;
(c) responsive to the application to said telephone network by said authorized user of information defining said first authorization code indicative of a desire to use said telephone network, verifying the validity of said first authorization code, said verification step including: (i) communicating said first code, via said telephone network, to said first database, and (ii) analyzing said first code to determine its validity based upon said stored information in said first database;
(d) responsive to said verifying step, permitting the desired use of said telephone network by said user based upon a determination of the validity of said first authorization code;
(e) transmitting, after said telephone network is used, call billing information regarding said usage to said second database, said call billing information including said first code but not said second code assigned to said user;
(f) identifying, in said second database, said second code associated with said first code included in said call billing information, and (g) billing the user that was authorized to use said second authorization code, for both said telephone network usage and for any other goods and services obtained by use of said second authorization code.

US5223699A
CLAIM 3
A method of joint billing for usage of first and second services, comprising the steps of: (a) storing in a first processor, information including first codes (network arrangement) assigned to authorized users of said first services, and storing in a second processor information including second codes assigned to authorized users of said second services, said first codes having a first format that is accepted as valid authorization to use said first services and said second codes having a second format different from said first format that is accepted as valid authorization to use said second services, each of said first codes corresponding to at least one of said second codes;
(b) allowing use of said first services by a particular user by verifying, at the time said first services are used, the validity of a particular one of said first codes, said verification step including: (i) communicating said particular first code to said first processor, and (ii) comparing said particular first code with said stored information to determine the validity of said particular first code;
(c) allowing use of said second services by said particular user by verifying, at the time said second services are used, the validity of a particular one of said second codes, said verification step including: (i) communicating said particular second code to said second processor, and (ii) comparing said particular second code with said stored information to determine the validity of said particular second code;
(d) transmitting, after said first service is used, billing information regarding usage of said first service by said particular user to a third processor, said billing information including said particular first code;
(e) transmitting, after said second service is used, billing information regarding usage of said second service by said particular user to said third processor, said billing information including said second code;
(f) retrieving in said third processor, billing information associated with said particular first code and with the corresponding at least one of said second codes;
and (g) combining billing information obtained in said retrieving step so as to create a single record for billing said particular authorized user for usage of both said first service and said second service.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5223699A
CLAIM 1
A method of billing for usage of a telephone network, comprising the steps of: (a) assigning to an authorized user of said telephone network, a first authorization/billing code, and a second, associated authorization/billing code, said first code being indicative of authorization to use said telephone network, said first code having a format which is accepted as a valid authorization code for use of said telephone network and said second code having a format different from the format of said first authorization code which is accepted as a valid authorization code for obtaining other goods and services;
(b) storing information including said first code in a first database and storing information including said second code in a second data (data packet) base;
(c) responsive to the application to said telephone network by said authorized user of information defining said first authorization code indicative of a desire to use said telephone network, verifying the validity of said first authorization code, said verification step including: (i) communicating said first code, via said telephone network, to said first database, and (ii) analyzing said first code to determine its validity based upon said stored information in said first database;
(d) responsive to said verifying step, permitting the desired use of said telephone network by said user based upon a determination of the validity of said first authorization code;
(e) transmitting, after said telephone network is used, call billing information regarding said usage to said second database, said call billing information including said first code but not said second code assigned to said user;
(f) identifying, in said second database, said second code associated with said first code included in said call billing information, and (g) billing the user that was authorized to use said second authorization code, for both said telephone network usage and for any other goods and services obtained by use of said second authorization code.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5223699A
CLAIM 1
A method of billing for usage of a telephone network, comprising the steps of: (a) assigning to an authorized user of said telephone network, a first authorization/billing code, and a second, associated authorization/billing code, said first code being indicative of authorization to use said telephone network, said first code having a format which is accepted as a valid authorization code for use of said telephone network and said second code having a format different from the format of said first authorization code which is accepted as a valid authorization code for obtaining other goods and services;
(b) storing information including said first code in a first database and storing information including said second code in a second data (data packet) base;
(c) responsive to the application to said telephone network by said authorized user of information defining said first authorization code indicative of a desire to use said telephone network, verifying the validity of said first authorization code, said verification step including: (i) communicating said first code, via said telephone network, to said first database, and (ii) analyzing said first code to determine its validity based upon said stored information in said first database;
(d) responsive to said verifying step, permitting the desired use of said telephone network by said user based upon a determination of the validity of said first authorization code;
(e) transmitting, after said telephone network is used, call billing information regarding said usage to said second database, said call billing information including said first code but not said second code assigned to said user;
(f) identifying, in said second database, said second code associated with said first code included in said call billing information, and (g) billing the user that was authorized to use said second authorization code, for both said telephone network usage and for any other goods and services obtained by use of said second authorization code.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet (second data), the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5223699A
CLAIM 1
A method of billing for usage of a telephone network, comprising the steps of: (a) assigning to an authorized user of said telephone network, a first authorization/billing code, and a second, associated authorization/billing code, said first code being indicative of authorization to use said telephone network, said first code having a format which is accepted as a valid authorization code for use of said telephone network and said second code having a format different from the format of said first authorization code which is accepted as a valid authorization code for obtaining other goods and services;
(b) storing information including said first code in a first database and storing information including said second code in a second database (data packet);
(c) responsive to the application to said telephone network by said authorized user of information defining said first authorization code indicative of a desire to use said telephone network, verifying the validity of said first authorization code, said verification step including: (i) communicating said first code, via said telephone network, to said first database, and (ii) analyzing said first code to determine its validity based upon said stored information in said first database;
(d) responsive to said verifying step, permitting the desired use of said telephone network by said user based upon a determination of the validity of said first authorization code;
(e) transmitting, after said telephone network is used, call billing information regarding said usage to said second database, said call billing information including said first code but not said second code assigned to said user;
(f) identifying, in said second database, said second code associated with said first code included in said call billing information, and (g) billing the user that was authorized to use said second authorization code, for both said telephone network usage and for any other goods and services obtained by use of said second authorization code.
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5159592A

Filed: 1990-10-29     Issued: 1992-10-27

Network address management for a wired network supporting wireless communication to a plurality of mobile users

(Original Assignee) International Business Machines Corp     (Current Assignee) International Business Machines Corp

Charles E. Perkins
US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface (wireless Local Area Network).
US5159592A
CLAIM 13
In a data communications network comprised of a wired network and a wireless network, apparatus for managing the bidirectional transmission of information between the wired network and at least one mobile communication unit in wireless communications with the wired network over the wireless network, the data communications network being characterized in that users of the data communications network are each assigned a unique network address, comprising: local gateway means, coupled between a wireless Local Area Network (network interface) (LAN) and the wired network, for communicating with a mobile communication unit;
and global gateway means coupled to the local gateway means and to remote users of the data communications network, the global gateway means including means for maintaining a plurality of network addresses, means for receiving a request for an assignment of a network address from the mobile communication unit, means for assigning one of the plurality of network addresses to the requesting mobile communication unit;
and means for routing data received from a remote user, the data having an address corresponding to the assigned network address, to the mobile communication unit having the assigned address.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface (wireless Local Area Network) coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5159592A
CLAIM 13
In a data communications network comprised of a wired network and a wireless network, apparatus for managing the bidirectional transmission of information between the wired network and at least one mobile communication unit in wireless communications with the wired network over the wireless network, the data communications network being characterized in that users of the data communications network are each assigned a unique network address, comprising: local gateway means, coupled between a wireless Local Area Network (network interface) (LAN) and the wired network, for communicating with a mobile communication unit;
and global gateway means coupled to the local gateway means and to remote users of the data communications network, the global gateway means including means for maintaining a plurality of network addresses, means for receiving a request for an assignment of a network address from the mobile communication unit, means for assigning one of the plurality of network addresses to the requesting mobile communication unit;
and means for routing data received from a remote user, the data having an address corresponding to the assigned network address, to the mobile communication unit having the assigned address.

US7739302B2
CLAIM 13
The apparatus of claim 12 wherein the instructions, when executed, further cause the processing unit to determine whether each packet arrived via an authorized network interface (wireless Local Area Network).
US5159592A
CLAIM 13
In a data communications network comprised of a wired network and a wireless network, apparatus for managing the bidirectional transmission of information between the wired network and at least one mobile communication unit in wireless communications with the wired network over the wireless network, the data communications network being characterized in that users of the data communications network are each assigned a unique network address, comprising: local gateway means, coupled between a wireless Local Area Network (network interface) (LAN) and the wired network, for communicating with a mobile communication unit;
and global gateway means coupled to the local gateway means and to remote users of the data communications network, the global gateway means including means for maintaining a plurality of network addresses, means for receiving a request for an assignment of a network address from the mobile communication unit, means for assigning one of the plurality of network addresses to the requesting mobile communication unit;
and means for routing data received from a remote user, the data having an address corresponding to the assigned network address, to the mobile communication unit having the assigned address.

US7739302B2
CLAIM 15
The apparatus of claim 13, wherein the instructions, when executed, enable the processing unit to selectively generate a packet for communication to an intermediary computing (mobile communications) device, the selectively generated packet containing the request for access to the directly attached device.
US5159592A
CLAIM 19
In a data communications network comprised of a wired network and a wireless network, a method for managing the bidirectional transmission of information between the wired network and at least one mobile communication unit in wireless communication with the wired network over the wireless network, the data communications network being characterized in that users of the data communications network are each assigned a unique network address, comprising the steps of: maintaining a plurality of the unique network addresses with a global gateway means, the global gateway means being bidirectionally coupled to a local gateway means, through the wired network, and also to remote users of the data communications network, the local gateway means being coupled between the wireless and the wired network;
receiving, at the global gateway means, a request for an assignment of the network address from a mobile communication unit;
in response to the received request, assigning one of the plurality of network addresses to the requesting mobile communication unit;
and in response to a message received from a remote user, the message having an address that corresponds to the assigned network address, routing the message from the global gateway to the local gateway means, and from the local gateway means to the wireless network for reception by the mobile communications (intermediary computing) unit having the assigned network address.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (unique identifiers).
US5159592A
CLAIM 10
A method as set forth in claim 9 wherein the step of assigning assigns a single network address to a plurality of mobile communication units, the assigned network address including, for each of the plurality of mobile communication units, the respective one of the unique identifiers (application layer) so as to differentiate the plurality of mobile communication units one from another.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (unique identifiers) of a network stack.
US5159592A
CLAIM 10
A method as set forth in claim 9 wherein the step of assigning assigns a single network address to a plurality of mobile communication units, the assigned network address including, for each of the plurality of mobile communication units, the respective one of the unique identifiers (application layer) so as to differentiate the plurality of mobile communication units one from another.
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5124984A

Filed: 1990-08-07     Issued: 1992-06-23

Access controller for local area network

(Original Assignee) Concord Communications LLC     (Current Assignee) Concord Communications LLC

Ferdinand Engel
US7739302B2
CLAIM 1
A network arrangement (link layer) comprising: a network client (network access, network layer) and at least one network attached device (NAD) residing on a same network;

a NAD server (said network) disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet (data packet) for network access (network access, network layer) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5124984A
CLAIM 6
An access controller as in claim 5 wherein said network (NAD server) includes another access controller connected to the physical medium, said another access controller includes means for transmitting an access termination signal, and wherein said access controller additionally comprises: means for shutting down the access controller for a predetermined period of time if an access controller identification signal transmitted by said another access controller is detected on the medium.

US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US5124984A
CLAIM 11
An access controller as in claim 1 wherein the means for detecting packets detects network layer (network access, network client, providing network access) packets.

US5124984A
CLAIM 15
A network access (network access, network client, providing network access) controller comprising: an interface circuit, connected to transmit and detect data packets (data packet) on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 2
The network arrangement (link layer) of claim 1, wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access (network access, network layer) to the NAD from a plurality of network clients having different operating systems.
US5124984A
CLAIM 6
An access controller as in claim 5 wherein said network (NAD server) includes another access controller connected to the physical medium, said another access controller includes means for transmitting an access termination signal, and wherein said access controller additionally comprises: means for shutting down the access controller for a predetermined period of time if an access controller identification signal transmitted by said another access controller is detected on the medium.

US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US5124984A
CLAIM 11
An access controller as in claim 1 wherein the means for detecting packets detects network layer (network access, network client, providing network access) packets.

US5124984A
CLAIM 15
A network access (network access, network client, providing network access) controller comprising: an interface circuit, connected to transmit and detect data packets on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 3
The network arrangement (link layer) of claim 1, wherein the computer-executable instructions comprise distributed program modules.
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US7739302B2
CLAIM 4
The network arrangement (link layer) of claim 1, wherein the step of determining whether the request for network access (network access, network layer) to the NAD is authorized comprises determining whether information in the header of a received data packet (data packet) containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US5124984A
CLAIM 11
An access controller as in claim 1 wherein the means for detecting packets detects network layer (network access, network client, providing network access) packets.

US5124984A
CLAIM 15
A network access (network access, network client, providing network access) controller comprising: an interface circuit, connected to transmit and detect data packets (data packet) on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 5
A local area network arrangement (link layer) comprising a network client (network access, network layer) and at least one network attached device (NAD) disposed in electronic communication (exchanging data) with each other over a same network, the NAD comprising;

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (network access, network layer) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet (data packet) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address, source address) contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US5124984A
CLAIM 11
An access controller as in claim 1 wherein the means for detecting packets detects network layer (network access, network client, providing network access) packets.

US5124984A
CLAIM 15
A network access (network access, network client, providing network access) controller comprising: an interface circuit, connected to transmit and detect data packets (data packet) on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US5124984A
CLAIM 18
An access controller as in claim 1 additionally comprising: means for detecting a station address indicated by a destination field in the detected packet, and wherein the access termination signal transmitted by the access controller is a packet having a source address (IP addresses) field set equal to the destination field in the detected packet, and a field indicating that the station specified by the destination field in the detected packet is not able to receive packets.

US5124984A
CLAIM 32
A method as in claim 22 wherein the detected packet includes a source address field and a destination address (IP addresses) field, and the step of transmitting an access termination signal includes the steps of transmitting a connection termination packet to a station indicated by the source address field;
and transmitting a connection termination packet to a station indicated by the destination address field.

US5124984A
CLAIM 40
A method for preventing unauthorized accesses to a communication medium shared by a plurality of network stations which communicate by exchanging data (electronic communication) packets, the steps of the method performed by an access controller station which masquerades as one of the stations indicated as a destination address in an unauthorized access, the method comprising the steps of: detecting information which indicates the type of data packet presently being communicated on the medium;
comparing the detected data protocol type to a list of authorized data protocol types, to determine if the protocol type presently being communicated on the medium is unauthorized;
and transmitting a reply packet on the medium, the reply packet appearing as a legitimate response by an intended destination station indicated by the detected packet, while terminating the unauthorized access and allowing other authorized accesses to continue.

US7739302B2
CLAIM 6
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (data packet) arrived via an authorized network interface.
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US5124984A
CLAIM 15
A network access controller comprising: an interface circuit, connected to transmit and detect data packets (data packet) on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 7
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header contains a valid source address.
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US7739302B2
CLAIM 8
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address.
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US7739302B2
CLAIM 9
The network arrangement (link layer) of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet (data packet) to the proper port;

and at the proper port, provide the requested network access (network access, network layer) to the NAD.
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link layer (network arrangement) packets.

US5124984A
CLAIM 11
An access controller as in claim 1 wherein the means for detecting packets detects network layer (network access, network client, providing network access) packets.

US5124984A
CLAIM 15
A network access (network access, network client, providing network access) controller comprising: an interface circuit, connected to transmit and detect data packets (data packet) on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (network access, network layer) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (data packet) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5124984A
CLAIM 11
An access controller as in claim 1 wherein the means for detecting packets detects network layer (network access, network client, providing network access) packets.

US5124984A
CLAIM 15
A network access (network access, network client, providing network access) controller comprising: an interface circuit, connected to transmit and detect data packets (data packet) on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (network access, work layer) to the NAD is only available through the server.
US5124984A
CLAIM 11
An access controller as in claim 1 wherein the means for detecting packets detects network layer (network access, network client, providing network access) packets.

US5124984A
CLAIM 15
A network access (network access, network client, providing network access) controller comprising: an interface circuit, connected to transmit and detect data packets on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (data packet) containing the request for network access (network access, work layer) includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5124984A
CLAIM 11
An access controller as in claim 1 wherein the means for detecting packets detects network layer (network access, network client, providing network access) packets.

US5124984A
CLAIM 15
A network access (network access, network client, providing network access) controller comprising: an interface circuit, connected to transmit and detect data packets (data packet) on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 17
The apparatus of claim 12, wherein the denying and allowing of the requests for access to the directly attached device are performed at an application layer (data link).
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link (application layer) layer packets.

US7739302B2
CLAIM 18
The apparatus of claim 12, wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (communication protocol).
US5124984A
CLAIM 41
A method for preventing a selected attempted communication by a first station with a second station within a network of stations connected by a physical medium, where the communication is being attempted in accordance with a packet-type communication protocol (network protocols) which provides a mechanism for effecting termination of the communication, said method comprising the steps of: detecting the presence on the medium of a packet representing said selected attempted communication;
and preventing said selected attempted communication by said first station by originating on said physical medium an access prevention signal in accordance with said communication terminating mechanism, while allowing other communications by said first station to continue.

US7739302B2
CLAIM 19
The apparatus of claim 18 wherein one of the plurality of network protocols (communication protocol) is TCP/IP.
US5124984A
CLAIM 41
A method for preventing a selected attempted communication by a first station with a second station within a network of stations connected by a physical medium, where the communication is being attempted in accordance with a packet-type communication protocol (network protocols) which provides a mechanism for effecting termination of the communication, said method comprising the steps of: detecting the presence on the medium of a packet representing said selected attempted communication;
and preventing said selected attempted communication by said first station by originating on said physical medium an access prevention signal in accordance with said communication terminating mechanism, while allowing other communications by said first station to continue.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet (data packet), the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5124984A
CLAIM 15
A network access controller comprising: an interface circuit, connected to transmit and detect data packets (data packet) on a physical medium shared by a plurality of network stations;
a memory, having stored therein data which represents a list of authorized network access types;
and processor means, connected to the interface circuit and the memory, for receiving a detected packet from the interface circuit, and for comparing the detected packet with the list of authorized network protocol types, to determine whether the detected packet indicates an unauthorized access, and, if the detected packet indicates an unauthorized access, for causing the interface circuit to transmit an access termination signal on the physical medium, the access termination signal selectively terminating the unauthorized access while allowing other authorized accesses to be attempted.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means is further configured to carry out the filtering at an application layer (data link) of a network stack.
US5124984A
CLAIM 9
An access controller as in claim 1 wherein the means for detecting packets detects data link (application layer) layer packets.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5287269A

Filed: 1990-07-09     Issued: 1994-02-15

Apparatus and method for accessing events, areas and activities

(Original Assignee) Boardwalk Starcity Corp     (Current Assignee) Cardtronics Inc

John Dorrough, Steven M. Renfrow
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet (second data, said time) for network access to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (authorizing access).
US5287269A
CLAIM 19
In a facility wherein customers are permitted and denied access to activities that have debit charge associated therewith, a method of controlling access to the activities comprising the steps of: providing a plurality of access cards available for acquisition by a prospective customer, each of the access cards having means for receiving a customer account file identifier encoded thereon;
encoding said access cards as encoded access cards such that there is a unique customer account file identifier for each of said encoded access cards;
issuing encoded access cards to prospective customers for use by said customers in authorizing access (network clients having different operating systems) to selected ones of said activities;
creating customer account files in a central comptroller processor such that there is a unique customer account file corresponding to each of the encoded access cards that are used to authorize access to the activities;
crediting each of the unique customer account files upon receipt of payment from the respective customer who has been issued the respective encoded access card, each said customer being able to allocate said payment to at least two different types of credit, each of said customer account files being created to have credit sub-accounts in one-to-one correspondence with the different types of credit for which the respective said customer has allocated said payment;
and providing an access control station associated with each of the activities, each said access control station including means for inputting into said comptroller processor the account file identifier corresponding to the encoded access card that is used to access a selected activity and the debit charge corresponding to the selected activity, said comptroller processor operative in response to the account file identifier to open the corresponding customer account file and to review whether any of the respective sub-accounts have sufficient credit to authorize access to the selected activity, said comptroller processor issuing to the access control station an approval signal when sufficient credit is available in the respective customer account file and issuing to the access control station a disapproval signal when insufficient credit is available in the respective customer account file, said access control stations responsive respectively to the approval signal and the disapproval signal to grant and deny the respective customer access to the activity.

US7739302B2
CLAIM 3
The network arrangement of claim 1, wherein the computer-executable instructions comprise distributed program modules (data buffer).
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer (program modules) operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (second data, said time) containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet (second data, said time) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.

US7739302B2
CLAIM 6
The network arrangement of claim 5, wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data, said time) arrived via an authorized network interface.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet (second data, said time) to the proper port;

and at the proper port, provide the requested network access to the NAD.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data, said time) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data, said time) containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination, and a route of the data packet (second data, said time), the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means (second data, said time) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.

US7739302B2
CLAIM 28
The apparatus of claim 22, wherein the filtering means (second data, said time) is further configured to carry out the filtering at an application layer of a network stack.
US5287269A
CLAIM 8
An access control system according to claim 1 wherein said credit stations each include a credit processor having a first data buffer operative to receive and retain the account file identifier on the selected access card in response to said first account file signal and operative to receive and retain said credit data in response to said credit data signal, wherein said debit station each include a debit processor having a second data buffer (data packet, filtering means) operative to receive and retain the account file identifier on the selected access card in response to said second account file signal.

US5287269A
CLAIM 18
An access control system according to claim 14 wherein said credit allocation means allows each customer to allocate each said payment among said credit units, said time interval credit (data packet, filtering means) and event credits, said credit input means generating a third credit signal having third credit data representative of a selected event, said comptroller processor means creating a third credit sub-account in response to the third credit signal for a respective customer account file and including means for prioritizing debits among each of said sub-accounts.




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5149945A

Filed: 1990-07-05     Issued: 1992-09-22

Method and coupler for interfacing a portable data carrier with a host processor

(Original Assignee) Micro Card Tech Inc     (Current Assignee) MICRO CARD TECHNOLOGIES Inc A CORP OF TX ; CP8 Technologies ; Bull CP8 ; Micro Card Tech Inc

Jerry W. Johnson, John M. Taskett
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (control signals, other port) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5149945A
CLAIM 9
. A coupler as set forth in claim 6 further including means for interfacing multiple portable data carriers with the receiver transmitter by which communications of each portable data carrier and the receiver transmitter are combined with the communications of each other portable (network protocol programs, electronic communication) data carrier .

US5149945A
CLAIM 13
. A coupler for interfacing a portable data carrier with the receiver transmitter as set forth in claim 12 , further including means for translating asynchronous data from the portable data carrier to the input/output data terminal means and means responsive to the connection of said data carrier to the input/output terminal means for generating control signals (network protocol programs, electronic communication) to enable translation of data from the data carrier to the host processor and data from the host processor to the data carrier and generation of a framing error signal upon detection of an error in the translated data .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (control signals, other port) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5149945A
CLAIM 9
. A coupler as set forth in claim 6 further including means for interfacing multiple portable data carriers with the receiver transmitter by which communications of each portable data carrier and the receiver transmitter are combined with the communications of each other portable (network protocol programs, electronic communication) data carrier .

US5149945A
CLAIM 13
. A coupler for interfacing a portable data carrier with the receiver transmitter as set forth in claim 12 , further including means for translating asynchronous data from the portable data carrier to the input/output data terminal means and means responsive to the connection of said data carrier to the input/output terminal means for generating control signals (network protocol programs, electronic communication) to enable translation of data from the data carrier to the host processor and data from the host processor to the data carrier and generation of a framing error signal upon detection of an error in the translated data .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (bit error) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5149945A
CLAIM 3
. A method as set forth in claim 1 , further including comparing the received and transmitted characters of the data to detect multiple bit errors (receiving requests) .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5309437A

Filed: 1990-06-29     Issued: 1994-05-03

Bridge-like internet protocol router

(Original Assignee) Digital Equipment Corp     (Current Assignee) Enterasys Networks Inc

Radia J. Perlman, G. Paul Koning
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (work layer) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (IP packets) for network access (work layer) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5309437A
CLAIM 8
. A bridge-like IP router as defined in claim 4 , wherein the bridge-like means includes : an ARP database associating each network layer (network client, network access, providing network access) address in attached extended LAN segments with a corresponding data link layer address ;
and means for updating the ARP database by sending ARP messages directed to specific network layer addresses and processing ARP replies that contain the corresponding data link layer addresses .

US5309437A
CLAIM 15
. A method of operation of a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of protocols known as TCP/IP , the method comprising the steps of : configuring an extended local area network (LAN) to include a plurality of extended LAN segments connected by bridge-like IP routers (BLIPs) ;
receiving a packet of data at a BLIP ;
determining whether the packet has been transmitted under TCP/IP protocols ;
processing non-TCP/IP packets (data packet) in the manner of a conventional bridge ;
and processing TCP/IP traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (work layer) to the NAD from a plurality of network clients having different operating systems .
US5309437A
CLAIM 8
. A bridge-like IP router as defined in claim 4 , wherein the bridge-like means includes : an ARP database associating each network layer (network client, network access, providing network access) address in attached extended LAN segments with a corresponding data link layer address ;
and means for updating the ARP database by sending ARP messages directed to specific network layer addresses and processing ARP replies that contain the corresponding data link layer addresses .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (work layer) to the NAD is authorized comprises determining whether information in the header of a received data packet (IP packets) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5309437A
CLAIM 8
. A bridge-like IP router as defined in claim 4 , wherein the bridge-like means includes : an ARP database associating each network layer (network client, network access, providing network access) address in attached extended LAN segments with a corresponding data link layer address ;
and means for updating the ARP database by sending ARP messages directed to specific network layer addresses and processing ARP replies that contain the corresponding data link layer addresses .

US5309437A
CLAIM 15
. A method of operation of a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of protocols known as TCP/IP , the method comprising the steps of : configuring an extended local area network (LAN) to include a plurality of extended LAN segments connected by bridge-like IP routers (BLIPs) ;
receiving a packet of data at a BLIP ;
determining whether the packet has been transmitted under TCP/IP protocols ;
processing non-TCP/IP packets (data packet) in the manner of a conventional bridge ;
and processing TCP/IP traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (work layer) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (work layer) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (IP packets) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (local area networks, address information) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5309437A
CLAIM 1
. For use in a configuration of interconnected local area networks (IP addresses) (LANs) handling message traffic in accordance with a set of inter-network protocols that use a network addressing scheme , a bridge-like IP router (BLIP) , comprising : multiple ports for attaching the BLIP to multiple segments of an extended LAN ;
means for distinguishing received message traffic that uses the inter-network protocols from other message traffic that does not use the protocols ;
bridge means for processing the other message traffic exactly in the manner of a conventional bridge , using unique station addresses to determine how to forward the received message traffic ;
and bridge-like means for processing the inter-network protocol traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP , using network addresses and network segment addresses , instead of unique station addresses , to determine how to forward the message traffic .

US5309437A
CLAIM 2
. A bridge-like IP router as defined in claim 1 , and further comprising : means for processing address resolution messages requesting destination address information (IP addresses) .

US5309437A
CLAIM 8
. A bridge-like IP router as defined in claim 4 , wherein the bridge-like means includes : an ARP database associating each network layer (network client, network access, providing network access) address in attached extended LAN segments with a corresponding data link layer address ;
and means for updating the ARP database by sending ARP messages directed to specific network layer addresses and processing ARP replies that contain the corresponding data link layer addresses .

US5309437A
CLAIM 15
. A method of operation of a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of protocols known as TCP/IP , the method comprising the steps of : configuring an extended local area network (LAN) to include a plurality of extended LAN segments connected by bridge-like IP routers (BLIPs) ;
receiving a packet of data at a BLIP ;
determining whether the packet has been transmitted under TCP/IP protocols ;
processing non-TCP/IP packets (data packet) in the manner of a conventional bridge ;
and processing TCP/IP traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (IP packets) arrived via an authorized network interface .
US5309437A
CLAIM 15
. A method of operation of a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of protocols known as TCP/IP , the method comprising the steps of : configuring an extended local area network (LAN) to include a plurality of extended LAN segments connected by bridge-like IP routers (BLIPs) ;
receiving a packet of data at a BLIP ;
determining whether the packet has been transmitted under TCP/IP protocols ;
processing non-TCP/IP packets (data packet) in the manner of a conventional bridge ;
and processing TCP/IP traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (IP packets) to the proper port ;

and at the proper port , provide the requested network access (work layer) to the NAD .
US5309437A
CLAIM 8
. A bridge-like IP router as defined in claim 4 , wherein the bridge-like means includes : an ARP database associating each network layer (network client, network access, providing network access) address in attached extended LAN segments with a corresponding data link layer address ;
and means for updating the ARP database by sending ARP messages directed to specific network layer addresses and processing ARP replies that contain the corresponding data link layer addresses .

US5309437A
CLAIM 15
. A method of operation of a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of protocols known as TCP/IP , the method comprising the steps of : configuring an extended local area network (LAN) to include a plurality of extended LAN segments connected by bridge-like IP routers (BLIPs) ;
receiving a packet of data at a BLIP ;
determining whether the packet has been transmitted under TCP/IP protocols ;
processing non-TCP/IP packets (data packet) in the manner of a conventional bridge ;
and processing TCP/IP traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (work layer) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (IP packets) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5309437A
CLAIM 8
. A bridge-like IP router as defined in claim 4 , wherein the bridge-like means includes : an ARP database associating each network layer (network client, network access, providing network access) address in attached extended LAN segments with a corresponding data link layer address ;
and means for updating the ARP database by sending ARP messages directed to specific network layer addresses and processing ARP replies that contain the corresponding data link layer addresses .

US5309437A
CLAIM 15
. A method of operation of a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of protocols known as TCP/IP , the method comprising the steps of : configuring an extended local area network (LAN) to include a plurality of extended LAN segments connected by bridge-like IP routers (BLIPs) ;
receiving a packet of data at a BLIP ;
determining whether the packet has been transmitted under TCP/IP protocols ;
processing non-TCP/IP packets (data packet) in the manner of a conventional bridge ;
and processing TCP/IP traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (work layer) to the NAD is only available through the server .
US5309437A
CLAIM 8
. A bridge-like IP router as defined in claim 4 , wherein the bridge-like means includes : an ARP database associating each network layer (network client, network access, providing network access) address in attached extended LAN segments with a corresponding data link layer address ;
and means for updating the ARP database by sending ARP messages directed to specific network layer addresses and processing ARP replies that contain the corresponding data link layer addresses .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (IP packets) containing the request for network access (work layer) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5309437A
CLAIM 8
. A bridge-like IP router as defined in claim 4 , wherein the bridge-like means includes : an ARP database associating each network layer (network client, network access, providing network access) address in attached extended LAN segments with a corresponding data link layer address ;
and means for updating the ARP database by sending ARP messages directed to specific network layer addresses and processing ARP replies that contain the corresponding data link layer addresses .

US5309437A
CLAIM 15
. A method of operation of a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of protocols known as TCP/IP , the method comprising the steps of : configuring an extended local area network (LAN) to include a plurality of extended LAN segments connected by bridge-like IP routers (BLIPs) ;
receiving a packet of data at a BLIP ;
determining whether the packet has been transmitted under TCP/IP protocols ;
processing non-TCP/IP packets (data packet) in the manner of a conventional bridge ;
and processing TCP/IP traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (network addressing, network protocols) .
US5309437A
CLAIM 1
. For use in a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of inter-network protocols (network protocols) that use a network addressing (network protocols) scheme , a bridge-like IP router (BLIP) , comprising : multiple ports for attaching the BLIP to multiple segments of an extended LAN ;
means for distinguishing received message traffic that uses the inter-network protocols from other message traffic that does not use the protocols ;
bridge means for processing the other message traffic exactly in the manner of a conventional bridge , using unique station addresses to determine how to forward the received message traffic ;
and bridge-like means for processing the inter-network protocol traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP , using network addresses and network segment addresses , instead of unique station addresses , to determine how to forward the message traffic .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (network addressing, network protocols) is TCP/IP .
US5309437A
CLAIM 1
. For use in a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of inter-network protocols (network protocols) that use a network addressing (network protocols) scheme , a bridge-like IP router (BLIP) , comprising : multiple ports for attaching the BLIP to multiple segments of an extended LAN ;
means for distinguishing received message traffic that uses the inter-network protocols from other message traffic that does not use the protocols ;
bridge means for processing the other message traffic exactly in the manner of a conventional bridge , using unique station addresses to determine how to forward the received message traffic ;
and bridge-like means for processing the inter-network protocol traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP , using network addresses and network segment addresses , instead of unique station addresses , to determine how to forward the message traffic .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (IP packets) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5309437A
CLAIM 15
. A method of operation of a configuration of interconnected local area networks (LANs) handling message traffic in accordance with a set of protocols known as TCP/IP , the method comprising the steps of : configuring an extended local area network (LAN) to include a plurality of extended LAN segments connected by bridge-like IP routers (BLIPs) ;
receiving a packet of data at a BLIP ;
determining whether the packet has been transmitted under TCP/IP protocols ;
processing non-TCP/IP packets (data packet) in the manner of a conventional bridge ;
and processing TCP/IP traffic in a manner analogous to a bridge , wherein a message packet received from an extended LAN segment attached to the BLIP is forwarded if necessary to at least one other extended LAN segment attached to the BLIP .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5204961A

Filed: 1990-06-25     Issued: 1993-04-20

Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols

(Original Assignee) Digital Equipment Corp     (Current Assignee) DIGITAL Corp A MA CORP ; Hewlett Packard Development Co LP

Douglas C. Barlow
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5204961A
CLAIM 1
. In a computer network having a multiplicity of computers coupled thereto , message transmission apparatus comprising : trust realm defining means for storing information denoting which ones of said computers are members of predefined trust realms ;
wherein for each predefined trust realm there is a corresponding predefined security protocol , enforced by all of each said predefined trust realm's members , for protecting confidentiality of data transmitted between said members of said each predefined trust realm ;
and security apparatus in each of a plurality of said computers , comprising : a trusted computing base which enforces a predefined security policy in said computer and which defines a security level for each set of data stored therein ;
authentication means for authenticating and validating messages sent to another computer via said network (NAD server) ;
each said message comprising data having an associated label denoting how said trusted computing base is to enforce security policy with respect to said message ;
trust realm service means , coupled to said trusted computing base , authentication means and trust realm defining means , for preparing a specified message for transmission to a specified other computer system , including means for obtaining trust realm information stored by said trust realm defining means , verifying that both said computer system and said specified computer system are members of at least one common trust realm , and selecting a trust realm from among said at least one common trust realm , authenticating said message and said label associated with said message , and transmitting to said specified other computer a protocol data unit including said authenticated message and label , and an identifier that identifies said selected trust realm ;
said trust realm service means further including : means for receiving protocol data units transmitted by other ones of said computers via said network , means for validating the message and label in each protocol data unit received by said computer , and means for processing said label and said message in said received protocol data unit in accordance with the predefined security protocol corresponding to the selected trust realm identified by said identifier in said received protocol data unit .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs (received protocol data units) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5204961A
CLAIM 1
. In a computer network having a multiplicity of computers coupled thereto , message transmission apparatus comprising : trust realm defining means for storing information denoting which ones of said computers are members of predefined trust realms ;
wherein for each predefined trust realm there is a corresponding predefined security protocol , enforced by all of each said predefined trust realm's members , for protecting confidentiality of data transmitted between said members of said each predefined trust realm ;
and security apparatus in each of a plurality of said computers , comprising : a trusted computing base which enforces a predefined security policy in said computer and which defines a security level for each set of data stored therein ;
authentication means for authenticating and validating messages sent to another computer via said network (NAD server) ;
each said message comprising data having an associated label denoting how said trusted computing base is to enforce security policy with respect to said message ;
trust realm service means , coupled to said trusted computing base , authentication means and trust realm defining means , for preparing a specified message for transmission to a specified other computer system , including means for obtaining trust realm information stored by said trust realm defining means , verifying that both said computer system and said specified computer system are members of at least one common trust realm , and selecting a trust realm from among said at least one common trust realm , authenticating said message and said label associated with said message , and transmitting to said specified other computer a protocol data unit including said authenticated message and label , and an identifier that identifies said selected trust realm ;
said trust realm service means further including : means for receiving protocol data units transmitted by other ones of said computers via said network , means for validating the message and label in each protocol data unit received by said computer , and means for processing said label and said message in said received protocol data unit in accordance with the predefined security protocol corresponding to the selected trust realm identified by said identifier in said received protocol data unit .

US5204961A
CLAIM 4
. The message transmission apparatus set forth in claim 1 , said trusted computing base in at least a plurality of said computers including means for enforcing a plurality of predefined security protocols with respect to received protocol data units (network protocol programs) , each predefined security protocol corresponding to one of said predefined trust realms ;
wherein one of said plurality of predefined security protocols is applied by said trusted computing base to each received protocol data unit in accordance with the selected trust realm identified by said identifier in said each received protocol data unit .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5226120A

Filed: 1990-05-21     Issued: 1993-07-06

Apparatus and method of monitoring the status of a local area network

(Original Assignee) SynOptics Communications Inc     (Current Assignee) Nortel Networks Ltd

Brian Brown, Shabbir A. Chowdhury
US7739302B2
CLAIM 1
. A network arrangement (electrical back) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (same time) , an IP address of a network destination (light source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5226120A
CLAIM 1
. Apparatus for monitoring the status of a star configured local area network having hubs , with a hub including a chassis for receiving a plurality of modules of varying type , each of the modules having at least one port for connecting a data terminal device to the hub , said apparatus comprising : means for generating a topology of said network (NAD server) and for receiving topology data from a reporting hub wherein said topology data comprises addresses of other hubs which originated messages received by said reporting hub over a particular port of said reporting hub and an identifier of said particular port ;
location means for producing location data indicative of the location of each of the modules and each of the at least one port associated with the modules in the hub chassis ;
type means for producing type data indicative of the type of each of the modules and each of the at least one port associated with the modules in the hub ;
indicator means for indicating status information about each of said modules and for indicating status information about said at least one port associated with each of said modules , said indicator means also for isolating said status information for one particular module and associated at least one port , said indicator means coupled to said location means and also coupled to said type means ;
modification means for modifying port status of each of said at least one port associated with each of said modules , said modification means responsive to a user input , said modification means coupled to said indicator means ;
and display means for producing an image of the hub utilizing said location data , said status information and said type data , with the image depicting the location of the modules in the hub and the type of modules , said display means coupled to said indicator means .

US5226120A
CLAIM 7
. The apparatus of claim 2 wherein said indicator means of one type of the modules includes a front panel which has a light source (network destination) which indicates the status of the module and the status of said at least one port associated with each of said modules and wherein said set of graphic data include data which represents an image of the light source .

US5226120A
CLAIM 13
. A method of automatically determining the topology of a network of interconnected hubs which utilize contention control , with each of the hubs having modules and associated at least three data ports , each of which is for coupling the hub in a star configuration to either a data terminal device or another hub of the network , said method comprising the following steps : transmitting from each of the hubs a message over the network which originates from the hub and which contains an address identifying an associated hub ;
transmitting from each of the hubs a message over the network which was received by said associated hub from another hub on the network which originated the received message ;
identifying , at each of the hubs , which of the data ports of said associated hub has received one of the messages transmitted by another hub of the network ;
receiving topology data from each of the hubs , with the topology data identifying a particular one of the data ports of a particular reporting hub and receiving addresses of the other ones of the hubs which originated messages received by said particular reporting hub over the particular port ;
determining the overall topology of the network utilizing said combining each of said received topology data ;
and displaying said overall topology on a display device , said step of displaying including displaying multiple hubs , modules and associated ports on said display device at the same time (network source) .

US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 2
. The network arrangement (electrical back) of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs (other port) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5226120A
CLAIM 1
. Apparatus for monitoring the status of a star configured local area network having hubs , with a hub including a chassis for receiving a plurality of modules of varying type , each of the modules having at least one port for connecting a data terminal device to the hub , said apparatus comprising : means for generating a topology of said network (NAD server) and for receiving topology data from a reporting hub wherein said topology data comprises addresses of other hubs which originated messages received by said reporting hub over a particular port of said reporting hub and an identifier of said particular port ;
location means for producing location data indicative of the location of each of the modules and each of the at least one port associated with the modules in the hub chassis ;
type means for producing type data indicative of the type of each of the modules and each of the at least one port associated with the modules in the hub ;
indicator means for indicating status information about each of said modules and for indicating status information about said at least one port associated with each of said modules , said indicator means also for isolating said status information for one particular module and associated at least one port , said indicator means coupled to said location means and also coupled to said type means ;
modification means for modifying port status of each of said at least one port associated with each of said modules , said modification means responsive to a user input , said modification means coupled to said indicator means ;
and display means for producing an image of the hub utilizing said location data , said status information and said type data , with the image depicting the location of the modules in the hub and the type of modules , said display means coupled to said indicator means .

US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 3
. The network arrangement (electrical back) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 4
. The network arrangement (electrical back) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source (same time) , destination , and route of the data packet .
US5226120A
CLAIM 13
. A method of automatically determining the topology of a network of interconnected hubs which utilize contention control , with each of the hubs having modules and associated at least three data ports , each of which is for coupling the hub in a star configuration to either a data terminal device or another hub of the network , said method comprising the following steps : transmitting from each of the hubs a message over the network which originates from the hub and which contains an address identifying an associated hub ;
transmitting from each of the hubs a message over the network which was received by said associated hub from another hub on the network which originated the received message ;
identifying , at each of the hubs , which of the data ports of said associated hub has received one of the messages transmitted by another hub of the network ;
receiving topology data from each of the hubs , with the topology data identifying a particular one of the data ports of a particular reporting hub and receiving addresses of the other ones of the hubs which originated messages received by said particular reporting hub over the particular port ;
determining the overall topology of the network utilizing said combining each of said received topology data ;
and displaying said overall topology on a display device , said step of displaying including displaying multiple hubs , modules and associated ports on said display device at the same time (network source) .

US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 5
. A local area network arrangement (electrical back) comprising a network client and at least one network attached device (NAD) disposed in electronic communication (other port) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (same time) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5226120A
CLAIM 13
. A method of automatically determining the topology of a network of interconnected hubs which utilize contention control , with each of the hubs having modules and associated at least three data ports , each of which is for coupling the hub in a star configuration to either a data terminal device or another hub of the network , said method comprising the following steps : transmitting from each of the hubs a message over the network which originates from the hub and which contains an address identifying an associated hub ;
transmitting from each of the hubs a message over the network which was received by said associated hub from another hub on the network which originated the received message ;
identifying , at each of the hubs , which of the data ports of said associated hub has received one of the messages transmitted by another hub of the network ;
receiving topology data from each of the hubs , with the topology data identifying a particular one of the data ports of a particular reporting hub and receiving addresses of the other ones of the hubs which originated messages received by said particular reporting hub over the particular port ;
determining the overall topology of the network utilizing said combining each of said received topology data ;
and displaying said overall topology on a display device , said step of displaying including displaying multiple hubs , modules and associated ports on said display device at the same time (network source) .

US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 6
. The network arrangement (electrical back) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface .
US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 7
. The network arrangement (electrical back) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 8
. The network arrangement (electrical back) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 9
. The network arrangement (electrical back) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information (identifying means) identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5226120A
CLAIM 17
. Apparatus for automatically determining the topology of a local area network of interconnected hubs which utilize contention control , with each of the hubs having at least three data ports , each of which is for coupling the hub in a star configuration to either a data terminal device or another hub in the local area network , said apparatus also for modifying status information associated with said ports of said interconnected hubs , said apparatus comprising : transmit means at each of the hubs for transmitting hub messages over the local area network , said transmit means including originate means for transmitting said hub messages which originate at an associated hub which contain an identifying address of said associated hub ;
repeat means for transmitting said hub messages received by said associated hub over the local area network which originated from other ones of said hubs of the network , said repeat means comprising a timing unit for retiming data to account for transmission distortion , port identifying means (header contains information) at each of the hubs for identifying which of said data ports of said associated hub has received one of the said hub messages transmitted by another of said hubs of the local area network ;
control means coupled to said local area network for receiving topology data reported from each of said hubs , said topology data reported for each data port of a particular reporting hub , said topology data identifying a particular one of said data ports of said particular reporting hub and said topology data identifying addresses associated with the other data ports of said hubs which originated network messages received by said particular reporting hub over said particular one of said data ports ;
processing means for determining the overall topology of the local area network by utilizing and combining said received topology data from each of said reporting hubs ;
status indicator means for indicating status information of said data ports of each of said hubs in said overall topology , said status indicator means also for isolating a particular data port status information ;
modification means for changing said status information of said data ports of each of said hubs , said modification means coupled to said status indicator means and responsive to a user input device ;
and display means for displaying said overall topology in a graphic image format on a display device .

US5226120A
CLAIM 24
. The apparatus of claim 23 wherein said hub includes a chassis having an electrical back (network arrangement) plane for interconnecting said modules and said modules may be inserted in said chassis in any one of predetermined locations along said backplane , with said monitoring means determining said physical location by sensing the predetermined location where said modules are inserted .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (same time) , an IP address of a network destination (light source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5226120A
CLAIM 7
. The apparatus of claim 2 wherein said indicator means of one type of the modules includes a front panel which has a light source (network destination) which indicates the status of the module and the status of said at least one port associated with each of said modules and wherein said set of graphic data include data which represents an image of the light source .

US5226120A
CLAIM 13
. A method of automatically determining the topology of a network of interconnected hubs which utilize contention control , with each of the hubs having modules and associated at least three data ports , each of which is for coupling the hub in a star configuration to either a data terminal device or another hub of the network , said method comprising the following steps : transmitting from each of the hubs a message over the network which originates from the hub and which contains an address identifying an associated hub ;
transmitting from each of the hubs a message over the network which was received by said associated hub from another hub on the network which originated the received message ;
identifying , at each of the hubs , which of the data ports of said associated hub has received one of the messages transmitted by another hub of the network ;
receiving topology data from each of the hubs , with the topology data identifying a particular one of the data ports of a particular reporting hub and receiving addresses of the other ones of the hubs which originated messages received by said particular reporting hub over the particular port ;
determining the overall topology of the network utilizing said combining each of said received topology data ;
and displaying said overall topology on a display device , said step of displaying including displaying multiple hubs , modules and associated ports on said display device at the same time (network source) .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (following steps) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (same time) , an IP address of a network destination (light source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5226120A
CLAIM 7
. The apparatus of claim 2 wherein said indicator means of one type of the modules includes a front panel which has a light source (network destination) which indicates the status of the module and the status of said at least one port associated with each of said modules and wherein said set of graphic data include data which represents an image of the light source .

US5226120A
CLAIM 12
. A method of monitoring the status of a star configured network having hubs , with a hub including a chassis for receiving a plurality of modules of varying type , with each of the modules having at least one port for connecting a data terminal device to the hub , said method comprising the following steps (device interface, storage device) : generating a topology of said network by receiving topology data from a reporting hub wherein said topology data comprises addresses of other hubs which originated messages received by said reporting hub over a particular port of said reporting hub and an identifier of said particular port ;
generating and reporting by a hub location data indicative of the location of each of the modules and ports in the hub chassis ;
generating and reporting by the hub type data indicative of the type data indicative of the type of each of the modules and ports in the hub ;
and producing an image of the hub utilizing said location data and said type data , with the image depicting the location of the modules in the hub and the type of modules in the hub .

US5226120A
CLAIM 13
. A method of automatically determining the topology of a network of interconnected hubs which utilize contention control , with each of the hubs having modules and associated at least three data ports , each of which is for coupling the hub in a star configuration to either a data terminal device or another hub of the network , said method comprising the following steps : transmitting from each of the hubs a message over the network which originates from the hub and which contains an address identifying an associated hub ;
transmitting from each of the hubs a message over the network which was received by said associated hub from another hub on the network which originated the received message ;
identifying , at each of the hubs , which of the data ports of said associated hub has received one of the messages transmitted by another hub of the network ;
receiving topology data from each of the hubs , with the topology data identifying a particular one of the data ports of a particular reporting hub and receiving addresses of the other ones of the hubs which originated messages received by said particular reporting hub over the particular port ;
determining the overall topology of the network utilizing said combining each of said received topology data ;
and displaying said overall topology on a display device , said step of displaying including displaying multiple hubs , modules and associated ports on said display device at the same time (network source) .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps) .
US5226120A
CLAIM 12
. A method of monitoring the status of a star configured network having hubs , with a hub including a chassis for receiving a plurality of modules of varying type , with each of the modules having at least one port for connecting a data terminal device to the hub , said method comprising the following steps (device interface, storage device) : generating a topology of said network by receiving topology data from a reporting hub wherein said topology data comprises addresses of other hubs which originated messages received by said reporting hub over a particular port of said reporting hub and an identifier of said particular port ;
generating and reporting by a hub location data indicative of the location of each of the modules and ports in the hub chassis ;
generating and reporting by the hub type data indicative of the type data indicative of the type of each of the modules and ports in the hub ;
and producing an image of the hub utilizing said location data and said type data , with the image depicting the location of the modules in the hub and the type of modules in the hub .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps) comprises a SCSI interface .
US5226120A
CLAIM 12
. A method of monitoring the status of a star configured network having hubs , with a hub including a chassis for receiving a plurality of modules of varying type , with each of the modules having at least one port for connecting a data terminal device to the hub , said method comprising the following steps (device interface, storage device) : generating a topology of said network by receiving topology data from a reporting hub wherein said topology data comprises addresses of other hubs which originated messages received by said reporting hub over a particular port of said reporting hub and an identifier of said particular port ;
generating and reporting by a hub location data indicative of the location of each of the modules and ports in the hub chassis ;
generating and reporting by the hub type data indicative of the type data indicative of the type of each of the modules and ports in the hub ;
and producing an image of the hub utilizing said location data and said type data , with the image depicting the location of the modules in the hub and the type of modules in the hub .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps) , and a video codec .
US5226120A
CLAIM 12
. A method of monitoring the status of a star configured network having hubs , with a hub including a chassis for receiving a plurality of modules of varying type , with each of the modules having at least one port for connecting a data terminal device to the hub , said method comprising the following steps (device interface, storage device) : generating a topology of said network by receiving topology data from a reporting hub wherein said topology data comprises addresses of other hubs which originated messages received by said reporting hub over a particular port of said reporting hub and an identifier of said particular port ;
generating and reporting by a hub location data indicative of the location of each of the modules and ports in the hub chassis ;
generating and reporting by the hub type data indicative of the type data indicative of the type of each of the modules and ports in the hub ;
and producing an image of the hub utilizing said location data and said type data , with the image depicting the location of the modules in the hub and the type of modules in the hub .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (same time) , an IP address of a network destination (light source) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5226120A
CLAIM 7
. The apparatus of claim 2 wherein said indicator means of one type of the modules includes a front panel which has a light source (network destination) which indicates the status of the module and the status of said at least one port associated with each of said modules and wherein said set of graphic data include data which represents an image of the light source .

US5226120A
CLAIM 13
. A method of automatically determining the topology of a network of interconnected hubs which utilize contention control , with each of the hubs having modules and associated at least three data ports , each of which is for coupling the hub in a star configuration to either a data terminal device or another hub of the network , said method comprising the following steps : transmitting from each of the hubs a message over the network which originates from the hub and which contains an address identifying an associated hub ;
transmitting from each of the hubs a message over the network which was received by said associated hub from another hub on the network which originated the received message ;
identifying , at each of the hubs , which of the data ports of said associated hub has received one of the messages transmitted by another hub of the network ;
receiving topology data from each of the hubs , with the topology data identifying a particular one of the data ports of a particular reporting hub and receiving addresses of the other ones of the hubs which originated messages received by said particular reporting hub over the particular port ;
determining the overall topology of the network utilizing said combining each of said received topology data ;
and displaying said overall topology on a display device , said step of displaying including displaying multiple hubs , modules and associated ports on said display device at the same time (network source) .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (following steps) if the request is allowed .
US5226120A
CLAIM 12
. A method of monitoring the status of a star configured network having hubs , with a hub including a chassis for receiving a plurality of modules of varying type , with each of the modules having at least one port for connecting a data terminal device to the hub , said method comprising the following steps (device interface, storage device) : generating a topology of said network by receiving topology data from a reporting hub wherein said topology data comprises addresses of other hubs which originated messages received by said reporting hub over a particular port of said reporting hub and an identifier of said particular port ;
generating and reporting by a hub location data indicative of the location of each of the modules and ports in the hub chassis ;
generating and reporting by the hub type data indicative of the type data indicative of the type of each of the modules and ports in the hub ;
and producing an image of the hub utilizing said location data and said type data , with the image depicting the location of the modules in the hub and the type of modules in the hub .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps) , and a video codec .
US5226120A
CLAIM 12
. A method of monitoring the status of a star configured network having hubs , with a hub including a chassis for receiving a plurality of modules of varying type , with each of the modules having at least one port for connecting a data terminal device to the hub , said method comprising the following steps (device interface, storage device) : generating a topology of said network by receiving topology data from a reporting hub wherein said topology data comprises addresses of other hubs which originated messages received by said reporting hub over a particular port of said reporting hub and an identifier of said particular port ;
generating and reporting by a hub location data indicative of the location of each of the modules and ports in the hub chassis ;
generating and reporting by the hub type data indicative of the type data indicative of the type of each of the modules and ports in the hub ;
and producing an image of the hub utilizing said location data and said type data , with the image depicting the location of the modules in the hub and the type of modules in the hub .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4972504A

Filed: 1990-03-20     Issued: 1990-11-20

Marketing research system and method for obtaining retail data on a real time basis

(Original Assignee) A C Nielsen Co     (Current Assignee) Nielsen Company US LLC

James N. Daniel, Jr., Thomas F. Busyn, Brent T. Batterman
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client (central location) and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4972504A
CLAIM 30
. A method of collecting market research data from a plurality of cooperating retail stores , each store of said plurality of stores having at least one Point-Of-Sale scanner and a scanner controller and a store digital data communications loop interconnecting said scanner and said scanner controller , said method comprising the steps of disposing non-invasive sensor means in each of said stores for monitoring and for detecting in a substantially totally passive manner with respect to said scanner and said scanner controller and said store loop digital data present on said store loop , said detected digital data being representative of retail sales transactions in said store , detecting said digital data present in said store loop , storing information in response to the detection of said digital data in a memory , said memory being separate from said scanner and said scanner controller in said store , said sensor means and said memory operating responsive to the normal retail sales operations of said scanner and said scanner controller in said retail store and transmitting said information from said retail store to a remote central location (network client, data management component) , said transmitted information for processing , storage and use by market researchers .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client (central location) and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (central location) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4972504A
CLAIM 30
. A method of collecting market research data from a plurality of cooperating retail stores , each store of said plurality of stores having at least one Point-Of-Sale scanner and a scanner controller and a store digital data communications loop interconnecting said scanner and said scanner controller , said method comprising the steps of disposing non-invasive sensor means in each of said stores for monitoring and for detecting in a substantially totally passive manner with respect to said scanner and said scanner controller and said store loop digital data present on said store loop , said detected digital data being representative of retail sales transactions in said store , detecting said digital data present in said store loop , storing information in response to the detection of said digital data in a memory , said memory being separate from said scanner and said scanner controller in said store , said sensor means and said memory operating responsive to the normal retail sales operations of said scanner and said scanner controller in said retail store and transmitting said information from said retail store to a remote central location (network client, data management component) , said transmitted information for processing , storage and use by market researchers .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (processing unit) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US4972504A
CLAIM 17
. A market research system comprising a plurality of cooperating retail stores in a market research test area , each of said stores having at least partially automated first means for processing retail sales transactions in said store , non-invasive automated second means disposed in each of said stores for monitoring said first means in a substantially totally passive manner and for collecting market research data based on said retail sales transactions , said second means including sensor means for monitoring said first means , said sensor means including an antenna , said second means further including microprocessor means for processing and storing retail sales transaction data detected by said antenna , said microprocessor means being otherwise adapted to process and store said retail sales transaction data independently of said first means , and said microprocessor including a central processing unit (processing unit) , variable memory means and retail sales transaction data storage means , said second means further including adapter means for adapting said second means to a particular first means in said store in which said second means is disposed for enabling said microprocessor to process said retail sales transaction data detected by said antenna , and automated third means remotely located from said plurality of retail stores for receiving said market research data from said plurality of retail stores and for storing said market research data for subsequent use by market researchers , said first means operating independently of said second means , and said first means generating first electrical signals relating to said retail sales transactions , wherein said antenna is physically disposed in the vicinity of said first means for enabling at least portions of said first electrical signals to be detected by said antenna , and wherein said second means further comprises interface means disposed between said sensor means and said adapter means for supplying electrical power to said sensor means and for supplying second electrical signals representative of said first electrical signals to said adapter means .

US4972504A
CLAIM 28
. A retail store data collection system for use in a retail store having at least one Point-Of-Sale scanner and a scanner controller interconnected by a store data communications loop comprising : sensor means disposed in the vicinity of a portion of said store loop for monitoring and for detecting data signals present on said store loop , memory means coupled to said sensor means for storing information in response to the detection of said data signals by said sensor means , and said sensor means and said memory (storing instructions) means operating responsive to said scanner and scanner controller and without requiring any responsive operation by said scanner and said scanner controller and without requiring any modification of said scanner and said scanner controller .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (processing unit) to determine whether each packet arrived via an authorized network interface .
US4972504A
CLAIM 17
. A market research system comprising a plurality of cooperating retail stores in a market research test area , each of said stores having at least partially automated first means for processing retail sales transactions in said store , non-invasive automated second means disposed in each of said stores for monitoring said first means in a substantially totally passive manner and for collecting market research data based on said retail sales transactions , said second means including sensor means for monitoring said first means , said sensor means including an antenna , said second means further including microprocessor means for processing and storing retail sales transaction data detected by said antenna , said microprocessor means being otherwise adapted to process and store said retail sales transaction data independently of said first means , and said microprocessor including a central processing unit (processing unit) , variable memory means and retail sales transaction data storage means , said second means further including adapter means for adapting said second means to a particular first means in said store in which said second means is disposed for enabling said microprocessor to process said retail sales transaction data detected by said antenna , and automated third means remotely located from said plurality of retail stores for receiving said market research data from said plurality of retail stores and for storing said market research data for subsequent use by market researchers , said first means operating independently of said second means , and said first means generating first electrical signals relating to said retail sales transactions , wherein said antenna is physically disposed in the vicinity of said first means for enabling at least portions of said first electrical signals to be detected by said antenna , and wherein said second means further comprises interface means disposed between said sensor means and said adapter means for supplying electrical power to said sensor means and for supplying second electrical signals representative of said first electrical signals to said adapter means .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether each packet contains an unauthorized IP address .
US4972504A
CLAIM 17
. A market research system comprising a plurality of cooperating retail stores in a market research test area , each of said stores having at least partially automated first means for processing retail sales transactions in said store , non-invasive automated second means disposed in each of said stores for monitoring said first means in a substantially totally passive manner and for collecting market research data based on said retail sales transactions , said second means including sensor means for monitoring said first means , said sensor means including an antenna , said second means further including microprocessor means for processing and storing retail sales transaction data detected by said antenna , said microprocessor means being otherwise adapted to process and store said retail sales transaction data independently of said first means , and said microprocessor including a central processing unit (processing unit) , variable memory means and retail sales transaction data storage means , said second means further including adapter means for adapting said second means to a particular first means in said store in which said second means is disposed for enabling said microprocessor to process said retail sales transaction data detected by said antenna , and automated third means remotely located from said plurality of retail stores for receiving said market research data from said plurality of retail stores and for storing said market research data for subsequent use by market researchers , said first means operating independently of said second means , and said first means generating first electrical signals relating to said retail sales transactions , wherein said antenna is physically disposed in the vicinity of said first means for enabling at least portions of said first electrical signals to be detected by said antenna , and wherein said second means further comprises interface means disposed between said sensor means and said adapter means for supplying electrical power to said sensor means and for supplying second electrical signals representative of said first electrical signals to said adapter means .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (processing unit) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
US4972504A
CLAIM 17
. A market research system comprising a plurality of cooperating retail stores in a market research test area , each of said stores having at least partially automated first means for processing retail sales transactions in said store , non-invasive automated second means disposed in each of said stores for monitoring said first means in a substantially totally passive manner and for collecting market research data based on said retail sales transactions , said second means including sensor means for monitoring said first means , said sensor means including an antenna , said second means further including microprocessor means for processing and storing retail sales transaction data detected by said antenna , said microprocessor means being otherwise adapted to process and store said retail sales transaction data independently of said first means , and said microprocessor including a central processing unit (processing unit) , variable memory means and retail sales transaction data storage means , said second means further including adapter means for adapting said second means to a particular first means in said store in which said second means is disposed for enabling said microprocessor to process said retail sales transaction data detected by said antenna , and automated third means remotely located from said plurality of retail stores for receiving said market research data from said plurality of retail stores and for storing said market research data for subsequent use by market researchers , said first means operating independently of said second means , and said first means generating first electrical signals relating to said retail sales transactions , wherein said antenna is physically disposed in the vicinity of said first means for enabling at least portions of said first electrical signals to be detected by said antenna , and wherein said second means further comprises interface means disposed between said sensor means and said adapter means for supplying electrical power to said sensor means and for supplying second electrical signals representative of said first electrical signals to said adapter means .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (processing unit) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US4972504A
CLAIM 17
. A market research system comprising a plurality of cooperating retail stores in a market research test area , each of said stores having at least partially automated first means for processing retail sales transactions in said store , non-invasive automated second means disposed in each of said stores for monitoring said first means in a substantially totally passive manner and for collecting market research data based on said retail sales transactions , said second means including sensor means for monitoring said first means , said sensor means including an antenna , said second means further including microprocessor means for processing and storing retail sales transaction data detected by said antenna , said microprocessor means being otherwise adapted to process and store said retail sales transaction data independently of said first means , and said microprocessor including a central processing unit (processing unit) , variable memory means and retail sales transaction data storage means , said second means further including adapter means for adapting said second means to a particular first means in said store in which said second means is disposed for enabling said microprocessor to process said retail sales transaction data detected by said antenna , and automated third means remotely located from said plurality of retail stores for receiving said market research data from said plurality of retail stores and for storing said market research data for subsequent use by market researchers , said first means operating independently of said second means , and said first means generating first electrical signals relating to said retail sales transactions , wherein said antenna is physically disposed in the vicinity of said first means for enabling at least portions of said first electrical signals to be detected by said antenna , and wherein said second means further comprises interface means disposed between said sensor means and said adapter means for supplying electrical power to said sensor means and for supplying second electrical signals representative of said first electrical signals to said adapter means .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data storage) .
US4972504A
CLAIM 12
. A market research system as recited in claim 1 wherein said third means comprises automated central processing means for processing said market research data and data storage (SCSI interface) means for storing said market research data .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means (pass filter) for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (pass filter) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US4972504A
CLAIM 19
. A market research system as recited in claim 18 wherein said sensor means includes high pass filter (filtering means, filtering comprises means) means for suppressing spurious signals and impedance matching means for interconnecting said antenna and said high pass filter means .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (detecting data) is further configured to manage access over a SCSI interface (data storage) .
US4972504A
CLAIM 12
. A market research system as recited in claim 1 wherein said third means comprises automated central processing means for processing said market research data and data storage (SCSI interface) means for storing said market research data .

US4972504A
CLAIM 28
. A retail store data collection system for use in a retail store having at least one Point-Of-Sale scanner and a scanner controller interconnected by a store data communications loop comprising : sensor means disposed in the vicinity of a portion of said store loop for monitoring and for detecting data (managing means) signals present on said store loop , memory means coupled to said sensor means for storing information in response to the detection of said data signals by said sensor means , and said sensor means and said memory means operating responsive to said scanner and scanner controller and without requiring any responsive operation by said scanner and said scanner controller and without requiring any modification of said scanner and said scanner controller .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (pass filter) is further configured to carry out the filtering at an application layer of a network stack .
US4972504A
CLAIM 19
. A market research system as recited in claim 18 wherein said sensor means includes high pass filter (filtering means, filtering comprises means) means for suppressing spurious signals and impedance matching means for interconnecting said antenna and said high pass filter means .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5030807A

Filed: 1990-01-16     Issued: 1991-07-09

System for reading and writing data from and into remote tags

(Original Assignee) Amtech Corp     (Current Assignee) Intermec IP Corp

Jeremy A. Landt, Alfred R. Koelle
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (transmitted data) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5030807A
CLAIM 4
. A system for identifying , for writing data into and for reading data out of remote objects which may be in motion relative to the interrogator , comprising : an interrogator for sending an RF signal to said remote object , said signal including data intended to be received and stored by said remote object ;
at least one remote object capable , upon receipt of said RF signal , of backscatter-modulating said RF signal and returning a backscatter-modulated signal to said interrogator , said backscatter-modulated signal being modulated with data indicating (1) the identity and other data stored in said remote object and (2) its ability or inability to receive and store transmitted data (network protocol programs) from said interrogator ;
and said interrogator having the capability (1) to recognize the said identity and other data stored in said remote object from said returned backscatter-modulated signal and (2) to transmit data to said remote object only if (i) said interrogator has data to be transmitted to that identified remote object , and (ii) said backscatter-modulated returned signal indicates the ability of said remote object to receive and store transmitted data , whereby data may be selectively transmitted to and received and stored by a remote object having data storage capability only after such remote object has been identified as the correct remote object to receive such data .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (sufficient strength) device , the selectively generated packet containing the request for access to the directly attached device .
US5030807A
CLAIM 10
. The tag of claim 9 further characterized by having the capability , upon receipt of said RF signal , of backscatter-modulating said RF signal and returning a signal modulated with data indicating (1) the identity and other data stored in said remote object and (2) whether or not the received RF signal is of sufficient strength (intermediary computing) so that the tag is able to receive and store transmitted data from said interrogator .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data storage) .
US5030807A
CLAIM 4
. A system for identifying , for writing data into and for reading data out of remote objects which may be in motion relative to the interrogator , comprising : an interrogator for sending an RF signal to said remote object , said signal including data intended to be received and stored by said remote object ;
at least one remote object capable , upon receipt of said RF signal , of backscatter-modulating said RF signal and returning a backscatter-modulated signal to said interrogator , said backscatter-modulated signal being modulated with data indicating (1) the identity and other data stored in said remote object and (2) its ability or inability to receive and store transmitted data from said interrogator ;
and said interrogator having the capability (1) to recognize the said identity and other data stored in said remote object from said returned backscatter-modulated signal and (2) to transmit data to said remote object only if (i) said interrogator has data to be transmitted to that identified remote object , and (ii) said backscatter-modulated returned signal indicates the ability of said remote object to receive and store transmitted data , whereby data may be selectively transmitted to and received and stored by a remote object having data storage (SCSI interface) capability only after such remote object has been identified as the correct remote object to receive such data .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (data storage) .
US5030807A
CLAIM 4
. A system for identifying , for writing data into and for reading data out of remote objects which may be in motion relative to the interrogator , comprising : an interrogator for sending an RF signal to said remote object , said signal including data intended to be received and stored by said remote object ;
at least one remote object capable , upon receipt of said RF signal , of backscatter-modulating said RF signal and returning a backscatter-modulated signal to said interrogator , said backscatter-modulated signal being modulated with data indicating (1) the identity and other data stored in said remote object and (2) its ability or inability to receive and store transmitted data from said interrogator ;
and said interrogator having the capability (1) to recognize the said identity and other data stored in said remote object from said returned backscatter-modulated signal and (2) to transmit data to said remote object only if (i) said interrogator has data to be transmitted to that identified remote object , and (ii) said backscatter-modulated returned signal indicates the ability of said remote object to receive and store transmitted data , whereby data may be selectively transmitted to and received and stored by a remote object having data storage (SCSI interface) capability only after such remote object has been identified as the correct remote object to receive such data .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5131020A

Filed: 1989-12-29     Issued: 1992-07-14

Method of and system for providing continually updated traffic or other information to telephonically and other communications-linked customers

(Original Assignee) SmartRoutes Systems LP     (Current Assignee) Fleet National Bank ; SmartRoutes Systems LP

John P. Liebesny, Sheldon Apsell, John Mahon, Paul J. Bouchard
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests (information request) for network access to the NAD from a plurality of network clients having different operating systems .
US5131020A
CLAIM 1
. In a method of information telephone channel communication between a central station and a plurality of callers , in which the steps are performed of collecting , updating and storing information useful for said callers on a real-time and continual basis for different categories of information ;
responding to the telephone dialing of the station on the caller's telephone keyboard and the entering on said keyboard of a code for the category of interest specified by the caller , by telephonically transmitting back from the station storage to such caller a report of the information requested (accepting requests) by the caller and in the particular category specified by the caller ;
the improvement comprising the caller's controlling by further keyboard entry of both a request for automatic updating of significant changes in the information within said specific particular category and other caller-specified categories and of the setting of variable caller-selected time periods following said report ;
responding to such caller requests by storing the caller's telephone number and causing the station to call back said caller's telephone number to deliver such update of significant changes should they occur in that category(ies) within that caller requested time period following said report .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said key) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5131020A
CLAIM 1
. In a method of information telephone channel communication between a central station and a plurality of callers , in which the steps are performed of collecting , updating and storing information useful for said callers on a real-time and continual basis for different categories of information ;
responding to the telephone dialing of the station on the caller's telephone keyboard and the entering on said keyboard (filtering means) of a code for the category of interest specified by the caller , by telephonically transmitting back from the station storage to such caller a report of the information requested by the caller and in the particular category specified by the caller ;
the improvement comprising the caller's controlling by further keyboard entry of both a request for automatic updating of significant changes in the information within said specific particular category and other caller-specified categories and of the setting of variable caller-selected time periods following said report ;
responding to such caller requests by storing the caller's telephone number and causing the station to call back said caller's telephone number to deliver such update of significant changes should they occur in that category(ies) within that caller requested time period following said report .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said key) is further configured to carry out the filtering at an application layer of a network stack .
US5131020A
CLAIM 1
. In a method of information telephone channel communication between a central station and a plurality of callers , in which the steps are performed of collecting , updating and storing information useful for said callers on a real-time and continual basis for different categories of information ;
responding to the telephone dialing of the station on the caller's telephone keyboard and the entering on said keyboard (filtering means) of a code for the category of interest specified by the caller , by telephonically transmitting back from the station storage to such caller a report of the information requested by the caller and in the particular category specified by the caller ;
the improvement comprising the caller's controlling by further keyboard entry of both a request for automatic updating of significant changes in the information within said specific particular category and other caller-specified categories and of the setting of variable caller-selected time periods following said report ;
responding to such caller requests by storing the caller's telephone number and causing the station to call back said caller's telephone number to deliver such update of significant changes should they occur in that category(ies) within that caller requested time period following said report .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5019697A

Filed: 1989-05-25     Issued: 1991-05-28

Data collection system using memory card

(Original Assignee) TPS Electronics     (Current Assignee) POSTMAN JOEL

Joel R. Postman
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said format) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5019697A
CLAIM 6
. An encoder/decoder circuit for providing an interface between a keyboard and a computer having a keyboard connector comprising ;
a microprocessor coupled to said computer for receiving data formatted by said computer and for encoding and decoding said formatted (data packet) data that is stored on a memory card ;
a socket for accepting said memory card coupled to said encoder/decoder circuit ;
an electronic switch for directing data signals from said keyboard to said keyboard connector ;
said microprocessor being connected to said electronic switch for controlling the functioning of said switch , said microprocessor being connected to said memory socket for transfer of data signals to and from said memory card ;
and a program memory coupled to said microprocessor for controlling the operation of said microprocessor .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said format) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US5019697A
CLAIM 6
. An encoder/decoder circuit for providing an interface between a keyboard and a computer having a keyboard connector comprising ;
a microprocessor coupled to said computer for receiving data formatted by said computer and for encoding and decoding said formatted (data packet) data that is stored on a memory card ;
a socket for accepting said memory card coupled to said encoder/decoder circuit ;
an electronic switch for directing data signals from said keyboard to said keyboard connector ;
said microprocessor being connected to said electronic switch for controlling the functioning of said switch , said microprocessor being connected to said memory socket for transfer of data signals to and from said memory card ;
and a program memory coupled to said microprocessor for controlling the operation of said microprocessor .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said format) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5019697A
CLAIM 6
. An encoder/decoder circuit for providing an interface between a keyboard and a computer having a keyboard connector comprising ;
a microprocessor coupled to said computer for receiving data formatted by said computer and for encoding and decoding said formatted (data packet) data that is stored on a memory card ;
a socket for accepting said memory card coupled to said encoder/decoder circuit ;
an electronic switch for directing data signals from said keyboard to said keyboard connector ;
said microprocessor being connected to said electronic switch for controlling the functioning of said switch , said microprocessor being connected to said memory socket for transfer of data signals to and from said memory card ;
and a program memory coupled to said microprocessor for controlling the operation of said microprocessor .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said format) arrived via an authorized network interface .
US5019697A
CLAIM 6
. An encoder/decoder circuit for providing an interface between a keyboard and a computer having a keyboard connector comprising ;
a microprocessor coupled to said computer for receiving data formatted by said computer and for encoding and decoding said formatted (data packet) data that is stored on a memory card ;
a socket for accepting said memory card coupled to said encoder/decoder circuit ;
an electronic switch for directing data signals from said keyboard to said keyboard connector ;
said microprocessor being connected to said electronic switch for controlling the functioning of said switch , said microprocessor being connected to said memory socket for transfer of data signals to and from said memory card ;
and a program memory coupled to said microprocessor for controlling the operation of said microprocessor .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said format) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US5019697A
CLAIM 6
. An encoder/decoder circuit for providing an interface between a keyboard and a computer having a keyboard connector comprising ;
a microprocessor coupled to said computer for receiving data formatted by said computer and for encoding and decoding said formatted (data packet) data that is stored on a memory card ;
a socket for accepting said memory card coupled to said encoder/decoder circuit ;
an electronic switch for directing data signals from said keyboard to said keyboard connector ;
said microprocessor being connected to said electronic switch for controlling the functioning of said switch , said microprocessor being connected to said memory socket for transfer of data signals to and from said memory card ;
and a program memory coupled to said microprocessor for controlling the operation of said microprocessor .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said format) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5019697A
CLAIM 6
. An encoder/decoder circuit for providing an interface between a keyboard and a computer having a keyboard connector comprising ;
a microprocessor coupled to said computer for receiving data formatted by said computer and for encoding and decoding said formatted (data packet) data that is stored on a memory card ;
a socket for accepting said memory card coupled to said encoder/decoder circuit ;
an electronic switch for directing data signals from said keyboard to said keyboard connector ;
said microprocessor being connected to said electronic switch for controlling the functioning of said switch , said microprocessor being connected to said memory socket for transfer of data signals to and from said memory card ;
and a program memory coupled to said microprocessor for controlling the operation of said microprocessor .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said format) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5019697A
CLAIM 1
. A data collection system for processing and storing information that is recorded electrically on an identification card having a semiconductor memory chip embedded therein comprising : a data processor having an input terminal for receiving data ;
a keyboard for generating a data signal in response to actuation by an operator ;
an encoder/decoder circuit coupled to the output of said keyboard for receiving said generated data signal , said encoder/decoder circuit having an interface for coupling said circuit to said data processor input terminal ;
means formed with said encoder/decoder circuit for receiving said identification card so that electrical connection is made between said memory (storing instructions) chip and said encoder/decoder circuit .

US5019697A
CLAIM 6
. An encoder/decoder circuit for providing an interface between a keyboard and a computer having a keyboard connector comprising ;
a microprocessor coupled to said computer for receiving data formatted by said computer and for encoding and decoding said formatted (data packet) data that is stored on a memory card ;
a socket for accepting said memory card coupled to said encoder/decoder circuit ;
an electronic switch for directing data signals from said keyboard to said keyboard connector ;
said microprocessor being connected to said electronic switch for controlling the functioning of said switch , said microprocessor being connected to said memory socket for transfer of data signals to and from said memory card ;
and a program memory coupled to said microprocessor for controlling the operation of said microprocessor .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (said format) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said key) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5019697A
CLAIM 1
. A data collection system for processing and storing information that is recorded electrically on an identification card having a semiconductor memory chip embedded therein comprising : a data processor having an input terminal for receiving data ;
a keyboard for generating a data signal in response to actuation by an operator ;
an encoder/decoder circuit coupled to the output of said keyboard (filtering means) for receiving said generated data signal , said encoder/decoder circuit having an interface for coupling said circuit to said data processor input terminal ;
means formed with said encoder/decoder circuit for receiving said identification card so that electrical connection is made between said memory chip and said encoder/decoder circuit .

US5019697A
CLAIM 6
. An encoder/decoder circuit for providing an interface between a keyboard and a computer having a keyboard connector comprising ;
a microprocessor coupled to said computer for receiving data formatted by said computer and for encoding and decoding said formatted (data packet) data that is stored on a memory card ;
a socket for accepting said memory card coupled to said encoder/decoder circuit ;
an electronic switch for directing data signals from said keyboard to said keyboard connector ;
said microprocessor being connected to said electronic switch for controlling the functioning of said switch , said microprocessor being connected to said memory socket for transfer of data signals to and from said memory card ;
and a program memory coupled to said microprocessor for controlling the operation of said microprocessor .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said key) is further configured to carry out the filtering at an application layer of a network stack .
US5019697A
CLAIM 1
. A data collection system for processing and storing information that is recorded electrically on an identification card having a semiconductor memory chip embedded therein comprising : a data processor having an input terminal for receiving data ;
a keyboard for generating a data signal in response to actuation by an operator ;
an encoder/decoder circuit coupled to the output of said keyboard (filtering means) for receiving said generated data signal , said encoder/decoder circuit having an interface for coupling said circuit to said data processor input terminal ;
means formed with said encoder/decoder circuit for receiving said identification card so that electrical connection is made between said memory chip and said encoder/decoder circuit .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5113499A

Filed: 1989-04-28     Issued: 1992-05-12

Telecommunication access management system for a packet switching network

(Original Assignee) Sprint International Communications Corp     (Current Assignee) Sprint International Communications Corp

Richard C. Ankney, Ronald P. Bonica, Douglas E. Kay, Patricia A. Pashayan, Roy L. Spitzer
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (instruction signals) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5113499A
CLAIM 1
. A system for managing access to data among users and host computers in a public data communications network applied to provide data communications paths between and among the users and the host computers via communication links and transmit nodes of the network , in which the nature and degree of access by or to each user and host computer is designated in advance by respective ones of the plurality of network customers who maintain the host computers and who allow authorized user access thereto , said system comprising a multiplicity of potential user stations , a multiplicity of host computers for compiling and furnishing data on request of users and other host computers , a multiplicity of switch means operatively associated with respective ones of said user stations and said host computers , and located at points of entry to said data communications paths of said network (NAD server) remote from said respective ones of said user stations and said host computers , for establishing and disconnecting a communication path through the network between a user station and a host computer to which access is requested by said user station for a communication session therewith , and access management means operatively associated with each of said switch means for examining requests for establishing a data communications path through said network between a user station and a host computer received by the associated one of said switch means for validation of said requests and for granting and denying the respective requests by issuance of corresponding instruction signals (executable instructions, computer executable instructions) to said switch means , according to the nature and degree of access designated by the respective network customer .

US5113499A
CLAIM 7
. A method for upgrading security in a public data communications network to assure that the dictates of each network customer are followed with respect to accessibility by network users via terminals to host computers maintained by the respective network customer , said method comprising installing at points of entry to data communications links of said network a plurality of switch means for operative association with respective user terminals and host computers but physically remote therefrom , to establish connection and disconnection of data communications link through the network among user terminals and host computers on demand by authorized users , installing in association with said network an access management host computer and relational database designating authorized users and their attributes and destination addresses to which the various users are authorized access based on said dictates of the network customers , for analyzing requests for access among said users and host computers and issuing instructions respecting establishment of connections and disconnections to the respective switch means based on information (network destination) contained in said relational database , and providing a data link between said access management host computer and each of said switch means for communication of access requests and responsive instructions therebetween .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs (plural access) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US5113499A
CLAIM 1
. A system for managing access to data among users and host computers in a public data communications network applied to provide data communications paths between and among the users and the host computers via communication links and transmit nodes of the network , in which the nature and degree of access by or to each user and host computer is designated in advance by respective ones of the plurality of network customers who maintain the host computers and who allow authorized user access thereto , said system comprising a multiplicity of potential user stations , a multiplicity of host computers for compiling and furnishing data on request of users and other host computers , a multiplicity of switch means operatively associated with respective ones of said user stations and said host computers , and located at points of entry to said data communications paths of said network (NAD server) remote from said respective ones of said user stations and said host computers , for establishing and disconnecting a communication path through the network between a user station and a host computer to which access is requested by said user station for a communication session therewith , and access management means operatively associated with each of said switch means for examining requests for establishing a data communications path through said network between a user station and a host computer received by the associated one of said switch means for validation of said requests and for granting and denying the respective requests by issuance of corresponding instruction signals to said switch means , according to the nature and degree of access designated by the respective network customer .

US5113499A
CLAIM 8
. In a security access management system for a packet switched data communications network adapted to selectively provide transmission paths for communication sessions between a multiplicity of data terminal equipments (DTEs) located outside the network via communication links and transit nodes within the network through a plurality of packet switches each located at a respective one of a plurality of entry points to the network and associated with one or more of the DTEs for routing packets therefrom and thereto at that entry point , according to the destination DTE address and source DTE authorization information contained within the packets assembled for transmission from a source DTE , and wherein the extent of access between and among a group of the DTEs associated with a particular customer of the network is mandated by that customer such that different DTEs within the same group may be authorized for different levels of access to destinations within the group , the improvement comprising : plural access (network protocol programs) management means each respectively operatively associated with a packet switch at an entry point of the network , each access management means including : administrative means for examining source DTE authorization information contained within packets received at the associated packet switch for transmission through the network to destination addresses for the packets , database means maintained by the administrative means for storing information relating to pre-assigned levels of authorization of the source DTEs using the respective entry point of the network for access to specified destinations , and validation means responsive to comparison of the DTE source authorization information contained in a packet under examination by the administrative means to the pre-assigned level of authorization for that source DTE for granting or denying access thereby through the associated packet switch to the destination address with which a communication session is requested .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (one source) with each other over a same network , the NAD comprising ;

a data management component (information representative) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (destination address) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5113499A
CLAIM 3
. The access management system according to claim 1 , wherein said network is a packet switching network , said user stations have respective packet assemblers/disassemblers operatively associated therewith , and said digital signals are generated in the form of packets containing information representative (data management component) of the attributes of the user respecting nature and degree of authorization .

US5113499A
CLAIM 4
. The access management system according to claim 1 , wherein said access management means includes validation host computer means coupled to an associated one of said switch means for validating requests for access received thereby , administrative host computer means coupled to the validation host computer means for monitoring the respective requests , and relational database means associated with said validation host computer means and said administrative host computer means for storing information regarding authorized users , user attributes including identification data and passwords , and destination addresses (IP addresses) to which users shall have access .

US5113499A
CLAIM 10
. The improvement of claim 9 , wherein the pre-assigned levels of authorization of the source DTEs within the information stored by the database means includes authorization for at least one source (electronic communication) DTE using the respective entry point to have access to a specified destination address for multiple communications sessions therewith , and for at least some of the other source DTEs using that same entry point to the network to have access for only a single communication session with the specified destination address .

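The header-based filtering recited in claim 5 above (and again in claims 10, 12 and 22 below) is the one technical mechanism this chart turns on: the NAD's own filter reads each packet header, checks that it carries a usable network source, destination and route, and grants or denies access on that basis independently of any upstream firewall. The following is an added example written for this page; it is not code from US7739302B2, US5113499A or any of their assignees. The NAD address 192.168.1.50, the 192.168.1.0/24 allow rule, and the reading of IPv4 source-route options as the claim's "route of the data packet" are assumptions made for illustration.

```c
/* Added example (not from US7739302B2 or US5113499A): a NAD-internal packet
 * filter of the kind claim 5 describes. It parses the IPv4 header of each
 * request, requires that source, destination and any route information be
 * present and well-formed, then applies the NAD's own allow rule.
 * Addresses and the allow rule are assumptions chosen for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAD_ADDR   0xC0A80132u  /* 192.168.1.50: the NAD itself (assumed) */
#define LAN_NET    0xC0A80100u  /* 192.168.1.0/24: internal clients (assumed) */
#define LAN_MASK   0xFFFFFF00u
#define OPT_EOL    0
#define OPT_NOP    1
#define OPT_LSRR   131          /* loose source route option */
#define OPT_SSRR   137          /* strict source route option */

struct hdr_info {
    uint32_t src, dst;
    int source_routed;          /* header carries a route chosen by the sender */
};

/* Returns 0 for a well-formed IPv4 header, -1 for anything malformed. */
static int parse_ipv4(const uint8_t *p, size_t len, struct hdr_info *out)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (p[0] & 0x0F) * 4u;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (ihl < 20 || ihl > len || total < ihl || total > len) return -1;
    /* one's-complement sum over the header, checksum field included, is 0xFFFF */
    uint32_t sum = 0;
    for (size_t i = 0; i < ihl; i += 2) sum += ((uint32_t)p[i] << 8) | p[i + 1];
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    if (sum != 0xFFFF) return -1;
    memset(out, 0, sizeof *out);
    out->src = ((uint32_t)p[12] << 24) | (p[13] << 16) | (p[14] << 8) | p[15];
    out->dst = ((uint32_t)p[16] << 24) | (p[17] << 16) | (p[18] << 8) | p[19];
    /* walk the options (type[,len,data...]); a truncated option is malformed */
    for (size_t i = 20; i < ihl;) {
        uint8_t type = p[i];
        if (type == OPT_EOL) break;
        if (type == OPT_NOP) { i++; continue; }
        if (i + 1 >= ihl) return -1;
        uint8_t olen = p[i + 1];
        if (olen < 2 || i + olen > ihl) return -1;
        if (type == OPT_LSRR || type == OPT_SSRR) out->source_routed = 1;
        i += olen;
    }
    return 0;
}

/* NAD policy: 1 = grant access, 0 = deny. Decided by the NAD itself,
 * whatever an upstream firewall did or did not do with the packet. */
int nad_filter(const uint8_t *pkt, size_t len)
{
    struct hdr_info h;
    if (parse_ipv4(pkt, len, &h) != 0) return 0;   /* malformed header: deny */
    if (h.dst != NAD_ADDR) return 0;               /* not addressed to this NAD */
    if (h.source_routed) return 0;                 /* sender-dictated route: deny */
    if ((h.src & LAN_MASK) != LAN_NET) return 0;   /* source outside the LAN */
    return 1;
}

/* Build a minimal IPv4 header (no payload) with optional options.
 * optlen must be a multiple of 4; returns the packet length. */
size_t build_packet(uint8_t *buf, uint32_t src, uint32_t dst,
                    const uint8_t *opts, size_t optlen)
{
    size_t ihl = 20 + optlen;
    memset(buf, 0, ihl);
    buf[0] = (uint8_t)(0x40 | (ihl / 4));
    buf[2] = (uint8_t)(ihl >> 8); buf[3] = (uint8_t)ihl;
    buf[8] = 64; buf[9] = 6;                       /* TTL, protocol = TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    if (optlen) memcpy(buf + 20, opts, optlen);
    uint32_t sum = 0;
    for (size_t i = 0; i < ihl; i += 2) sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    buf[10] = (uint8_t)(~sum >> 8); buf[11] = (uint8_t)~sum;
    return ihl;
}

/* Constructed sample requests (not captured traffic). */
int example_lan_client(void)     /* 192.168.1.10 -> NAD, no options: allowed */
{
    uint8_t b[64];
    return nad_filter(b, build_packet(b, 0xC0A8010Au, NAD_ADDR, NULL, 0));
}
int example_source_routed(void)  /* same client, LSRR option present: denied */
{
    uint8_t b[64];
    const uint8_t lsrr[8] = { OPT_LSRR, 7, 4, 10, 0, 0, 1, OPT_EOL };
    return nad_filter(b, build_packet(b, 0xC0A8010Au, NAD_ADDR, lsrr, 8));
}
int example_outside_lan(void)    /* 10.0.0.5 -> NAD, firewall or not: denied */
{
    uint8_t b[64];
    return nad_filter(b, build_packet(b, 0x0A000005u, NAD_ADDR, NULL, 0));
}
int example_truncated(void)      /* header claims 20 bytes, only 12 arrive: denied */
{
    uint8_t b[64];
    build_packet(b, 0xC0A8010Au, NAD_ADDR, NULL, 0);
    return nad_filter(b, 12);
}

int main(void)
{
    printf("lan client %d, source routed %d, outside lan %d, truncated %d\n",
           example_lan_client(), example_source_routed(),
           example_outside_lan(), example_truncated());
    return 0;
}
```

Two points matter for reading the claim against this code. The decision rests on the header alone, which is the scope claim 5 recites; and a header that is too short, fails its checksum or carries a truncated option is denied rather than skipped, because a filter that abandons the check on malformed input grants exactly the access it exists to refuse. Treating source-route options as the claimed "route of the data packet" is one reading; the parenthetical mappings in this chart propose others.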
US7739302B2
CLAIM 10
. A system for managing access (managing access) from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US5113499A
CLAIM 1
. A system for managing access (managing access) to data among users and host computers in a public data communications network applied to provide data communications paths between and among the users and the host computers via communication links and transmit nodes of the network , in which the nature and degree of access by or to each user and host computer is designated in advance by respective ones of the plurality of network customers who maintain the host computers and who allow authorized user access thereto , said system comprising a multiplicity of potential user stations , a multiplicity of host computers for compiling and furnishing data on request of users and other host computers , a multiplicity of switch means operatively associated with respective ones of said user stations and said host computers , and located at points of entry to said data communications paths of said network remote from said respective ones of said user stations and said host computers , for establishing and disconnecting a communication path through the network between a user station and a host computer to which access is requested by said user station for a communication session therewith , and access management means operatively associated with each of said switch means for examining requests for establishing a data communications path through said network between a user station and a host computer received by the associated one of said switch means for validation of said requests and for granting and denying the respective requests by issuance of corresponding instruction signals to said switch means , according to the nature and degree of access designated by the respective network customer .

US5113499A
CLAIM 7
. A method for upgrading security in a public data communications network to assure that the dictates of each network customer are followed with respect to accessibility by network users via terminals to host computers maintained by the respective network customer , said method comprising installing at points of entry to data communications links of said network a plurality of switch means for operative association with respective user terminals and host computers but physically remote therefrom , to establish connection and disconnection of data communications link through the network among user terminals and host computers on demand by authorized users , installing in association with said network an access management host computer and relational database designating authorized users and their attributes and destination addresses to which the various users are authorized access based on said dictates of the network customers , for analyzing requests for access among said users and host computers and issuing instructions respecting establishment of connections and disconnections to the respective switch means based on information (network destination) contained in said relational database , and providing a data link between said access management host computer and each of said switch means for communication of access requests and responsive instructions therebetween .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path (multiple communications, communication path) to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5113499A
CLAIM 1
. A system for managing access to data among users and host computers in a public data communications network applied to provide data communications paths between and among the users and the host computers via communication links and transmit nodes of the network , in which the nature and degree of access by or to each user and host computer is designated in advance by respective ones of the plurality of network customers who maintain the host computers and who allow authorized user access thereto , said system comprising a multiplicity of potential user stations , a multiplicity of host computers for compiling and furnishing data on request of users and other host computers , a multiplicity of switch means operatively associated with respective ones of said user stations and said host computers , and located at points of entry to said data communications paths of said network remote from said respective ones of said user stations and said host computers , for establishing and disconnecting a communication path (communication path) through the network between a user station and a host computer to which access is requested by said user station for a communication session therewith , and access management means operatively associated with each of said switch means for examining requests for establishing a data communications path through said network between a user station and a host computer received by the associated one of said switch means for validation of said requests and for granting and denying the respective requests by issuance of corresponding instruction signals to said switch means , according to the nature and degree of access designated by the respective network customer .

US5113499A
CLAIM 7
. A method for upgrading security in a public data communications network to assure that the dictates of each network customer are followed with respect to accessibility by network users via terminals to host computers maintained by the respective network customer , said method comprising installing at points of entry to data communications links of said network a plurality of switch means for operative association with respective user terminals and host computers but physically remote therefrom , to establish connection and disconnection of data communications link through the network among user terminals and host computers on demand by authorized users , installing in association with said network an access management host computer and relational database designating authorized users and their attributes and destination addresses to which the various users are authorized access based on said dictates of the network customers , for analyzing requests for access among said users and host computers and issuing instructions respecting establishment of connections and disconnections to the respective switch means based on information (network destination) contained in said relational database , and providing a data link between said access management host computer and each of said switch means for communication of access requests and responsive instructions therebetween .

US5113499A
CLAIM 10
. The improvement of claim 9 , wherein the pre-assigned levels of authorization of the source DTEs within the information stored by the database means includes authorization for at least one source DTE using the respective entry point to have access to a specified destination address for multiple communications (communication path) sessions therewith , and for at least some of the other source DTEs using that same entry point to the network to have access for only a single communication session with the specified destination address .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (data communications link) .
US5113499A
CLAIM 7
. A method for upgrading security in a public data communications network to assure that the dictates of each network customer are followed with respect to accessibility by network users via terminals to host computers maintained by the respective network customer , said method comprising installing at points of entry to data communications links (network protocols) of said network a plurality of switch means for operative association with respective user terminals and host computers but physically remote therefrom , to establish connection and disconnection of data communications link through the network among user terminals and host computers on demand by authorized users , installing in association with said network an access management host computer and relational database designating authorized users and their attributes and destination addresses to which the various users are authorized access based on said dictates of the network customers , for analyzing requests for access among said users and host computers and issuing instructions respecting establishment of connections and disconnections to the respective switch means based on information contained in said relational database , and providing a data link between said access management host computer and each of said switch means for communication of access requests and responsive instructions therebetween .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (data communications link) is TCP/IP .
US5113499A
CLAIM 7
. A method for upgrading security in a public data communications network to assure that the dictates of each network customer are followed with respect to accessibility by network users via terminals to host computers maintained by the respective network customer , said method comprising installing at points of entry to data communications links (network protocols) of said network a plurality of switch means for operative association with respective user terminals and host computers but physically remote therefrom , to establish connection and disconnection of data communications link through the network among user terminals and host computers on demand by authorized users , installing in association with said network an access management host computer and relational database designating authorized users and their attributes and destination addresses to which the various users are authorized access based on said dictates of the network customers , for analyzing requests for access among said users and host computers and issuing instructions respecting establishment of connections and disconnections to the respective switch means based on information contained in said relational database , and providing a data link between said access management host computer and each of said switch means for communication of access requests and responsive instructions therebetween .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device , and a video codec (respective entry) .
US5113499A
CLAIM 8
. In a security access management system for a packet switched data communications network adapted to selectively provide transmission paths for communication sessions between a multiplicity of data terminal equipments (DTEs) located outside the network via communication links and transit nodes within the network through a plurality of packet switches each located at a respective one of a plurality of entry points to the network and associated with one or more of the DTEs for routing packets therefrom and thereto at that entry point , according to the destination DTE address and source DTE authorization information contained within the packets assembled for transmission from a source DTE , and wherein the extent of access between and among a group of the DTEs associated with a particular customer of the network is mandated by that customer such that different DTEs within the same group may be authorized for different levels of access to destinations within the group , the improvement comprising : plural access management means each respectively operatively associated with a packet switch at an entry point of the network , each access management means including : administrative means for examining source DTE authorization information contained within packets received at the associated packet switch for transmission through the network to destination addresses for the packets , database means maintained by the administrative means for storing information relating to pre-assigned levels of authorization of the source DTEs using the respective entry (video codec) point of the network for access to specified destinations , and validation means responsive to comparison of the DTE source authorization information contained in a packet under examination by the administrative means to the pre-assigned level of authorization for that source DTE for granting or denying access thereby through the associated packet switch to the destination address with which a communication session is requested .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5113499A
CLAIM 7
. A method for upgrading security in a public data communications network to assure that the dictates of each network customer are followed with respect to accessibility by network users via terminals to host computers maintained by the respective network customer , said method comprising installing at points of entry to data communications links of said network a plurality of switch means for operative association with respective user terminals and host computers but physically remote therefrom , to establish connection and disconnection of data communications link through the network among user terminals and host computers on demand by authorized users , installing in association with said network an access management host computer and relational database designating authorized users and their attributes and destination addresses to which the various users are authorized access based on said dictates of the network customers , for analyzing requests for access among said users and host computers and issuing instructions respecting establishment of connections and disconnections to the respective switch means based on information (network destination) contained in said relational database , and providing a data link between said access management host computer and each of said switch means for communication of access requests and responsive instructions therebetween .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access (managing access) to the NAD over a device interface if the request is allowed .
US5113499A
CLAIM 1
. A system for managing access (managing access) to data among users and host computers in a public data communications network applied to provide data communications paths between and among the users and the host computers via communication links and transmit nodes of the network , in which the nature and degree of access by or to each user and host computer is designated in advance by respective ones of the plurality of network customers who maintain the host computers and who allow authorized user access thereto , said system comprising a multiplicity of potential user stations , a multiplicity of host computers for compiling and furnishing data on request of users and other host computers , a multiplicity of switch means operatively associated with respective ones of said user stations and said host computers , and located at points of entry to said data communications paths of said network remote from said respective ones of said user stations and said host computers , for establishing and disconnecting a communication path through the network between a user station and a host computer to which access is requested by said user station for a communication session therewith , and access management means operatively associated with each of said switch means for examining requests for establishing a data communications path through said network between a user station and a host computer received by the associated one of said switch means for validation of said requests and for granting and denying the respective requests by issuance of corresponding instruction signals to said switch means , according to the nature and degree of access designated by the respective network customer .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer of a network stack (various user) .
US5113499A
CLAIM 7
. A method for upgrading security in a public data communications network to assure that the dictates of each network customer are followed with respect to accessibility by network users via terminals to host computers maintained by the respective network customer , said method comprising installing at points of entry to data communications links of said network a plurality of switch means for operative association with respective user terminals and host computers but physically remote therefrom , to establish connection and disconnection of data communications link through the network among user terminals and host computers on demand by authorized users , installing in association with said network an access management host computer and relational database designating authorized users and their attributes and destination addresses to which the various users (network stack) are authorized access based on said dictates of the network customers , for analyzing requests for access among said users and host computers and issuing instructions respecting establishment of connections and disconnections to the respective switch means based on information contained in said relational database , and providing a data link between said access management host computer and each of said switch means for communication of access requests and responsive instructions therebetween .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device , and a video codec (respective entry) .
US5113499A
CLAIM 8
. In a security access management system for a packet switched data communications network adapted to selectively provide transmission paths for communication sessions between a multiplicity of data terminal equipments (DTEs) located outside the network via communication links and transit nodes within the network through a plurality of packet switches each located at a respective one of a plurality of entry points to the network and associated with one or more of the DTEs for routing packets therefrom and thereto at that entry point , according to the destination DTE address and source DTE authorization information contained within the packets assembled for transmission from a source DTE , and wherein the extent of access between and among a group of the DTEs associated with a particular customer of the network is mandated by that customer such that different DTEs within the same group may be authorized for different levels of access to destinations within the group , the improvement comprising : plural access management means each respectively operatively associated with a packet switch at an entry point of the network , each access management means including : administrative means for examining source DTE authorization information contained within packets received at the associated packet switch for transmission through the network to destination addresses for the packets , database means maintained by the administrative means for storing information relating to pre-assigned levels of authorization of the source DTEs using the respective entry (video codec) point of the network for access to specified destinations , and validation means responsive to comparison of the DTE source authorization information contained in a packet under examination by the administrative means to the pre-assigned level of authorization for that source DTE for granting or denying access thereby through the associated packet switch to the destination address with which a communication session is requested .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5142622A

Filed: 1989-01-31     Issued: 1992-08-25

System for interconnecting applications across different networks of data processing systems by mapping protocols across different network domains

(Original Assignee) International Business Machines Corp     (Current Assignee) Cisco Technology Inc

Gary L. Owens
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions (intermediate data) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US5142622A
CLAIM 3
. A system for communicating between a first data processing system in a first network domain and a second data processing system in a second network domain , wherein said first network domain has a network protocol architecture different from said second network domain , said system comprising : at least one communication end point object in a layer of said first data processing system ;
an intermediate data (computer executable instructions) processing system having at least one communication end point object in a layer of said intermediate data processing system ;
at least one communication end point object in a layer of said second data processing system ;
means , in said intermediate data processing system , for establishing automatically routed connections in said layer of said first data processing system , said layer of said second data processing system and said intermediate data processing system and comprising means for mapping protocols between said first and second network domain , said first and second processing systems each including means for executing respective application programs ;
and means for communicating through said automatically routed connections between said first data processing system in said first network domain and said second data processing system in said second network domain .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (socket connection) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5142622A
CLAIM 6
. A system for communicating between a first data processing system in a first network domain and a second data processing system in a second network domain , wherein said first network domain has a network protocol architecture different from said second network domain , said system comprising : at least one socket in a socket layer of said first data processing system in said first network domain ;
at least one socket in a socket layer of said second data processing system in said second network domain ;
means , independently of an application running on either of said data processing systems , for establishing in said socket layer of said first data processing system and in said socket layer of said second data processing system an automatically routed socket connection (electronic communication) between said first data processing system and said second data processing system and comprising means for mapping addresses between said first and second network domain ;
and means for communicating through said socket connection between said first data processing system and said second data processing system .

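The filtering element charted above for claims 1, 5, 12 and 22 of US7739302B2 (an internal component of the NAD, or a NAD server in front of it, examining the packet header for a source IP address, a destination IP address and a route, and granting access only when the request is authorized, independently of any perimeter firewall) can be modelled directly. The following is an added illustration, not code from the patent, its assignees or any charted prior art: it parses an IPv4 header, treats the presence of a loose or strict source-route option as the "route" information the claims refer to (an interpretive assumption), and applies a per-NAD allowlist of client addresses. The NAD address, the client addresses and the packets are constructed sample data, and the header checksum is not computed because the filter ignores it.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# IPv4 option kinds for loose and strict source routing (RFC 791).
OPT_LSRR = 0x83
OPT_SSRR = 0x89


@dataclass(frozen=True)
class HeaderInfo:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    protocol: int
    source_routed: bool  # a source-route option dictates the packet's route


def parse_ipv4_header(packet: bytes) -> Optional[HeaderInfo]:
    """Extract source, destination and route information from an IPv4 header.

    Returns None for anything malformed so that the caller fails closed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    source_routed = False
    options, i = packet[20:ihl], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No Operation
            i += 1
            continue
        if i + 1 >= len(options):
            return None        # option header truncated
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None        # option body runs past the header
        if kind in (OPT_LSRR, OPT_SSRR):
            source_routed = True
        i += length
    return HeaderInfo(src, dst, packet[9], source_routed)


@dataclass(frozen=True)
class NadFilter:
    """The NAD's internal filter: decides each request from header fields alone
    (assumed policy: only listed clients, only this NAD's address, no source routing)."""
    nad_address: ipaddress.IPv4Address
    allowed_clients: FrozenSet[ipaddress.IPv4Address]

    def authorize(self, packet: bytes) -> Tuple[bool, str]:
        hdr = parse_ipv4_header(packet)
        if hdr is None:
            return False, "malformed header"
        if hdr.dst != self.nad_address:
            return False, "destination %s is not this NAD" % hdr.dst
        if hdr.source_routed:
            return False, "source-routed packet"
        if hdr.src not in self.allowed_clients:
            return False, "source %s not authorized" % hdr.src
        return True, "authorized"


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test packets; the header checksum is left zero since the filter ignores it."""
    options = options + b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + payload


if __name__ == "__main__":
    nad = NadFilter(ipaddress.IPv4Address("192.0.2.10"),
                    frozenset({ipaddress.IPv4Address("192.0.2.20")}))
    lsrr = bytes([OPT_LSRR, 7, 4]) + ipaddress.IPv4Address("198.51.100.1").packed
    for name, pkt in [("allowed client", build_ipv4("192.0.2.20", "192.0.2.10")),
                      ("unknown LAN host", build_ipv4("192.0.2.99", "192.0.2.10")),
                      ("source-routed", build_ipv4("192.0.2.20", "192.0.2.10", options=lsrr)),
                      ("truncated", b"\x45" * 10)]:
        print(name, nad.authorize(pkt))
```

Two points matter for anyone reading the claims against real deployments: an address-only decision of this kind is defeated by a spoofed source address on the same segment, which is why the claims' "in addition to any protection afforded by a firewall" language describes defence in depth rather than a substitute for it; and a parser that returns None on a truncated or oversized option list makes the filter fail closed, whereas a parser that silently skips bad options lets a malformed header reach the data management component.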



US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5136707A

Filed: 1988-10-28     Issued: 1992-08-04

Reliable database administration arrangement

(Original Assignee) Nokia Bell Labs     (Current Assignee) Nokia Bell Labs ; AT&T Information Systems Inc ; AT&T Corp

Frederick P. Block, Norman C. Chan
US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (requested data) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US5136707A
CLAIM 24
. An apparatus comprising : means for modifying a database having a plurality of modifiable portions ;
means for storing records of modifications made to the database portions ;
means for occasionally generating and storing boot copies of the database portions ;
and means responsive to a request from a requester for a database portion , for sending to the requester the stored boot copy of the requested data (storing instructions) base portion and the stored records of modifications that have been made to the requested database portion since the stored boot copy was generated .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (other node) device , the selectively generated packet containing the request for access to the directly attached device .
US5136707A
CLAIM 19
. The method of claim 16 in an apparatus having a first node including the database and a plurality of other node (intermediary computing, intermediary computing device) s including cache copies of the database portions , the method further comprising the step of : in response to modifying a database portion , notifying the node at which a cache copy of the database portion is located of the modification .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests (corresponding database) over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US5136707A
CLAIM 4
. An apparatus comprising : a database having a plurality of modifiable portions having a first format ;
a plurality of storage means connected to the database , each corresponding with a different one of the database portions , each for storing records of modifications made to the corresponding database (receiving requests) portion ;
memory means connected to the database for storing a plurality of boot copies of the database portions , each boot copy corresponding with a different one of the database portions and having a second format different from the first format ;
means connected to the plurality of storage means and responsive to modification of a database portion , for making a record of the modification in the storage means corresponding to the modified database portion ;
and means connected to the plurality of storage means and to the memory means , responsive to a request from a requester for a cache copy of a database portion , for sending to the requester the boot copy of the requested portion and the modifications presently recorded in the storage means corresponding to the requested portion .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US5088052A

Filed: 1988-07-15     Issued: 1992-02-11

System for graphically representing and manipulating data stored in databases

(Original Assignee) Digital Equipment Corp     (Current Assignee) Hewlett Packard Development Co LP

Howard A. Spielman, C. J. Considine
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (database records) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US5088052A
CLAIM 7
. A system for graphically representing and manipulating data stored in a plurality of databases and for retrieving said data from said databases in response to receipt of a data retrieval request from a user , said system comprising : an input screen display generated in response to receipt of said data retrieval request , wherein said input screen display is divided into a plurality of sections all of which are displayed simultaneously and from which the user can select various data retrieval identifiers ;
means for selecting at least one of said data retrieval identifiers from said input screen display wherein said selected data retrieval identifiers are used to augment said data retrieval request ;
a processor for executing said data retrieval request in response to selection of said data retrieval identifiers , said processor further used for retrieving data from said database as called for by said data retrieval identifiers and for processing said retrieved data as called for by said data retrieval identifiers to generate processed data ;
and an output screen display for displaying said processed data , wherein said output screen display replaces said input screen display ;
wherein said data retrieval identifiers comprise : a . data identifiers displayed in a first of said sections of said input display screen for selection by a user , each of said data identifiers corresponding to at least one of said databases and at least one record and one field in said database , said processor using said data identifiers to retrieve the contents of said record and field in said database ;
b . function identifiers displayed in a second of said sections of said input display screen for selection by the user , said processor using said function identifiers to process said contents of said database records (data management component) and fields for display ;
c . measure identifiers displayed in a third of said sections of said input display screen for selection by a user , said processor using said measure selection criteria to specify certain values or ranges of values to limit the data retrieved and displayed by said data retrieval request ;
and d . analysis identifiers displayed in a fourth of said sections of said input display screen for selection by a user , said processor using said analysis identifiers to determine display characteristics of said processed data as it is displayed on said output screen .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (determining characteristics) , and a video codec .
US5088052A
CLAIM 5
. A system as defined in claim 1 wherein said input screen further comprises analysis selection criteria identifiers for selection by a user , said analysis criteria determining characteristics (storage device) of said processed data displayed on said output screen .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (determining characteristics) , and a video codec .
US5088052A
CLAIM 5
. A system as defined in claim 1 wherein said input screen further comprises analysis selection criteria identifiers for selection by a user , said analysis criteria determining characteristics (storage device) of said processed data displayed on said output screen .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4806743A

Filed: 1987-11-16     Issued: 1989-02-21

Installation for managing the "visitor" resource at a trade show, or fair, or the like

(Original Assignee) Thenery Jean Jacques     (Current Assignee) THENERY JEAN JACQUES

Jean-Jacques Thenery
US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (respective memory) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4806743A
CLAIM 1
. In an organization comprising a plurality of serving entities and a plurality of persons liable to come into contact with said serving entities , an installation for making a plurality of subfiles taken from a global file containing information relating to each person , each subfile being associated with a corresponding serving entity and being based on contacts made between said people and said serving entities , the installation comprising : input means for making the individual records of said global file using information provided by each person ;
association and delivery means for associating an identification number with each record and for delivering to each person personal badge including a medium on which said identification number is encoded ;
a plurality of read and data transfer units respectively associated with each of the serving entities and suitable for recording in respective memory (IP addresses) units the identification numbers read from the badges of each of the persons making contact with the respective serving entities ;
and means for making said plurality of subfiles on the basis of the contents of said memory units and of said global file .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US4806743A
CLAIM 1
. In an organization comprising a plurality of serving entities and a plurality of persons liable to come into contact with said serving entities , an installation for making a plurality of subfiles taken from a global file containing information relating to each person , each subfile being associated with a corresponding serving entity and being based on contacts made between said people and said serving entities , the installation comprising : input means for making the individual records of said global file using information provided by each person ;
association and delivery means for associating an identification number with each record and for delivering to each person personal badge including a medium on which said identification number is encoded ;
a plurality of read and data transfer units respectively associated with each of the serving entities and suitable for recording in respective memory units the identification numbers read from the badges of each of the persons making contact with the respective serving entities ;
and means for making said plurality of subfiles on the basis of the contents of said memory (storing instructions) units and of said global file .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4823373A

Filed: 1987-10-16     Issued: 1989-04-18

Line switching control system for mobile communication

(Original Assignee) Oki Electric Industry Co Ltd     (Current Assignee) Canon Inc

Chusei Takahashi, Tadashi Amakasu, Hiroshi Etoh
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (control signals) for accepting requests for network access to the NAD from a plurality of network clients having different operating (function key) systems .
US4823373A
CLAIM 2
. A line switching control system according to claim 1 , wherein said input means comprises a key switch composed of a plurality of dial keys and a plurality of function key (different operating) s .

US4823373A
CLAIM 3
. A line switching control system used in a mobile telephone set including a transmitter/receiver unit , a control unit which comprises a handset and a cradle , and a data modem , comprising : (a) a key switch means combined with said handset for inputting line switching information ;
(b) a common data bus for electrically connecting said transmitter/receiver unit , said control unit , and said modem ;
(c) signal lines for electrically connecting said transmitter/receiver unit , said control unit , and said data modem , said signal lines including at least one signal line for transmitting an audio frequency signal ;
(d) a first control means provided in said control unit for detecting said line switching information and generating a predetermined data pattern in response to said detection of said line switching information ;
(e) a second control means provided in said data modem for detecting said predetermined data pattern sent from said first control means via said common data bus , said second control means via said common data bus , said second detection of said predetermined data pattern ;
and (f) a switching means provided in said data modem for effecting switching , in response to said control signals (network protocol programs) , between a first mode in which said signal lines from said transmitter/receiver unit are electrically connected to said data modem and a second mode in which said signal lines are electrically connected to said control unit .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access (predetermined data pattern) to a proper port over the directly attached device interface .
US4823373A
CLAIM 3
. A line switching control system used in a mobile telephone set including a transmitter/receiver unit , a control unit which comprises a handset and a cradle , and a data modem , comprising : (a) a key switch means combined with said handset for inputting line switching information ;
(b) a common data bus for electrically connecting said transmitter/receiver unit , said control unit , and said modem ;
(c) signal lines for electrically connecting said transmitter/receiver unit , said control unit , and said data modem , said signal lines including at least one signal line for transmitting an audio frequency signal ;
(d) a first control means provided in said control unit for detecting said line switching information and generating a predetermined data pattern (requests contain information to gain access) in response to said detection of said line switching information ;
(e) a second control means provided in said data modem for detecting said predetermined data pattern sent from said first control means via said common data bus , said second control means via said common data bus , said second detection of said predetermined data pattern ;
and (f) a switching means provided in said data modem for effecting switching , in response to said control signals , between a first mode in which said signal lines from said transmitter/receiver unit are electrically connected to said data modem and a second mode in which said signal lines are electrically connected to said control unit .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4799153A

Filed: 1987-09-17     Issued: 1989-01-17

Method and apparatus for enhancing security of communications in a packet-switched data communications system

(Original Assignee) TELENET COMMUNICATIONS CORP     (Current Assignee) Sprint International Communications Corp

J. David Hann, Theodore S. Holdahl, James C. P. Lum
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said format) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4799153A
CLAIM 1
. In a packet-switched data communications system having a network with at least one data entry and display terminal for system users and at least one host data processor having a stored database for communicating with said terminal via plural data transmission paths of said network (NAD server) , wherein communication and processing of data is accomplished according to a pre-established protocol and data format and with preprogrammed software and wherein any user may obtain access from a terminal to the database associated with a selected processor for a data communications session therewith , the security improvement comprising : a terminal security means introduced into said system in data communicative relationship with said terminal and said network for generating an initial data packet including data identifying an authorized user and the address of the processor with the database to be accessed , in advance of at least one additional data packet containing message data to be processed by the addressed processor , said initial data packet generated in said format (data packet) and compatible with said protocol but incompatible with said programmed software for processing by the addressed processor , said terminal security means including means responsive to user-initiated data entry seeking access from a terminal for detecting whether the data entry includes user identify data , and means responsive to said detection for transmitting said initial data packet and said at least one additional data packet to the addressed processor via said network ;
and a host security means introduced into said system in data communicative relationship with said network to intercept and process said initial data packet for allowing or denying the requested access according to whether any user identity data contained in the intercepted initial data packet designates the initiating user as authorized or unauthorized , respectively , to obtain the requested access , said incompatibility of said initial data packet rendering it and immediately following data packets unsuitable for processing by the addressed processor , whereby neither data contained in the initial data packet nor the message data contained in additional data packets immediately following said initial data packet can be processed by the addressed processor should said host security means fail for any reason to intercept said initial data packet , said host security means including means for processing the intercepted initial data packet to detect any such user identity data contained therein , means responsive to detected user identity data for authenticating the authorization of the user therefrom , and means responsive to authentication of user authorization for generating an artificial data packet in place of said initial data packet , to render the immediately following data packets compatible with both said protocol and said preprogrammed software to enable the addressed processor to process the message data contained in said at least one additional data packet and to provide the requested access for a communications session with the authorized user .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (enable access) .
US4799153A
CLAIM 5
. The improvement according to claim 1 , wherein said host security means further includes means responsive to said authentication of user authorization for rendering said host security means transparent throughout the duration of the respective communications session , whereby an authorized user may communicate with the addressed processor from the terminal via said network (NAD server) without intervention of said host security means during such communications session .

US4799153A
CLAIM 6
. The improvement according to claim 1 , wherein user access in said data communications system further requires entry of a prescribed data password at a terminal to enable access (network clients having different operating systems) to the database associated with a selected processor , and wherein the functions performed by said terminal security means and said host security means as recited in claim 1 provide an added security measure in said system to the security offered by transmission of the entered password via the network to the addressed processor for comparison with the prescribed data password thereat .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said format) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses (packet including data, address data) contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4799153A
CLAIM 8
. The method according to claim 7 , further including providing each authorized user with pre-encoded media configured for insertion into the terminal to initiate data entry from the terminal and identify the user as authorized , and suppressing the display of user identity data and host processor address data (IP addresses) at said terminal .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
GB2187009A

Filed: 1987-02-20     Issued: 1987-08-26

A knowledge-based system having a plurality of processors

(Original Assignee) Hitachi Ltd     (Current Assignee) Hitachi Ltd

Shoichi Masui, Shunichi Tano, Seiji Sakaguchi, Motohisa Funabashi
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive a request contained in a data packet (said transmission) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source (third memory) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
GB2187009A
CLAIM 1
. A knowledge-based system , including : (a) transmission line means for transmitting a message ; (b) message management means connected to said transmission line means ; and (c) a plurality of knowledge processors which are connected to said transmission line means and each of which includes a knowledge base for storing knowledge information and executes a reasoning process for replying to a request from a user by utilizing the knowledge information ; wherein when each said knowledge processor cannot resolve the request from the user with the knowledge information stored in said knowledge base of its own , it sends said transmission line means a request message for asking at least one other knowledge processor for the resolution of the request , and when it has received a request message from any other knowledge processor , it forwards a reply message indicating a result of a reasoning process for the request , to said message management means through said transmission line means ; and wherein said message management means manages the reply message received from said knowledge processor , in correspondence with the request messages already received and stored , and when a status of a reply to one request has satisfied a predetermined condition , it forwards the reply message to said knowledge processor having issued the request .
(continuation of claim 2) ... that effect , to said transmission (data packet) line through said communication means ; said message management means including : (f) third memory (network source) means ; and (g) second processor means for storing the request messages delivered by said knowledge processors to said transmission line , in said third memory means and for processing the reply messages delivered by said knowledge processors to said transmission line , in correspondence with the request messages stored in said third memory means , wherein when a reply to one request message has satisfied a predetermined condition , said second processor means gives the reply to said knowledge processor having issued the request .
3 . A knowledge-based system according to claim 2 , wherein each said reasoning processor sends a request message to the plurality of other knowledge processors , and when said second processor means has received one reply message reporting the resolution of a request from said transmission line or has received as to one request , reply messages reporting to the effect that it cannot be resolved , from all the knowledge processors having received request messages , it gives a message for affording the reasoned result , to a sending source of the request .
4 . A knowledge-based system according to claim 3 , wherein said transmission line is a loop transmission line which serially connects said respective knowledge processors and the message control means .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said transmission) containing the request for network access is complete , the information relating to at least one of the network source (third memory) , destination , and route of the data packet .
GB2187009A
CLAIM 1
. A knowledge-based system , including : (a) transmission line means for transmitting a message ; (b) message management means connected to said transmission line means ; and (c) a plurality of knowledge processors which are connected to said transmission line means and each of which includes a knowledge base for storing knowledge information and executes a reasoning process for replying to a request from a user by utilizing the knowledge information ; wherein when each said knowledge processor cannot resolve the request from the user with the knowledge information stored in said knowledge base of its own , it sends said transmission line means a request message for asking at least one other knowledge processor for the resolution of the request , and when it has received a request message from any other knowledge processor , it forwards a reply message indicating a result of a reasoning process for the request , to said message management means through said transmission line means ; and wherein said message management means manages the reply message received from said knowledge processor , in correspondence with the request messages already received and stored , and when a status of a reply to one request has satisfied a predetermined condition , it forwards the reply message to said knowledge processor having issued the request .
(continuation of claim 2) ... that effect , to said transmission (data packet) line through said communication means ; said message management means including : (f) third memory (network source) means ; and (g) second processor means for storing the request messages delivered by said knowledge processors to said transmission line , in said third memory means and for processing the reply messages delivered by said knowledge processors to said transmission line , in correspondence with the request messages stored in said third memory means , wherein when a reply to one request message has satisfied a predetermined condition , said second processor means gives the reply to said knowledge processor having issued the request .
3 . A knowledge-based system according to claim 2 , wherein each said reasoning processor sends a request message to the plurality of other knowledge processors , and when said second processor means has received one reply message reporting the resolution of a request from said transmission line or has received as to one request , reply messages reporting to the effect that it cannot be resolved , from all the knowledge processors having received request messages , it gives a message for affording the reasoned result , to a sending source of the request .
4 . A knowledge-based system according to claim 3 , wherein said transmission line is a loop transmission line which serially connects said respective knowledge processors and the message control means .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said transmission) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source (third memory) , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
GB2187009A
CLAIM 1
. A knowledge-based system , including : (a) transmission line means for transmitting a message ; (b) message management means connected to said transmission line means ; and (c) a plurality of knowledge processors which are connected to said transmission line means and each of which includes a knowledge base for storing knowledge information and executes a reasoning process for replying to a request from a user by utilizing the knowledge information ; wherein when each said knowledge processor cannot resolve the request from the user with the knowledge information stored in said knowledge base of its own , it sends said transmission line means a request message for asking at least one other knowledge processor for the resolution of the request , and when it has received a request message from any other knowledge processor , it forwards a reply message indicating a result of a reasoning process for the request , to said message management means through said transmission line means ; and wherein said message management means manages the reply message received from said knowledge processor , in correspondence with the request messages already received and stored , and when a status of a reply to one request has satisfied a predetermined condition , it forwards the reply message to said knowledge processor having issued the request .
(continuation of claim 2) ... that effect , to said transmission (data packet) line through said communication means ; said message management means including : (f) third memory (network source) means ; and (g) second processor means for storing the request messages delivered by said knowledge processors to said transmission line , in said third memory means and for processing the reply messages delivered by said knowledge processors to said transmission line , in correspondence with the request messages stored in said third memory means , wherein when a reply to one request message has satisfied a predetermined condition , said second processor means gives the reply to said knowledge processor having issued the request .
3 . A knowledge-based system according to claim 2 , wherein each said reasoning processor sends a request message to the plurality of other knowledge processors , and when said second processor means has received one reply message reporting the resolution of a request from said transmission line or has received as to one request , reply messages reporting to the effect that it cannot be resolved , from all the knowledge processors having received request messages , it gives a message for affording the reasoned result , to a sending source of the request .
4 . A knowledge-based system according to claim 3 , wherein said transmission line is a loop transmission line which serially connects said respective knowledge processors and the message control means .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said transmission) arrived via an authorized network interface .
GB2187009A
CLAIM 1
. A knowledge-based system , including : (a) transmission line means for transmitting a message ; (b) message management means connected to said transmission line means ; and (c) a plurality of knowledge processors which are connected to said transmission line means and each of which includes a knowledge base for storing knowledge information and executes a reasoning process for replying to a request from a user by utilizing the knowledge information ; wherein when each said knowledge processor cannot resolve the request from the user with the knowledge information stored in said knowledge base of its own , it sends said transmission line means a request message for asking at least one other knowledge processor for the resolution of the request , and when it has received a request message from any other knowledge processor , it forwards a reply message indicating a result of a reasoning process for the request , to said message management means through said transmission line means ; and wherein said message management means manages the reply message received from said knowledge processor , in correspondence with the request messages already received and stored , and when a status of a reply to one request has satisfied a predetermined condition , it forwards the reply message to said knowledge processor having issued the request .
(continuation of claim 2) ... that effect , to said transmission (data packet) line through said communication means ; said message management means including : (f) third memory means ; and (g) second processor means for storing the request messages delivered by said knowledge processors to said transmission line , in said third memory means and for processing the reply messages delivered by said knowledge processors to said transmission line , in correspondence with the request messages stored in said third memory means , wherein when a reply to one request message has satisfied a predetermined condition , said second processor means gives the reply to said knowledge processor having issued the request .
3 . A knowledge-based system according to claim 2 , wherein each said reasoning processor sends a request message to the plurality of other knowledge processors , and when said second processor means has received one reply message reporting the resolution of a request from said transmission line or has received as to one request , reply messages reporting to the effect that it cannot be resolved , from all the knowledge processors having received request messages , it gives a message for affording the reasoned result , to a sending source of the request .
4 . A knowledge-based system according to claim 3 , wherein said transmission line is a loop transmission line which serially connects said respective knowledge processors and the message control means .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said transmission) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
GB2187009A
CLAIM 1
. A knowledge-based system , including : (a) transmission line means for transmitting a message ; (b) message management means connected to said transmission line means ; and (c) a plurality of knowledge processors which are connected to said transmission line means and each of which includes a knowledge base for storing knowledge information and executes a reasoning process for replying to a request from a user by utilizing the knowledge information ; wherein when each said knowledge processor cannot resolve the request from the user with the knowledge information stored in said knowledge base of its own , it sends said transmission line means a request message for asking at least one other knowledge processor for the resolution of the request , and when it has received a request message from any other knowledge processor , it forwards a reply message indicating a result of a reasoning process for the request , to said message management means through said transmission line means ; and wherein said message management means manages the reply message received from said knowledge processor , in correspondence with the request messages already received and stored , and when a status of a reply to one request has satisfied a predetermined condition , it forwards the reply message to said knowledge processor having issued the request .
(continuation of claim 2) ... that effect , to said transmission (data packet) line through said communication means ; said message management means including : (f) third memory means ; and (g) second processor means for storing the request messages delivered by said knowledge processors to said transmission line , in said third memory means and for processing the reply messages delivered by said knowledge processors to said transmission line , in correspondence with the request messages stored in said third memory means , wherein when a reply to one request message has satisfied a predetermined condition , said second processor means gives the reply to said knowledge processor having issued the request .
3 . A knowledge-based system according to claim 2 , wherein each said reasoning processor sends a request message to the plurality of other knowledge processors , and when said second processor means has received one reply message reporting the resolution of a request from said transmission line or has received as to one request , reply messages reporting to the effect that it cannot be resolved , from all the knowledge processors having received request messages , it gives a message for affording the reasoned result , to a sending source of the request .
4 . A knowledge-based system according to claim 3 , wherein said transmission line is a loop transmission line which serially connects said respective knowledge processors and the message control means .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said transmission) containing the request for network access includes at least one of an IP address of a network source (third memory) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
GB2187009A
CLAIM 2
. A knowledge-based system comprising a plurality of knowledge processors each of which performs a reasoning operation in compliance with a request from a user , and message management means connected with said respective knowledge processors through a transmission line , each said knowledge processor including : (a) interface means for conversation with the user ; (b) communication means for sending and receiving messages to and from said transmission (data packet) line ; (c) first memory means for storing knowledge information ; (d) second memory means for storing a first request applied from said user interface means , and a second request applied from any other knowledge processor through said communication means ; and (e) a reasoning processor which reads out an unresolved request from said second memory means and performs a reasoning process for resolving the request by applying the knowledge information , and which delivers a reply message to the user interface when the resolved request is the first request and to said communication means when the resolved request is the second request , wherein when said reasoning processor cannot resolve the first request or a third request generated by itself in the course of the reasoning , with the knowledge information stored in said first memory , it delivers a request message for asking any other knowledge processor or processors for resolving the first or third request , to
5 . A knowledge-based system constructed substantially as herein described with reference to and as illustrated in the accompanying drawings .
Printed for Her Majesty's Stationery Office by Croydon Printing Company (UK) Ltd , 7187 , D8991685 . Published by The Patent Office , 25 Southampton Buildings , London , WC2A 1AY , from which copies may be obtained .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said transmission) containing the request for network access includes at least one of an IP address of a network source (third memory) , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
GB2187009A
CLAIM 2
. A knowledge-based system comprising a plurality of knowledge processors each of which performs a reasoning operation in compliance with a request from a user , and message management means connected with said respective knowledge processors through a transmission line , each said knowledge processor including : (a) interface means for conversation with the user ; (b) communication means for sending and receiving messages to and from said transmission (data packet) line ; (c) first memory means for storing knowledge information ; (d) second memory means for storing a first request applied from said user interface means , and a second request applied from any other knowledge processor through said communication means ; and (e) a reasoning processor which reads out an unresolved request from said second memory means and performs a reasoning process for resolving the request by applying the knowledge information , and which delivers a reply message to the user interface when the resolved request is the first request and to said communication means when the resolved request is the second request , wherein when said reasoning processor cannot resolve the first request or a third request generated by itself in the course of the reasoning , with the knowledge information stored in said first memory , it delivers a request message for asking any other knowledge processor or processors for resolving the first or third request , to
5 . A knowledge-based system constructed substantially as herein described with reference to and as illustrated in the accompanying drawings .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit to selectively generate a packet for communication to an intermediary computing (third request) device , the selectively generated packet containing the request for access to the directly attached device .
GB2187009A
CLAIM 2
. A knowledge-based system comprising a plurality of knowledge processors each of which performs a reasoning operation in compliance with a request from a user , and message management means connected with said respective knowledge processors through a transmission line , each said knowledge processor including : (a) interface means for conversation with the user ; (b) communication means for sending and receiving messages to and from said transmission line ; (c) first memory means for storing knowledge information ; (d) second memory means for storing a first request applied from said user interface means , and a second request applied from any other knowledge processor through said communication means ; and (e) a reasoning processor which reads out an unresolved request from said second memory means and performs a reasoning process for resolving the request by applying the knowledge information , and which delivers a reply message to the user interface when the resolved request is the first request and to said communication means when the resolved request is the second request , wherein when said reasoning processor cannot resolve the first request or a third request (intermediary computing) generated by itself in the course of the reasoning , with the knowledge information stored in said first memory , it delivers a request message for asking any other knowledge processor or processors for resolving the first or third request , to
5 . A knowledge-based system constructed substantially as herein described with reference to and as illustrated in the accompanying drawings .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source (third memory) , an IP address of a network destination , and a route of the data packet (said transmission) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
GB2187009A
CLAIM 2
. A knowledge-based system comprising a plurality of knowledge processors each of which performs a reasoning operation in compliance with a request from a user , and message management means connected with said respective knowledge processors through a transmission line , each said knowledge processor including : (a) interface means for conversation with the user ; (b) communication means for sending and receiving messages to and from said transmission (data packet) line ; (c) first memory means for storing knowledge information ; (d) second memory means for storing a first request applied from said user interface means , and a second request applied from any other knowledge processor through said communication means ; and (e) a reasoning processor which reads out an unresolved request from said second memory means and performs a reasoning process for resolving the request by applying the knowledge information , and which delivers a reply message to the user interface when the resolved request is the first request and to said communication means when the resolved request is the second request , wherein when said reasoning processor cannot resolve the first request or a third request generated by itself in the course of the reasoning , with the knowledge information stored in said first memory , it delivers a request message for asking any other knowledge processor or processors for resolving the first or third request , to
5 . A knowledge-based system constructed substantially as herein described with reference to and as illustrated in the accompanying drawings .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4893248A

Filed: 1987-02-06     Issued: 1990-01-09

Monitoring and reporting system for remote terminals

(Original Assignee) Access Corp     (Current Assignee) DIGEQUIP SECURITY INDUSTRIES Inc ; NATIONAL RURAL TELECOMMUNICATIONS COOPERATIVE

W. Hampton Pitts, Ronald G. Thomas
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said transmission) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission (data packet) lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (transmitted data, computer program) for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US4893248A
CLAIM 1
. A remote terminal for use in a system for monitoring and accumulating data indicative of viewer authorized pay per view programs on a television set at each of a plurality of remote terminals , each of said remote terminals connected by non-dedicated telephone lines for transmitting said accumulated data over said telephone lines to a host computer at a central station , said host computer processing said transmitted data (network protocol programs) to provide bills to said viewers , each of said remote terminals comprising : (a) means actuated by a viewer for authorizing the viewing of a pay per view program upon the television set ;
(b) means connected to said authorizing means and responsive to the viewer actuation of said authorizing means for monitoring the viewing of said pay per view program to provide program data indicative thereof ;
(c) memory means connected to said monitoring means for storing said program data therefrom ;
and (d) means connected to said authorizing means and said memory means , and responsive to said authorization for transmitting over said telephone lines to said host computer a report message including said program data .

US4893248A
CLAIM 51
. The remote terminal as claimed in claim 48 , wherein said memory means also stores an executable computer program (network protocol programs) , and there is further included a computer processor for cyclically executing said program , and said examining means responds in the course of each cyclical execution of said computer program to examine said initializing data to determine the integrity thereof .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said transmission) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission (data packet) lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (central station) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said transmission) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4893248A
CLAIM 1
. A remote terminal for use in a system for monitoring and accumulating data indicative of viewer authorized pay per view programs on a television set at each of a plurality of remote terminals , each of said remote terminals connected by non-dedicated telephone lines for transmitting said accumulated data over said telephone lines to a host computer at a central station (electronic communication) , said host computer processing said transmitted data to provide bills to said viewers , each of said remote terminals comprising : (a) means actuated by a viewer for authorizing the viewing of a pay per view program upon the television set ;
(b) means connected to said authorizing means and responsive to the viewer actuation of said authorizing means for monitoring the viewing of said pay per view program to provide program data indicative thereof ;
(c) memory means connected to said monitoring means for storing said program data therefrom ;
and (d) means connected to said authorizing means and said memory means , and responsive to said authorization for transmitting over said telephone lines to said host computer a report message including said program data .

US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission (data packet) lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said transmission) arrived via an authorized network interface .
US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission (data packet) lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said transmission) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission (data packet) lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said transmission) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission (data packet) lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (computer processor) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said transmission) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission (data packet) lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US4893248A
CLAIM 51
. The remote terminal as claimed in claim 48 , wherein said memory means also stores an executable computer program , and there is further included a computer processor (storing instructions) for cyclically executing said program , and said examining means responds in the course of each cyclical execution of said computer program to examine said initializing data to determine the integrity thereof .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device , and a video codec (current view) .
US4893248A
CLAIM 25
. The remote terminal as claimed in claim 24 , wherein there is included means responsive to said deauthorizing of said pay per view TV program for calculating a current viewing (video codec) time of said authorized pay per view TV program as the difference between said first and second real times .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (said transmission) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission (data packet) lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (monitoring system) is further configured to manage access over a SCSI interface .
US4893248A
CLAIM 44
. A system for monitoring events occurring at a plurality of remote terminals and reporting event data indicative thereof over transmission lines to a host computer disposed at a central station , said monitoring system (managing means) comprising : (a) a plurality of said remote terminals , each comprised of : (1) means for monitoring said events to provide event data indicative thereof ;
(2) memory means connected to said monitoring means for storing said event data therefrom ;
and (3) transmitting means connected to said memory means and to one of said transmission lines for establishing a connection with said host computer and thereafter for accessing said event data in said memory means and for transmitting over said transmission line to said host computer a report message including said event data , said transmitting means comprising means for determining whether said connection was completed and , if not , for incrementing a number indicative of the unsuccessful transmissions of said report message , said number is stored in said memory means , and means for incorporating said number in said report message ;
and (b) said host computer comprising means for receiving said report message from each of said plurality of remote terminals .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device , and a video codec (current view) .
US4893248A
CLAIM 25
. The remote terminal as claimed in claim 24 , wherein there is included means responsive to said deauthorizing of said pay per view TV program for calculating a current viewing (video codec) time of said authorized pay per view TV program as the difference between said first and second real times .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4817050A

Filed: 1986-11-21     Issued: 1989-03-28

Database system

(Original Assignee) Toshiba Corp     (Current Assignee) Toshiba Corp

Kenichi Komatsu, Kiyoshi Tawara, Eitaro Nishihara, Seiji Fujimoto
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (said network) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4817050A
CLAIM 8
. A system according to claim 1 , wherein : said file management means includes means for directly transferring data read out from said second data file means to said network (NAD server) system .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server (said network) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (recording medium) .
US4817050A
CLAIM 8
. A system according to claim 1 , wherein : said file management means includes means for directly transferring data read out from said second data file means to said network (NAD server) system .

US4817050A
CLAIM 17
. A system according to claim 16 , wherein : said memory unit of the second data file means is an optical disc unit having an optical disc as a data recording medium (network clients having different operating systems) , and said fourth data file means includes a memory unit comprising an optical disc stock unit capable of stocking a plurality of optical discs and carrying means for moving an optical disc between said optical disc stock unit and said optical disc unit .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication (exchanging data) with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4817050A
CLAIM 1
. A database system provided in a network system capable of exchanging data (electronic communication) , and capable of storing and retrieving the data via the network system , comprising : first data file means , having a rewritable memory unit , for storing data supplied through the network system ;
second data file means , having a memory unit with a larger memory capacity than that of said memory unit of the first data file means , for storing data to be transferred from said first data file means ;
and file management means , for managing the access and storage of data in both said first and second data file means , said file management means being responsive to a utilization characteristic of data stored in said first data file means .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit (data recording) ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US4817050A
CLAIM 17
. A system according to claim 16 , wherein : said memory unit of the second data file means is an optical disc unit having an optical disc as a data recording (processing unit) medium , and said fourth data file means includes a memory unit comprising an optical disc stock unit capable of stocking a plurality of optical discs and carrying means for moving an optical disc between said optical disc stock unit and said optical disc unit .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (data recording) to determine whether each packet arrived via an authorized network interface .
US4817050A
CLAIM 17
. A system according to claim 16 , wherein : said memory unit of the second data file means is an optical disc unit having an optical disc as a data recording (processing unit) medium , and said fourth data file means includes a memory unit comprising an optical disc stock unit capable of stocking a plurality of optical discs and carrying means for moving an optical disc between said optical disc stock unit and said optical disc unit .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (data recording) to determine whether each packet contains an unauthorized IP address .
US4817050A
CLAIM 17
. A system according to claim 16 , wherein : said memory unit of the second data file means is an optical disc unit having an optical disc as a data recording (processing unit) medium , and said fourth data file means includes a memory unit comprising an optical disc stock unit capable of stocking a plurality of optical discs and carrying means for moving an optical disc between said optical disc stock unit and said optical disc unit .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (data recording) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
US4817050A
CLAIM 17
. A system according to claim 16 , wherein : said memory unit of the second data file means is an optical disc unit having an optical disc as a data recording (processing unit) medium , and said fourth data file means includes a memory unit comprising an optical disc stock unit capable of stocking a plurality of optical discs and carrying means for moving an optical disc between said optical disc stock unit and said optical disc unit .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (data recording) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US4817050A
CLAIM 17
. A system according to claim 16 , wherein : said memory unit of the second data file means is an optical disc unit having an optical disc as a data recording (processing unit) medium , and said fourth data file means includes a memory unit comprising an optical disc stock unit capable of stocking a plurality of optical discs and carrying means for moving an optical disc between said optical disc stock unit and said optical disc unit .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (when data) .
US4817050A
CLAIM 14
. A system according to claim 1 , wherein : said file management means includes control means which , when data (SCSI interface) stored in said second data file means is accessed , transfers a predetermined data group including the accessed data from said second data file means to first data file means .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (when data) .
US4817050A
CLAIM 14
. A system according to claim 1 , wherein : said file management means includes control means which , when data (SCSI interface) stored in said second data file means is accessed , transfers a predetermined data group including the accessed data from said second data file means to first data file means .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4745560A

Filed: 1985-10-15     Issued: 1988-05-17

Method of controlling a bit-image printer

(Original Assignee) International Business Machines Corp     (Current Assignee) International Business Machines Corp

John W. Decker, James C. King, Ray A. Larner, Jeffrey B. Lotspiech
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access (top edge) to the NAD , the NAD server including computer executable instructions (memory location) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4745560A
CLAIM 1
. A method of printing on a sheet having top , bottom , left and right edges , and having a right edge to left edge width dimension (W) , and a top edge (network access, filtering means, network stack) to bottom edge height dimension (H) , the sheet containing W-times-H individually printable areas (PELS) which may be either printed in a color or left uncolored , using an all-pels-addressable (APA) printer , and the printer feeding the sheet through a print station with the sheet's top edge as the leading edge , comprising : providing a page memory having at least W-times-H PEL memory locations (executable instructions) , and a cursor which is movable within said page memory , the cursor's position being identified by W and H dimensions within said page memory , and the cursor's position identifying an individual PEL area on said sheet and a corresponding PEL memory location is said page memory , the binary number content of said page memory location determining whether the corresponding sheet PEL area will be colored or left uncolored ;
providing a source of print fonts , each font having a unique font identifying number , and each font comprising a plurality of characters , each character being defined by h parallel raster scan lines , each raster scan line being w PELs long , and each individual PEL containing a binary bit , the multiplicity of binary bits in the multiplicity of raster lines defining the character , the character also having (a) a unique character identifying number , (b) a rectangular character box of h-times-w PEL areas , said character box having h raster scan lines , each of w-PEL length , and containing within said character box the binary content of the raster scan lines defining the character's image , (c) an L/T number defining the number of PELS which exist between the left edge of its character box and the location of the starting cursor position for the character , (d) and R/B number defining the number of PELS which exist between the right edge of its character box and the location of the ending cursor position for the character , and (e) a cursor line (CL) offset number defining the number of PELS which exist between the top edge of its character box and the location of a cursor line which connects the character's starting cursor position and its ending cursor position , composing a page to be printed by defining a font whose characters may be loaded into page memory to compose a page image , loading selected characters from said font into said page memory in accordance with the character's L/T , R/B and CL numbers , whereupon each ending cursor position for a character becomes the starting cursor position for the next character , and the cursor lines of all characters are aligned to define scan lines within said page memory ;
and scanning the memory locations of said page memory , while applying the resulting binary content of each of said memory locations to said print station , as said printer prints corresponding PEL areas of said sheet .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (top edge) to the NAD from a plurality of network clients having different operating systems .
US4745560A
CLAIM 1
. A method of printing on a sheet having top , bottom , left and right edges , and having a right edge to left edge width dimension (W) , and a top edge (network access, filtering means, network stack) to bottom edge height dimension (H) , the sheet containing W-times-H individually printable areas (PELS) which may be either printed in a color or left uncolored , using an all-pels-addressable (APA) printer , and the printer feeding the sheet through a print station with the sheet's top edge as the leading edge , comprising : providing a page memory having at least W-times-H PEL memory locations , and a cursor which is movable within said page memory , the cursor's position being identified by W and H dimensions within said page memory , and the cursor's position identifying an individual PEL area on said sheet and a corresponding PEL memory location is said page memory , the binary number content of said page memory location determining whether the corresponding sheet PEL area will be colored or left uncolored ;
providing a source of print fonts , each font having a unique font identifying number , and each font comprising a plurality of characters , each character being defined by h parallel raster scan lines , each raster scan line being w PELs long , and each individual PEL containing a binary bit , the multiplicity of binary bits in the multiplicity of raster lines defining the character , the character also having (a) a unique character identifying number , (b) a rectangular character box of h-times-w PEL areas , said character box having h raster scan lines , each of w-PEL length , and containing within said character box the binary content of the raster scan lines defining the character's image , (c) an L/T number defining the number of PELS which exist between the left edge of its character box and the location of the starting cursor position for the character , (d) and R/B number defining the number of PELS which exist between the right edge of its character box and the location of the ending cursor position for the character , and (e) a cursor line (CL) offset number defining the number of PELS which exist between the top edge of its character box and the location of a cursor line which connects the character's starting cursor position and its ending cursor position , composing a page to be printed by defining a font whose characters may be loaded into page memory to compose a page image , loading selected characters from said font into said page memory in accordance with the character's L/T , R/B and CL numbers , whereupon each ending cursor position for a character becomes the starting cursor position for the next character , and the cursor lines of all characters are aligned to define scan lines within said page memory ;
and scanning the memory locations of said page memory , while applying the resulting binary content of each of said memory locations to said print station , as said printer prints corresponding PEL areas of said sheet .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (top edge) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US4745560A
CLAIM 10
. The method of claim 1 including the steps of : selecting one of four possible page orientations whereby said printer will print the PEL content of said page memory onto said sheet , the four orientations being : (a) portrait , wherein the sheet's top edge (network access, filtering means, network stack) is the top of the image to be printed , (b) portrait upside-down , wherein the sheet's bottom edge is the top of the image to be printed , (c) landscape left , wherein the sheet's left edge is the top of the image to be printed , and (d) landscape right , wherein the sheet's right edge is the top of the image to be printed , indicating which of said fonts shall be an active font , providing a font memory and loading at least said active font into said font memory , selecting a character from a font in said font memory as a character to be loaded into said page memory , and sensing which of said four orientations has been selected , and rotating said active font in said font memory corresponding to said selected orientation , and loading said selected character from said font memory into said page memory in an orientation in accordance with the selected orientation .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (top edge) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4745560A
CLAIM 10
. The method of claim 1 including the steps of : selecting one of four possible page orientations whereby said printer will print the PEL content of said page memory onto said sheet , the four orientations being : (a) portrait , wherein the sheet's top edge (network access, filtering means, network stack) is the top of the image to be printed , (b) portrait upside-down , wherein the sheet's bottom edge is the top of the image to be printed , (c) landscape left , wherein the sheet's left edge is the top of the image to be printed , and (d) landscape right , wherein the sheet's right edge is the top of the image to be printed , indicating which of said fonts shall be an active font , providing a font memory and loading at least said active font into said font memory , selecting a character from a font in said font memory as a character to be loaded into said page memory , and sensing which of said four orientations has been selected , and rotating said active font in said font memory corresponding to said selected orientation , and loading said selected character from said font memory into said page memory in an orientation in accordance with the selected orientation .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access (top edge) to the NAD .
US4745560A
CLAIM 10
. The method of claim 1 including the steps of : selecting one of four possible page orientations whereby said printer will print the PEL content of said page memory onto said sheet , the four orientations being : (a) portrait , wherein the sheet's top edge (network access, filtering means, network stack) is the top of the image to be printed , (b) portrait upside-down , wherein the sheet's bottom edge is the top of the image to be printed , (c) landscape left , wherein the sheet's left edge is the top of the image to be printed , and (d) landscape right , wherein the sheet's right edge is the top of the image to be printed , indicating which of said fonts shall be an active font , providing a font memory and loading at least said active font into said font memory , selecting a character from a font in said font memory as a character to be loaded into said page memory , and sensing which of said four orientations has been selected , and rotating said active font in said font memory corresponding to said selected orientation , and loading said selected character from said font memory into said page memory in an orientation in accordance with the selected orientation .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (top edge) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US4745560A
CLAIM 10
. The method of claim 1 including the steps of : selecting one of four possible page orientations whereby said printer will print the PEL content of said page memory onto said sheet , the four orientations being : (a) portrait , wherein the sheet's top edge (network access, filtering means, network stack) is the top of the image to be printed , (b) portrait upside-down , wherein the sheet's bottom edge is the top of the image to be printed , (c) landscape left , wherein the sheet's left edge is the top of the image to be printed , and (d) landscape right , wherein the sheet's right edge is the top of the image to be printed , indicating which of said fonts shall be an active font , providing a font memory and loading at least said active font into said font memory , selecting a character from a font in said font memory as a character to be loaded into said page memory , and sensing which of said four orientations has been selected , and rotating said active font in said font memory corresponding to said selected orientation , and loading said selected character from said font memory into said page memory in an orientation in accordance with the selected orientation .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (top edge) to the NAD is only available through the server .
US4745560A
CLAIM 10
. The method of claim 1 including the steps of : selecting one of four possible page orientations whereby said printer will print the PEL content of said page memory onto said sheet , the four orientations being : (a) portrait , wherein the sheet's top edge (network access, filtering means, network stack) is the top of the image to be printed , (b) portrait upside-down , wherein the sheet's bottom edge is the top of the image to be printed , (c) landscape left , wherein the sheet's left edge is the top of the image to be printed , and (d) landscape right , wherein the sheet's right edge is the top of the image to be printed , indicating which of said fonts shall be an active font , providing a font memory and loading at least said active font into said font memory , selecting a character from a font in said font memory as a character to be loaded into said page memory , and sensing which of said four orientations has been selected , and rotating said active font in said font memory corresponding to said selected orientation , and loading said selected character from said font memory into said page memory in an orientation in accordance with the selected orientation .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (top edge) includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US4745560A
CLAIM 10
. The method of claim 1 including the steps of : selecting one of four possible page orientations whereby said printer will print the PEL content of said page memory onto said sheet , the four orientations being : (a) portrait , wherein the sheet's top edge (network access, filtering means, network stack) is the top of the image to be printed , (b) portrait upside-down , wherein the sheet's bottom edge is the top of the image to be printed , (c) landscape left , wherein the sheet's left edge is the top of the image to be printed , and (d) landscape right , wherein the sheet's right edge is the top of the image to be printed , indicating which of said fonts shall be an active font , providing a font memory and loading at least said active font into said font memory , selecting a character from a font in said font memory as a character to be loaded into said page memory , and sensing which of said four orientations has been selected , and rotating said active font in said font memory corresponding to said selected orientation , and loading said selected character from said font memory into said page memory in an orientation in accordance with the selected orientation .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (first location) , and a video codec .
US4745560A
CLAIM 7
. The method of claim 6 including the steps of providing a cursor register , and saving a first location (storage device) of the page map cursor in said register prior to moving said cursor to a different location , such that said cursor may be subsequently restored to said first page map location .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (top edge) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US4745560A
CLAIM 10
. The method of claim 1 including the steps of : selecting one of four possible page orientations whereby said printer will print the PEL content of said page memory onto said sheet , the four orientations being : (a) portrait , wherein the sheet's top edge (network access, filtering means, network stack) is the top of the image to be printed , (b) portrait upside-down , wherein the sheet's bottom edge is the top of the image to be printed , (c) landscape left , wherein the sheet's left edge is the top of the image to be printed , and (d) landscape right , wherein the sheet's right edge is the top of the image to be printed , indicating which of said fonts shall be an active font , providing a font memory and loading at least said active font into said font memory , selecting a character from a font in said font memory as a character to be loaded into said page memory , and sensing which of said four orientations has been selected , and rotating said active font in said font memory corresponding to said selected orientation , and loading said selected character from said font memory into said page memory in an orientation in accordance with the selected orientation .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (top edge) is further configured to carry out the filtering at an application layer of a network stack (top edge) .
US4745560A
CLAIM 10
. The method of claim 1 including the steps of : selecting one of four possible page orientations whereby said printer will print the PEL content of said page memory onto said sheet , the four orientations being : (a) portrait , wherein the sheet's top edge (network access, filtering means, network stack) is the top of the image to be printed , (b) portrait upside-down , wherein the sheet's bottom edge is the top of the image to be printed , (c) landscape left , wherein the sheet's left edge is the top of the image to be printed , and (d) landscape right , wherein the sheet's right edge is the top of the image to be printed , indicating which of said fonts shall be an active font , providing a font memory and loading at least said active font into said font memory , selecting a character from a font in said font memory as a character to be loaded into said page memory , and sensing which of said four orientations has been selected , and rotating said active font in said font memory corresponding to said selected orientation , and loading said selected character from said font memory into said page memory in an orientation in accordance with the selected orientation .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (first location) , and a video codec .
US4745560A
CLAIM 7
. The method of claim 6 including the steps of providing a cursor register , and saving a first location (storage device) of the page map cursor in said register prior to moving said cursor to a different location , such that said cursor may be subsequently restored to said first page map location .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
EP0177210A1

Filed: 1985-09-13     Issued: 1986-04-09

Electric circuit testing equipment

(Original Assignee) GEC Avionics Ltd; GEC Marconi Ltd     (Current Assignee) BAE Systems Electronics Ltd

Frederick John Wixley
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server (point a) disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (integrated circuit package, input signal) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
EP0177210A1
CLAIM 1
. An electric circuit testing equipment comprising at least one signal pick-up probe unit (25 , 41 or 105) adapted to be coupled with a selected point of a circuit to be tested (23) and means (31) utilising an output signal derived from the probe unit for test purposes characterised in that the probe unit (25 , 41 or 105) is adapted to be capacitively coupled with said selected point (NAD server) and said output signal is derived from said probe unit (25 , 41 or 105) by signal conditioning circuit means (R2 , C2 , and 47 to 61 or 121 to 127 and 49 to 61) responsive to the signals picked up by the probe unit (25 , 41 or 105) to produce an output signal corresponding only to signals picked up by the probe unit (25 , 41 or 105) from said selected point .

EP0177210A1
CLAIM 3
An equipment according to Claim 2 wherein said circuit means comprises: means (R2, C2) for differentiating the signals picked up by the probe unit;
comparator means (49, 51) for producing an output in response to each excursion in an input signal (network destination) derived from the differentiated signals beyond a first threshold value of a first polarity or beyond a second threshold value of the opposite polarity to but substantially the same magnitude as the first threshold value;
and flip-flop means (60) responsive to the output of the comparator means.

EP0177210A1
CLAIM 8
An equipment according to any one of Claims 1 to 5 wherein said probe unit (25, 41 or 105) forms part of a multi-test probe unit adapted to pick up simultaneously the signals appearing on the leads of an integrated circuit package (network destination) (23), said multi-test probe unit comprising: a body portion (61) of electrically insulating material including a wall portion (63) disposed on a side of a cavity (65) adapted to receive the package with a line of leads (71) of the package (23) facing said wall portion (63);
a plurality of bores (69) within said wall portion (63) disposed in parallel spaced relationship corresponding to the spaced relationship of the leads of the adjacent line of leads (71) of the package (23);
and extending along each bore a coaxial conductor pair (73, 91) the outer conductor (73) of which is removed at the extremity of the pair adjacent said cavity (65) over a region adjacent and substantially centred on the corresponding lead (71) of the package (23).

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server (point a) comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems.
EP0177210A1
CLAIM 1
An electric circuit testing equipment comprising at least one signal pick-up probe unit (25, 41 or 105) adapted to be coupled with a selected point of a circuit to be tested (23) and means (31) utilising an output signal derived from the probe unit for test purposes characterised in that the probe unit (25, 41 or 105) is adapted to be capacitively coupled with said selected point (NAD server) and said output signal is derived from said probe unit (25, 41 or 105) by signal conditioning circuit means (R2, C2, and 47 to 61 or 121 to 127 and 49 to 61) responsive to the signals picked up by the probe unit (25, 41 or 105) to produce an output signal corresponding only to signals picked up by the probe unit (25, 41 or 105) from said selected point.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (integrated circuit package, input signal), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
EP0177210A1
CLAIM 3
An equipment according to Claim 2 wherein said circuit means comprises: means (R2, C2) for differentiating the signals picked up by the probe unit;
comparator means (49, 51) for producing an output in response to each excursion in an input signal (network destination) derived from the differentiated signals beyond a first threshold value of a first polarity or beyond a second threshold value of the opposite polarity to but substantially the same magnitude as the first threshold value;
and flip-flop means (60) responsive to the output of the comparator means.

EP0177210A1
CLAIM 8
An equipment according to any one of Claims 1 to 5 wherein said probe unit (25, 41 or 105) forms part of a multi-test probe unit adapted to pick up simultaneously the signals appearing on the leads of an integrated circuit package (network destination) (23), said multi-test probe unit comprising: a body portion (61) of electrically insulating material including a wall portion (63) disposed on a side of a cavity (65) adapted to receive the package with a line of leads (71) of the package (23) facing said wall portion (63);
a plurality of bores (69) within said wall portion (63) disposed in parallel spaced relationship corresponding to the spaced relationship of the leads of the adjacent line of leads (71) of the package (23);
and extending along each bore a coaxial conductor pair (73, 91) the outer conductor (73) of which is removed at the extremity of the pair adjacent said cavity (65) over a region adjacent and substantially centred on the corresponding lead (71) of the package (23).

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit;

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (integrated circuit package, input signal), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
EP0177210A1
CLAIM 3
An equipment according to Claim 2 wherein said circuit means comprises: means (R2, C2) for differentiating the signals picked up by the probe unit;
comparator means (49, 51) for producing an output in response to each excursion in an input signal (network destination) derived from the differentiated signals beyond a first threshold value of a first polarity or beyond a second threshold value of the opposite polarity to but substantially the same magnitude as the first threshold value;
and flip-flop means (60) responsive to the output of the comparator means.

EP0177210A1
CLAIM 8
An equipment according to any one of Claims 1 to 5 wherein said probe unit (25, 41 or 105) forms part of a multi-test probe unit adapted to pick up simultaneously the signals appearing on the leads of an integrated circuit package (network destination) (23), said multi-test probe unit comprising: a body portion (61) of electrically insulating material including a wall portion (63) disposed on a side of a cavity (65) adapted to receive the package with a line of leads (71) of the package (23) facing said wall portion (63);
a plurality of bores (69) within said wall portion (63) disposed in parallel spaced relationship corresponding to the spaced relationship of the leads of the adjacent line of leads (71) of the package (23);
and extending along each bore a coaxial conductor pair (73, 91) the outer conductor (73) of which is removed at the extremity of the pair adjacent said cavity (65) over a region adjacent and substantially centred on the corresponding lead (71) of the package (23).

US7739302B2
CLAIM 22
An apparatus, comprising: means for receiving requests over a network for access to a network attached device (NAD), the requests originating one of within the network and external thereto, at least one of the requests having passed into the network through a firewall;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source, an IP address of a network destination (integrated circuit package, input signal), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall.
EP0177210A1
CLAIM 3
An equipment according to Claim 2 wherein said circuit means comprises: means (R2, C2) for differentiating the signals picked up by the probe unit;
comparator means (49, 51) for producing an output in response to each excursion in an input signal (network destination) derived from the differentiated signals beyond a first threshold value of a first polarity or beyond a second threshold value of the opposite polarity to but substantially the same magnitude as the first threshold value;
and flip-flop means (60) responsive to the output of the comparator means.

EP0177210A1
CLAIM 8
An equipment according to any one of Claims 1 to 5 wherein said probe unit (25, 41 or 105) forms part of a multi-test probe unit adapted to pick up simultaneously the signals appearing on the leads of an integrated circuit package (network destination) (23), said multi-test probe unit comprising: a body portion (61) of electrically insulating material including a wall portion (63) disposed on a side of a cavity (65) adapted to receive the package with a line of leads (71) of the package (23) facing said wall portion (63);
a plurality of bores (69) within said wall portion (63) disposed in parallel spaced relationship corresponding to the spaced relationship of the leads of the adjacent line of leads (71) of the package (23);
and extending along each bore a coaxial conductor pair (73, 91) the outer conductor (73) of which is removed at the extremity of the pair adjacent said cavity (65) over a region adjacent and substantially centred on the corresponding lead (71) of the package (23).

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4727243A

Filed: 1984-10-24     Issued: 1988-02-23

Financial transaction system

(Original Assignee) TELENET COMMUNICATIONS CORP     (Current Assignee) Sprint International Communications Corp

Eugene Savar
US7739302B2
CLAIM 1
A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

a NAD server disposed between the network client and the NAD, the NAD server being configured to electronically communicate with the NAD over a connection, the NAD server being further configured to receive a request contained in a data packet for network access (respective point) to the NAD, the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (authorization information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to: determine whether the received request for network access to the NAD is authorized;

and provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.
US4727243A
CLAIM 1
A financial transaction system, for processing data representing a series of transactions requiring authorization from a credit agency which maintains a data base containing information for designating approval or denial of credit transactions, said system comprising: means for entering the data representing each of said series of transactions into the system for authorization, and for journaling at least the data relating to financial amount of each of the transactions entered;
means in association with said data base for accessing said data base responsive to data representing an operative transaction among data representing the series of transactions entered;
means in association with said data base for receiving authorization information (network destination) from said data base in response to said accessing, and for displaying said authorization information as part of said processing;
and means for capturing journalled data representing complete and incomplete transactions among said series of transactions, for tallying only journalled data representing complete transactions among said series of transactions over a predetermined interval of time as another part of said processing and for closing out the tallied data in preparation for journalling new data over the next predetermined interval of time.

US4727243A
CLAIM 28
Apparatus for processing financial transactions representing prospective purchases of goods and services for which authorization is dependent on current status of customer credit and/or checking account information contained in data bases from which such authorization may be approved or denied, said apparatus comprising point of sale terminal means for entering data identifying the prospective customer and transaction, central processing means communicating with said point of sale terminal means, for accessing said data bases to obtain information as to whether authorization for the respective transaction is approved or denied and for furnishing same to said point of sale terminal means, means responsive to said accessed authorization information for compiling and storing data representing successive approved transactions respectively entered from each said point of sale terminal means over a predetermined time interval, and means responsive to instructional data entered from a respective point (network access, providing network access) of sale terminal means, for reconciling data representing approved transactions compiled in said data storing means over said predetermined time interval from said respective point of sale terminal means, and responsive to reconciliation for authorizing payment for the transactions covered thereby.

US7739302B2
CLAIM 2
The network arrangement of claim 1, wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (respective point) to the NAD from a plurality of network clients having different operating systems.
US4727243A
CLAIM 28
Apparatus for processing financial transactions representing prospective purchases of goods and services for which authorization is dependent on current status of customer credit and/or checking account information contained in data bases from which such authorization may be approved or denied, said apparatus comprising point of sale terminal means for entering data identifying the prospective customer and transaction, central processing means communicating with said point of sale terminal means, for accessing said data bases to obtain information as to whether authorization for the respective transaction is approved or denied and for furnishing same to said point of sale terminal means, means responsive to said accessed authorization information for compiling and storing data representing successive approved transactions respectively entered from each said point of sale terminal means over a predetermined time interval, and means responsive to instructional data entered from a respective point (network access, providing network access) of sale terminal means, for reconciling data representing approved transactions compiled in said data storing means over said predetermined time interval from said respective point of sale terminal means, and responsive to reconciliation for authorizing payment for the transactions covered thereby.

US7739302B2
CLAIM 4
The network arrangement of claim 1, wherein the step of determining whether the request for network access (respective point) to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete, the information relating to at least one of the network source, destination, and route of the data packet.
US4727243A
CLAIM 28
Apparatus for processing financial transactions representing prospective purchases of goods and services for which authorization is dependent on current status of customer credit and/or checking account information contained in data bases from which such authorization may be approved or denied, said apparatus comprising point of sale terminal means for entering data identifying the prospective customer and transaction, central processing means communicating with said point of sale terminal means, for accessing said data bases to obtain information as to whether authorization for the respective transaction is approved or denied and for furnishing same to said point of sale terminal means, means responsive to said accessed authorization information for compiling and storing data representing successive approved transactions respectively entered from each said point of sale terminal means over a predetermined time interval, and means responsive to instructional data entered from a respective point (network access, providing network access) of sale terminal means, for reconciling data representing approved transactions compiled in said data storing means over said predetermined time interval from said respective point of sale terminal means, and responsive to reconciliation for authorizing payment for the transactions covered thereby.

US7739302B2
CLAIM 5
A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network, the NAD comprising:

a data management component, and an internal firewall management component, the internal firewall management component being configured to receive a plurality of requests for network access (respective point) to the NAD from the network client and, for each of the plurality of requests, to determine, independently of a firewall external to the NAD, whether the request for network access to the NAD is authorized, wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header, and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source, a destination, and a route of the data packet, wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component, and wherein at least some of the plurality of requests originate from within the network without passing through the firewall.
US4727243A
CLAIM 28
Apparatus for processing financial transactions representing prospective purchases of goods and services for which authorization is dependent on current status of customer credit and/or checking account information contained in data bases from which such authorization may be approved or denied, said apparatus comprising point of sale terminal means for entering data identifying the prospective customer and transaction, central processing means communicating with said point of sale terminal means, for accessing said data bases to obtain information as to whether authorization for the respective transaction is approved or denied and for furnishing same to said point of sale terminal means, means responsive to said accessed authorization information for compiling and storing data representing successive approved transactions respectively entered from each said point of sale terminal means over a predetermined time interval, and means responsive to instructional data entered from a respective point (network access, providing network access) of sale terminal means, for reconciling data representing approved transactions compiled in said data storing means over said predetermined time interval from said respective point of sale terminal means, and responsive to reconciliation for authorizing payment for the transactions covered thereby.

US7739302B2
CLAIM 9
The network arrangement of claim 5, wherein the internal firewall management component is further configured to: determine whether the header contains information identifying a proper port of the NAD;

pass the data packet to the proper port;

and at the proper port, provide the requested network access (respective point) to the NAD.
US4727243A
CLAIM 28
Apparatus for processing financial transactions representing prospective purchases of goods and services for which authorization is dependent on current status of customer credit and/or checking account information contained in data bases from which such authorization may be approved or denied, said apparatus comprising point of sale terminal means for entering data identifying the prospective customer and transaction, central processing means communicating with said point of sale terminal means, for accessing said data bases to obtain information as to whether authorization for the respective transaction is approved or denied and for furnishing same to said point of sale terminal means, means responsive to said accessed authorization information for compiling and storing data representing successive approved transactions respectively entered from each said point of sale terminal means over a predetermined time interval, and means responsive to instructional data entered from a respective point (network access, providing network access) of sale terminal means, for reconciling data representing approved transactions compiled in said data storing means over said predetermined time interval from said respective point of sale terminal means, and responsive to reconciliation for authorizing payment for the transactions covered thereby.

US7739302B2
CLAIM 10
A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network, the apparatus comprising: means for receiving at least one request for network access (respective point) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source, an IP address of a network destination (authorization information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized, wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall.
US4727243A
CLAIM 1
A financial transaction system, for processing data representing a series of transactions requiring authorization from a credit agency which maintains a data base containing information for designating approval or denial of credit transactions, said system comprising: means for entering the data representing each of said series of transactions into the system for authorization, and for journaling at least the data relating to financial amount of each of the transactions entered;
means in association with said data base for accessing said data base responsive to data representing an operative transaction among data representing the series of transactions entered;
means in association with said data base for receiving authorization information (network destination) from said data base in response to said accessing, and for displaying said authorization information as part of said processing;
and means for capturing journalled data representing complete and incomplete transactions among said series of transactions, for tallying only journalled data representing complete transactions among said series of transactions over a predetermined interval of time as another part of said processing and for closing out the tallied data in preparation for journalling new data over the next predetermined interval of time.

US4727243A
CLAIM 28
Apparatus for processing financial transactions representing prospective purchases of goods and services for which authorization is dependent on current status of customer credit and/or checking account information contained in data bases from which such authorization may be approved or denied, said apparatus comprising point of sale terminal means for entering data identifying the prospective customer and transaction, central processing means communicating with said point of sale terminal means, for accessing said data bases to obtain information as to whether authorization for the respective transaction is approved or denied and for furnishing same to said point of sale terminal means, means responsive to said accessed authorization information for compiling and storing data representing successive approved transactions respectively entered from each said point of sale terminal means over a predetermined time interval, and means responsive to instructional data entered from a respective point (network access, providing network access) of sale terminal means, for reconciling data representing approved transactions compiled in said data storing means over said predetermined time interval from said respective point of sale terminal means, and responsive to reconciliation for authorizing payment for the transactions covered thereby.

US7739302B2
CLAIM 11
The system of claim 10, wherein the apparatus includes a server coupled to the NAD and wherein network access (respective point) to the NAD is only available through the server.
US4727243A
CLAIM 28
Apparatus for processing financial transactions representing prospective purchases of goods and services for which authorization is dependent on current status of customer credit and/or checking account information contained in data bases from which such authorization may be approved or denied, said apparatus comprising point of sale terminal means for entering data identifying the prospective customer and transaction, central processing means communicating with said point of sale terminal means, for accessing said data bases to obtain information as to whether authorization for the respective transaction is approved or denied and for furnishing same to said point of sale terminal means, means responsive to said accessed authorization information for compiling and storing data representing successive approved transactions respectively entered from each said point of sale terminal means over a predetermined time interval, and means responsive to instructional data entered from a respective point (network access, providing network access) of sale terminal means, for reconciling data representing approved transactions compiled in said data storing means over said predetermined time interval from said respective point of sale terminal means, and responsive to reconciliation for authorizing payment for the transactions covered thereby.

US7739302B2
CLAIM 12
An apparatus, comprising: a processing unit (data capture);

a network interface coupled to the processing unit and to a network;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device;

and a memory coupled to the processing unit and storing instructions that, upon execution, cause the processing unit to: determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet containing the request for network access (respective point) includes at least one of an IP address of a network source, an IP address of a network destination (authorization information), and a route of the data packet, the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet;

deny requests for access to the directly attached device that are determined to be unauthorized;

allow requests for access to the directly attached device that are determined to be authorized, wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall.
US4727243A
CLAIM 1
A financial transaction system, for processing data representing a series of transactions requiring authorization from a credit agency which maintains a data base containing information for designating approval or denial of credit transactions, said system comprising: means for entering the data representing each of said series of transactions into the system for authorization, and for journaling at least the data relating to financial amount of each of the transactions entered;
means in association with said data base for accessing said data base responsive to data representing an operative transaction among data representing the series of transactions entered;
means in association with said data base for receiving authorization information (network destination) from said data base in response to said accessing, and for displaying said authorization information as part of said processing;
and means for capturing journalled data representing complete and incomplete transactions among said series of transactions, for tallying only journalled data representing complete transactions among said series of transactions over a predetermined interval of time as another part of said processing and for closing out the tallied data in preparation for journalling new data over the next predetermined interval of time.

US4727243A
CLAIM 27
. A method for processing a series of financial transactions requiring authorization from a credit agency which maintains a data base containing information regarding the approval and denial of credit transactions , said method comprising the steps of : entering digital data representative of each of said series of transactions as each transaction occurs , over a predetermined period of time , into an electronic system communicating with said data base , journalling at least a part of the data representative of each of the transactions entered , accessing said data base upon entry of data representative of each operative transaction forming part of the series of transactions entered , to elicit information from said data base as to whether the respective operative transaction represented by the entered data is approved or denied , displaying the elicited information respecting each operative transaction as part of said processing , within the time interval required for accessing and eliciting said information from said data base immediately following entry of data representative of the respective operative transaction , capturing entered data representative of both complete and incomplete transactions among said journalled series of transactions , tallying only the captured data representative of said complete transactions , and reconciling all of the data captured (processing unit) over said predetermined period of time as another part of said processing , and eliminating the data captured over said predetermined period of time by distribution thereof together with indicia representative of the source of said transactions through said system to the respective data base for automatic authorization of payment to said source for approved completed transactions represented among the distributed captured data , in preparation for entry of data representative of new transactions into said system over the next predetermined period of time .

US4727243A
CLAIM 28
. Apparatus for processing financial transactions representing prospective purchases of goods and services for which authorization is dependent on current status of customer credit and/or checking account information contained in data bases from which such authorization may be approved or denied , said apparatus comprising point of sale terminal means for entering data identifying the prospective customer and transaction , central processing means communicating with said point of sale terminal means , for accessing said data bases to obtain information as to whether authorization for the respective transaction is approved or denied and for furnishing same to said point of sale terminal means , means responsive to said accessed authorization information for compiling and storing data representing successive approved transactions respectively entered from each said point of sale terminal means over a predetermined time interval , and means responsive to instructional data entered from a respective point (network access, providing network access) of sale terminal means , for reconciling data representing approved transactions compiled in said data storing means over said predetermined time interval from said respective point of sale terminal means , and responsive to reconciliation for authorizing payment for the transactions covered thereby .

US7739302B2
CLAIM 13
. The apparatus of claim 12 wherein the instructions , when executed , further cause the processing unit (data capture) to determine whether each packet arrived via an authorized network interface .
US4727243A
CLAIM 27
. A method for processing a series of financial transactions requiring authorization from a credit agency which maintains a data base containing information regarding the approval and denial of credit transactions , said method comprising the steps of : entering digital data representative of each of said series of transactions as each transaction occurs , over a predetermined period of time , into an electronic system communicating with said data base , journalling at least a part of the data representative of each of the transactions entered , accessing said data base upon entry of data representative of each operative transaction forming part of the series of transactions entered , to elicit information from said data base as to whether the respective operative transaction represented by the entered data is approved or denied , displaying the elicited information respecting each operative transaction as part of said processing , within the time interval required for accessing and eliciting said information from said data base immediately following entry of data representative of the respective operative transaction , capturing entered data representative of both complete and incomplete transactions among said journalled series of transactions , tallying only the captured data representative of said complete transactions , and reconciling all of the data captured (processing unit) over said predetermined period of time as another part of said processing , and eliminating the data captured over said predetermined period of time by distribution thereof together with indicia representative of the source of said transactions through said system to the respective data base for automatic authorization of payment to said source for approved completed transactions represented among the distributed captured data , in preparation for entry of data representative of new transactions into said system over the next predetermined period of time .

US7739302B2
CLAIM 14
. The apparatus of claim 13 , wherein the instructions , when executed , cause the processing unit (data capture) to determine whether each packet contains an unauthorized IP address .
US4727243A
CLAIM 27
. A method for processing a series of financial transactions requiring authorization from a credit agency which maintains a data base containing information regarding the approval and denial of credit transactions , said method comprising the steps of : entering digital data representative of each of said series of transactions as each transaction occurs , over a predetermined period of time , into an electronic system communicating with said data base , journalling at least a part of the data representative of each of the transactions entered , accessing said data base upon entry of data representative of each operative transaction forming part of the series of transactions entered , to elicit information from said data base as to whether the respective operative transaction represented by the entered data is approved or denied , displaying the elicited information respecting each operative transaction as part of said processing , within the time interval required for accessing and eliciting said information from said data base immediately following entry of data representative of the respective operative transaction , capturing entered data representative of both complete and incomplete transactions among said journalled series of transactions , tallying only the captured data representative of said complete transactions , and reconciling all of the data captured (processing unit) over said predetermined period of time as another part of said processing , and eliminating the data captured over said predetermined period of time by distribution thereof together with indicia representative of the source of said transactions through said system to the respective data base for automatic authorization of payment to said source for approved completed transactions represented among the distributed captured data , in preparation for entry of data representative of new transactions into said system over the next predetermined period of time .

US7739302B2
CLAIM 15
. The apparatus of claim 13 , wherein the instructions , when executed , enable the processing unit (data capture) to selectively generate a packet for communication to an intermediary computing device , the selectively generated packet containing the request for access to the directly attached device .
US4727243A
CLAIM 27
. A method for processing a series of financial transactions requiring authorization from a credit agency which maintains a data base containing information regarding the approval and denial of credit transactions , said method comprising the steps of : entering digital data representative of each of said series of transactions as each transaction occurs , over a predetermined period of time , into an electronic system communicating with said data base , journalling at least a part of the data representative of each of the transactions entered , accessing said data base upon entry of data representative of each operative transaction forming part of the series of transactions entered , to elicit information from said data base as to whether the respective operative transaction represented by the entered data is approved or denied , displaying the elicited information respecting each operative transaction as part of said processing , within the time interval required for accessing and eliciting said information from said data base immediately following entry of data representative of the respective operative transaction , capturing entered data representative of both complete and incomplete transactions among said journalled series of transactions , tallying only the captured data representative of said complete transactions , and reconciling all of the data captured (processing unit) over said predetermined period of time as another part of said processing , and eliminating the data captured over said predetermined period of time by distribution thereof together with indicia representative of the source of said transactions through said system to the respective data base for automatic authorization of payment to said source for approved completed transactions represented among the distributed captured data , in preparation for entry of data representative of new transactions into said system over the next predetermined period of time .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit (data capture) to determine whether the requests contain information to gain access to a proper port over the directly attached device interface .
US4727243A
CLAIM 27
. A method for processing a series of financial transactions requiring authorization from a credit agency which maintains a data base containing information regarding the approval and denial of credit transactions , said method comprising the steps of : entering digital data representative of each of said series of transactions as each transaction occurs , over a predetermined period of time , into an electronic system communicating with said data base , journalling at least a part of the data representative of each of the transactions entered , accessing said data base upon entry of data representative of each operative transaction forming part of the series of transactions entered , to elicit information from said data base as to whether the respective operative transaction represented by the entered data is approved or denied , displaying the elicited information respecting each operative transaction as part of said processing , within the time interval required for accessing and eliciting said information from said data base immediately following entry of data representative of the respective operative transaction , capturing entered data representative of both complete and incomplete transactions among said journalled series of transactions , tallying only the captured data representative of said complete transactions , and reconciling all of the data captured (processing unit) over said predetermined period of time as another part of said processing , and eliminating the data captured over said predetermined period of time by distribution thereof together with indicia representative of the source of said transactions through said system to the respective data base for automatic authorization of payment to said source for approved completed transactions represented among the distributed captured data , in preparation for entry of data representative of new transactions into said system over the next predetermined period of time .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (new data) .
US4727243A
CLAIM 1
. A financial transaction system , for processing data representing a series of transactions requiring authorization from a credit agency which maintains a data base containing information for designating approval or denial of credit transactions , said system comprising : means for entering the data representing each of said series of transactions into the system for authorization , and for journaling at least the data relating to financial amount of each of the transactions entered ;
means in association with said data base for accessing said data base responsive to data representing an operative transaction among data representing the series of transactions entered ;
means in association with said data base for receiving authorization information from said data base in response to said accessing , and for displaying said authorization information as part of said processing ;
and means for capturing journalled data representing complete and incomplete transactions among said series of transactions , for tallying only journalled data representing complete transactions among said series of transactions over a predetermined interval of time as another part of said processing and for closing out the tallied data in preparation for journalling new data (SCSI interface) over the next predetermined interval of time .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (one terminal) , and a video codec .
US4727243A
CLAIM 2
. The system of claim 1 wherein said entering means comprises at least one terminal (storage device) means , and said accessing means comprises central processing means adapted for communication with said data base in communication with said terminal means .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US4727243A
CLAIM 1
. A financial transaction system , for processing data representing a series of transactions requiring authorization from a credit agency which maintains a data base containing information for designating approval or denial of credit transactions , said system comprising : means for entering the data representing each of said series of transactions into the system for authorization , and for journaling at least the data relating to financial amount of each of the transactions entered ;
means in association with said data base for accessing said data base responsive to data representing an operative transaction among data representing the series of transactions entered ;
means in association with said data base for receiving authorization information (network destination) from said data base in response to said accessing , and for displaying said authorization information as part of said processing ;
and means for capturing journalled data representing complete and incomplete transactions among said series of transactions , for tallying only journalled data representing complete transactions among said series of transactions over a predetermined interval of time as another part of said processing and for closing out the tallied data in preparation for journalling new data over the next predetermined interval of time .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (new data) .
US4727243A
CLAIM 1
. A financial transaction system , for processing data representing a series of transactions requiring authorization from a credit agency which maintains a data base containing information for designating approval or denial of credit transactions , said system comprising : means for entering the data representing each of said series of transactions into the system for authorization , and for journaling at least the data relating to financial amount of each of the transactions entered ;
means in association with said data base for accessing said data base responsive to data representing an operative transaction among data representing the series of transactions entered ;
means in association with said data base for receiving authorization information from said data base in response to said accessing , and for displaying said authorization information as part of said processing ;
and means for capturing journalled data representing complete and incomplete transactions among said series of transactions , for tallying only journalled data representing complete transactions among said series of transactions over a predetermined interval of time as another part of said processing and for closing out the tallied data in preparation for journalling new data (SCSI interface) over the next predetermined interval of time .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (one terminal) , and a video codec .
US4727243A
CLAIM 2
. The system of claim 1 wherein said entering means comprises at least one terminal (storage device) means , and said accessing means comprises central processing means adapted for communication with said data base in communication with said terminal means .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4654793A

Filed: 1984-10-15     Issued: 1987-03-31

System and method for registering and keeping track of the activities of attendees at a trade show, convention or the like

(Original Assignee) SHOWDATA Inc     (Current Assignee) SHOW DATA Inc ; SOUTHEASTERN REGISTRATION SERVICES A GENERAL PARTNERSHIP OF TX ; SOUTHWESTERN REGISTRATION SERVICES A CORP OF TX

Philip C. Elrod
US7739302B2
CLAIM 1
. A network arrangement (selected location) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said time) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4654793A
CLAIM 5
. The system according to claim 1 further including third storage means for storing said registration numbers assigned to the respective attendees in sequential numerical order , each registration number being assigned a discrete sector pointer code in said third storage means , and fourth storage means for storing registration information (network destination) for each attendee entered by said input means at a predetermined location in said fourth storage means corresponding to the particular sector pointer code assigned to the particular registration number corresponding to a particular attendee , registration information for each attendee being selectively retrievable from said fourth storage means by entering from said input means the corresponding registration number for that particular attendee .

US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .

US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 2
. The network arrangement (selected location) of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems .
US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 3
. The network arrangement (selected location) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 4
. The network arrangement (selected location) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said time) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .

US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 5
. A local area network arrangement (selected location) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said time) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .

US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 6
. The network arrangement (selected location) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said time) arrived via an authorized network interface .
US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .

US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 7
. The network arrangement (selected location) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 8
. The network arrangement (selected location) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 9
. The network arrangement (selected location) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said time) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .

US4654793A
CLAIM 9
. The system according to claim 8 wherein each of said attendees is furnished with a registration badge bearing his assigned bar-coded registration number and selected locations (network arrangement) at said trade show , convention or the like are provided with a hard copy of said second set of bar-coded information codes .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said time) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (registration information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US4654793A
CLAIM 5
. The system according to claim 1 further including third storage means for storing said registration numbers assigned to the respective attendees in sequential numerical order , each registration number being assigned a discrete sector pointer code in said third storage means , and fourth storage means for storing registration information (network destination) for each attendee entered by said input means at a predetermined location in said fourth storage means corresponding to the particular sector pointer code assigned to the particular registration number corresponding to a particular attendee , registration information for each attendee being selectively retrievable from said fourth storage means by entering from said input means the corresponding registration number for that particular attendee .

US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (said memory) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said time) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (registration information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US4654793A
CLAIM 5
. The system according to claim 1 further including third storage means for storing said registration numbers assigned to the respective attendees in sequential numerical order , each registration number being assigned a discrete sector pointer code in said third storage means , and fourth storage means for storing registration information (network destination) for each attendee entered by said input means at a predetermined location in said fourth storage means corresponding to the particular sector pointer code assigned to the particular registration number corresponding to a particular attendee , registration information for each attendee being selectively retrievable from said fourth storage means by entering from said input means the corresponding registration number for that particular attendee .

US4654793A
CLAIM 6
. In an electronic information processing system having memory means for storing information and processing means for processing said information , a method for registering attendees at a trade show , convention or the like , said method comprising the steps of : entering selected information relating to each attendee , said selected information including the name of each attendee and a predetermined code indicating whether or not a registration badge is to be printed for that particular attendee ;
storing the selected information entered by said input means in said memory means (storing instructions) ;
storing a predetermined number of sequential registration numbers to be assigned to the respective attendees in said memory means ;
retrieving said registration numbers in sequence from said memory means and assigning individual ones of said registration numbers in sequence to the respective attendees ;
determining the acceptability of each character of information entered and generating an error signal if a particular character is not an acceptable character for the corresponding position in a predetermined data entry format ;
and selectively printing a registration badge for each attendee for which the predetermined code corresponding to that particular attendee indicates that a registration badge is to be printed .

US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (registration information) , and a route of the data packet (said time) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said time) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US4654793A
CLAIM 5
. The system according to claim 1 further including third storage means for storing said registration numbers assigned to the respective attendees in sequential numerical order , each registration number being assigned a discrete sector pointer code in said third storage means , and fourth storage means for storing registration information (network destination) for each attendee entered by said input means at a predetermined location in said fourth storage means corresponding to the particular sector pointer code assigned to the particular registration number corresponding to a particular attendee , registration information for each attendee being selectively retrievable from said fourth storage means by entering from said input means the corresponding registration number for that particular attendee .

US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (storage units) is further configured to manage access over a SCSI interface .
US4654793A
CLAIM 13
. The system according to claim 12 wherein said system includes a plurality of information storage units (managing means) positioned at selected locations at said trade show , convention or the like for gathering and storing information relating to the activities of the attendees , each of said information storage units being assigned a unique identification number .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said time) is further configured to carry out the filtering at an application layer of a network stack .
US4654793A
CLAIM 7
. An electronic system for keeping track of selected activities of attendees at a trade show , convention or the like , comprising : means for providing a first set of information codes identifying the respective attendees ;
means for providing a second set of information codes representing selected inquiries and requests for information made by the attendees at the trade show , convention or the like ;
means for reading said first set of information codes and for generating a respective first set of electrical signals indicative thereof ;
means for reading selected ones of said second set of information codes corresponding to the inquiries and requests for information made by a particular attendee and generating a respective second set of electrical signals indicative thereof ;
timekeeping means for keeping track of time of day and date ;
processing means electrically coupled to said reading means and said timekeeping means (data packet, filtering means) for processing said first and second sets of electrical signals in accordance with a predetermined set of instructions ;
and memory means electrically coupled to said processing means for storing processed information , said processing means being responsive to timekeeping signals from said timekeeping means for storing in said memory means the time of day and date on which selected processed information is stored in said memory means .
US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4425618A

Filed: 1981-11-23     Issued: 1984-01-10

Method and apparatus for introducing program changes in program-controlled systems

(Original Assignee) Nokia Bell Labs     (Current Assignee) Nokia Bell Labs

Thomas P. Bishop, Susan J. Picus
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (said time) for network access to the NAD , the NAD server including computer executable instructions (memory location) that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4425618A
CLAIM 3
. The method in accordance with claim 1 in which said step of assigning comprises the step of storing said system sequence number in memory locations (executable instructions) associated with each of said processes .

US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (processor system) .
US4425618A
CLAIM 1
. In a program-controlled processor system (different operating, different operating systems) wherein processes are initiated and are executed by function calls to program functions stored in a program memory , a method of modifying said program functions during execution of said processes , said method comprising the steps of : generating a system sequence number ;
assigning the present value of said system sequence number to each of said processes as a process sequence number at the time of initiation ;
storing a modified version of a selected one of said program functions into said program memory while retaining a current version of said selected program function ;
recording a decision function sequence number , the value of said decision function sequence number being beyond the present value of any process sequence number in a given direction ;
changing said system sequence number in said given direction so that it reaches a value at least as far in said given direction as said decision function sequence number ;
and in response to a function call by a calling process to execute said selected function , executing said current version if the process sequence number of said calling process is before said decision function sequence number in said given direction , and executing said modified version if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (said time) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (said time) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (said time) arrived via an authorized network interface .
US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (said time) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (said time) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (said time) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (said time) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means (said time) determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means (said time) is further configured to carry out the filtering at an application layer of a network stack .
US4425618A
CLAIM 8
. In a program-controlled processor system wherein processes are initiated and executed by function calls to program functions stored in a program memory , means for modifying program functions during the execution of said processes , said means comprising : means for storing a system sequence number ;
means associated with each process for storing a process sequence number ;
means for storing a current version of a selected one of said program functions ;
means for storing a modified version of said selected one of said program functions ;
means for storing a decision function sequence number associated with said modified version ;
processor means , operative under the control of instructions stored therein to store said current version in said means for storing said current version , to store said modified version in said means for storing said modified version , to generate and store a quantity in said means for storing a system sequence number , to copy said system sequence number into said means for storing a process sequence number when the associated process is initiated , at the time said modified version is stored , to store in said means for storing a decision function sequence number a quantity whose value exceeds at said time (data packet, filtering means) said modified version is stored the value of any process sequence number in a given direction , to change said system sequence number so that it reaches a value at least as far in said given direction as said decision function sequence number , to initiate execution of said current version of said selected function in response to a function call by a calling process to said selected function if the process sequence number of said calling process is before said decision function sequence number in said given direction and to initiate execution of said modified version of said selected function in response to a function call by said calling process to said selected function if the process sequence number of said calling process is at least as far as said decision function sequence number in said given direction .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
GB2063532A

Filed: 1980-09-16     Issued: 1981-06-03

Data storage system for a computer

(Original Assignee) Oracle StorageTek     (Current Assignee) Oracle StorageTek

US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (interface units, second data) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data (data packet) buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

GB2063532A
CLAIM 7
. A method of storing digital data , comprising receiving the data in a main memory ;
determining appropriate storage locations on disk memory units ;
transmitting the data to disk interface units (data packet) associated with said disk memory units ;
and writing the data from the disk interface units on to the disk memory units .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access to the NAD from a plurality of network clients having different operating systems (disk interface) .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface (different operating systems) with a second data buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

US7739302B2
CLAIM 3
. The network arrangement of claim 1 , wherein the computer-executable instructions comprise distributed program modules (data buffer) .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer (program modules) for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (interface units, second data) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data (data packet) buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

GB2063532A
CLAIM 7
. A method of storing digital data , comprising receiving the data in a main memory ;
determining appropriate storage locations on disk memory units ;
transmitting the data to disk interface units (data packet) associated with said disk memory units ;
and writing the data from the disk interface units on to the disk memory units .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (interface units, second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data (data packet) buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

GB2063532A
CLAIM 7
. A method of storing digital data , comprising receiving the data in a main memory ;
determining appropriate storage locations on disk memory units ;
transmitting the data to disk interface units (data packet) associated with said disk memory units ;
and writing the data from the disk interface units on to the disk memory units .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (interface units, second data) arrived via an authorized network interface .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data (data packet) buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

GB2063532A
CLAIM 7
. A method of storing digital data , comprising receiving the data in a main memory ;
determining appropriate storage locations on disk memory units ;
transmitting the data to disk interface units (data packet) associated with said disk memory units ;
and writing the data from the disk interface units on to the disk memory units .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (interface units, second data) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data (data packet) buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

GB2063532A
CLAIM 7
. A method of storing digital data , comprising receiving the data in a main memory ;
determining appropriate storage locations on disk memory units ;
transmitting the data to disk interface units (data packet) associated with said disk memory units ;
and writing the data from the disk interface units on to the disk memory units .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (interface units, second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data (data packet) buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

GB2063532A
CLAIM 7
. A method of storing digital data , comprising receiving the data in a main memory ;
determining appropriate storage locations on disk memory units ;
transmitting the data to disk interface units (data packet) associated with said disk memory units ;
and writing the data from the disk interface units on to the disk memory units .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions (data cache) that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (interface units, second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data (data packet) buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

GB2063532A
CLAIM 2
. A data storage system for use in conjunction with one or more host computers and disk drives , comprising a data cache (storing instructions) , comprising a high-speed main memory unit , a number of host computer interfaces at least equal to the number of host computers , each comprising a local controller and interface means to couple the host computer interfaces to the host computer(s) and to the data cache , a number of disk drive interfaces , each comprising a local controller and interface means to couple the disk drive interfaces to associated disk drives and to the data cache , and a controller for coordinating the operation of the host computer interface stages , the disk drive interface stages , and the data cache .

GB2063532A
CLAIM 7
. A method of storing digital data , comprising receiving the data in a main memory ;
determining appropriate storage locations on disk memory units ;
transmitting the data to disk interface units (data packet) associated with said disk memory units ;
and writing the data from the disk interface units on to the disk memory units .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (interface units, second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
GB2063532A
CLAIM 1
. A data storage system for use with a host digital computer , comprising at least one host interface responsive to commands from the host computer for storing or accessing information arranged in serial form , the or each host interface comprising a first data buffer for storing data received from or directed to the host digital computer ;
a main memory ;
at least one disk storage unit comprising a plurality of disks adapted to store digital information thereon , the or each disk storage unit having an associated disk interface with a second data (data packet) buffer coupled to the disk storage unit and to the main memory for storing data received from or directed to the disk storage unit ;
and a control unit coupled to the interface for causing the or each host interface to receive and accept data in serial form , and for causing the or each disk storage unit interface to store and to access information in random form .

GB2063532A
CLAIM 7
. A method of storing digital data , comprising receiving the data in a main memory ;
determining appropriate storage locations on disk memory units ;
transmitting the data to disk interface units (data packet) associated with said disk memory units ;
and writing the data from the disk interface units on to the disk memory units .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4345315A

Filed: 1979-01-19     Issued: 1982-08-17

Customer satisfaction terminal

(Original Assignee) MSI Data Corp     (Current Assignee) Symbol Technologies LLC

Ernest R. Cadotte, Gerald P. Hester
US7739302B2
CLAIM 1
. A network arrangement (selected location) comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US7739302B2
CLAIM 2
. The network arrangement (selected location) of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (control signals) for accepting requests for network access to the NAD from a plurality of network clients (timing signals) having different operating (key operation) systems .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations (different operating) for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US4345315A
CLAIM 16
. A method of anonymously collecting opinion data as defined in claim 10 wherein the keyboard is switchably electrically powered and including a real time clock for continuously providing electronic timing signals (network clients, network protocols, network stack) at preselected real time increments , continuously recording the electronic timing signals in a permanent memory whether or not power is applied to the keyboard including the step of applying electrical power for preselected time intervals , if not previously powered during the recording step , to permit the recording thereof .

US7739302B2
CLAIM 3
. The network arrangement (selected location) of claim 1 , wherein the computer-executable instructions comprise distributed program modules .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US7739302B2
CLAIM 4
. The network arrangement (selected location) of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US7739302B2
CLAIM 5
. A local area network arrangement (selected location) comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US7739302B2
CLAIM 6
. The network arrangement (selected location) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet arrived via an authorized network interface .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US7739302B2
CLAIM 7
. The network arrangement (selected location) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid source address .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US7739302B2
CLAIM 8
. The network arrangement (selected location) of claim 5 , wherein the internal firewall management component is further configured to determine whether the header contains a valid destination address .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US7739302B2
CLAIM 9
. The network arrangement (selected location) of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US4345315A
CLAIM 1
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization , including the steps of providing an electronic terminal having a multiplicity of pressure sensitive keys on one face thereof , said face of the terminal being capable of simultaneously and continuously displaying a plurality of permanently recorded customer satisfaction inquiries at preselected locations (network arrangement) on the terminal and individual multiple responses tailored for each different inquiry , a plurality of groups of keys corresponding to the plurality of inquiries arranged adjacent individual inquiries and being representative of the individual responses for the single inquiry adjacent thereto with each key of the group being representative of a different response to the same inquiry , the terminal including means for individually substituting different permanently recorded inquiries and the responses for the displayed inquiries associated with a group or groups of keys , placing the thus defined electronic terminal in a location of the service organization that is readily accessible to the customers of the service organization so that the customers are invited to use the terminal and record their opinions as to the services they have experienced , the same inquiries and multiple responses being continuously displayed to a multiplicity of customers until the service organization changes the inquiries and multiple responses , the operation of a key generating an electrical data signal representative of opinion data relative to a previously identified inquiry displayed on the terminal , individually collecting the electrical data signals representative of each individually selected response signalled by the operation of a key by the terminal user on the basis of the location of the operated key , storing the electrical data signals in permanent storage means within the terminal on the basis of the number of users selecting each individual response to each of the individual responses , the permanent storage means includes program storage characters for defining the responses to each inquiry as permitting multiple responses or only a single response to an inquiry for each inquiry , examining the program storage characters to determine if the inquiry has been programmed for a single response or multiple responses , temporarily storing all key operations for each inquiry based on the collected data signals in a temporary storage device prior to storage in the permanent storage means , if it is determined an inquiry has been programmed for a single response , clear all previously stored data signals while maintaining the last data signal stored in the temporary storage device whereby the terminal user may change a previously selected response prior to storage in the permanent storage means .

US7739302B2
CLAIM 18
. The apparatus of claim 12 , wherein the apparatus is configured to operate in a heterogeneous network environment comprising a plurality of network protocols (timing signals) .
US4345315A
CLAIM 16
. A method of anonymously collecting opinion data as defined in claim 10 wherein the keyboard is switchably electrically powered and including a real time clock for continuously providing electronic timing signals (network clients, network protocols, network stack) at preselected real time increments , continuously recording the electronic timing signals in a permanent memory whether or not power is applied to the keyboard including the step of applying electrical power for preselected time intervals , if not previously powered during the recording step , to permit the recording thereof .

US7739302B2
CLAIM 19
. The apparatus of claim 18 wherein one of the plurality of network protocols (timing signals) is TCP/IP .
US4345315A
CLAIM 16
. A method of anonymously collecting opinion data as defined in claim 10 wherein the keyboard is switchably electrically powered and including a real time clock for continuously providing electronic timing signals (network clients, network protocols, network stack) at preselected real time increments , continuously recording the electronic timing signals in a permanent memory whether or not power is applied to the keyboard including the step of applying electrical power for preselected time intervals , if not previously powered during the recording step , to permit the recording thereof .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (new data) .
US4345315A
CLAIM 10
. A method of anonymously collecting opinion data including the steps of recording a plurality of inquiries with multiple choice responses for each individual inquiry , simultaneously displaying the record of the plurality of inquiries and the corresponding responses with a keyboard so that the individual keys of the keyboard are associated with and represent one of the multiple choice responses of the group of responses for an individual inquiry , providing a manually operable mode select switch switchable between an "operate" mode for collecting opinion data or a "parameter" mode for storing data in a permanent memory and reading out the data , permanently storing data including program data in a permanent memory that is addressable to read out the data and write in new data (SCSI interface) when the mode select switch is in the "parameter" mode , placing the select switch in the "operate" mode for acquiring response data represented by an operated key , while the select switch is in the "operate" mode , electronically scanning the keyboard to acquire response data represented by an operated key and continuously displaying the fact that an individual key has been operated and the corresponding response or responses for each displayed inquiry has been selected , designating addressable locations in the permanent memory as tally counters for storing a count representative of the number of times each individual key of the keyboard associated with an individual response has been selected , incrementing each tally counter in the permanent memory for each of said keys that have been operated , the program data stored in the permanent data includes data for identifying an inquiry as requiring multiple responses or single responses to the displayed inquiries , examining the program data to determine the single or multiple response requirement for each displayed inquiry , upon determining that an inquiry has been programmed for multiple responses , incrementing each tally counter for each operated key , and upon determining that an inquiry has been programmed for a single response , incrementing the tally counter for the last operated key only for said single response inquiry .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients (timing signals) and other devices in a manner that is in addition to any protection afforded by a firewall .
US4345315A
CLAIM 16
. A method of anonymously collecting opinion data as defined in claim 10 wherein the keyboard is switchably electrically powered and including a real time clock for continuously providing electronic timing signals (network clients, network protocols, network stack) at preselected real time increments , continuously recording the electronic timing signals in a permanent memory whether or not power is applied to the keyboard including the step of applying electrical power for preselected time intervals , if not previously powered during the recording step , to permit the recording thereof .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means (said keys) is further configured to manage access over a SCSI interface (new data) .
US4345315A
CLAIM 9
. A method of anonymously collecting data on customer satisfaction with the services rendered by a service organization as defined in claim 1 wherein at least one inquiry displayed on the terminal requires numerical data as a response and a plurality of keys are associated with said one inquiry with each key representing a different numerical value , and the keyboard includes a digital display adapted to display the numerical values represented by an operated numerical key , converting the electrical data signals generated in response to the operation of said keys (managing means) representative of numerical data to digital display signals for signalling the numerical values of the selected numerical key , and coupling the digital display signals to the digital display to display the selected numerical value .

US4345315A
CLAIM 10
. A method of anonymously collecting opinion data including the steps of recording a plurality of inquiries with multiple choice responses for each individual inquiry , simultaneously displaying the record of the plurality of inquiries and the corresponding responses with a keyboard so that the individual keys of the keyboard are associated with and represent one of the multiple choice responses of the group of responses for an individual inquiry , providing a manually operable mode select switch switchable between an "operate" mode for collecting opinion data or a "parameter" mode for storing data in a permanent memory and reading out the data , permanently storing data including program data in a permanent memory that is addressable to read out the data and write in new data (SCSI interface) when the mode select switch is in the "parameter" mode , placing the select switch in the "operate" mode for acquiring response data represented by an operated key , while the select switch is in the "operate" mode , electronically scanning the keyboard to acquire response data represented by an operated key and continuously displaying the fact that an individual key has been operated and the corresponding response or responses for each displayed inquiry has been selected , designating addressable locations in the permanent memory as tally counters for storing a count representative of the number of times each individual key of the keyboard associated with an individual response has been selected , incrementing each tally counter in the permanent memory for each of said keys that have been operated , the program data stored in the permanent data includes data for identifying an inquiry as requiring multiple responses or single responses to the displayed inquiries , examining the program data to determine the single or multiple response requirement for each displayed inquiry , upon determining that an inquiry has been programmed for multiple responses , incrementing each tally counter for each operated key , and upon determining that an inquiry has been programmed for a single response , incrementing the tally counter for the last operated key only for said single response inquiry .

US7739302B2
CLAIM 28
. The apparatus of claim 22 , wherein the filtering means is further configured to carry out the filtering at an application layer of a network stack (timing signals) .
US4345315A
CLAIM 16
. A method of anonymously collecting opinion data as defined in claim 10 wherein the keyboard is switchably electrically powered and including a real time clock for continuously providing electronic timing signals (network clients, network protocols, network stack) at preselected real time increments , continuously recording the electronic timing signals in a permanent memory whether or not power is applied to the keyboard including the step of applying electrical power for preselected time intervals , if not previously powered during the recording step , to permit the recording thereof .

US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4233661A

Filed: 1978-07-31     Issued: 1980-11-11

Computer controlled registration and inquiry system

(Original Assignee) Bolton Edgar A; Dallen Larry D     (Current Assignee) REGISTRATION CONTROL SYSTEMS INC 2601 EAST 28TH ST LONG BEACH CA A CORP OF

Edgar A. Bolton, Larry D. Dallen
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second data) for network access to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
US4233661A
CLAIM 2
. A registration system for obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefor comprising : at least one input means , each adapted for intermittently receiving a set of inputted registration data associated with a single registrant ;
editing means coupled to each input means for testing the format of the inputted data against a predefined format , storing only registration data having the predefined format , and revising incorrect stored registration data with new registration data for obtaining a set of correct registration data ;
means for generating a flag signal when a complete set of correct registration data is stored in the editing means ;
at least one embossing means each adapted for intermittently embossing an identification card with a first selected portion of a set of correct registration data associated with one of the registrants ;
first data storage means for storing a second selected portion of the set of correct registration data ;
controller means comprising : second data (data packet) storage means for storing a plurality of sets of correct registration data ;
processing means for defining the first and second selected portions of each set of correct registration data ;
interrupt means for : intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of the embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
and intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to the first storage means , the interrupt means enabling all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access to the NAD is authorized comprises determining whether information in the header of a received data packet (second data) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
US4233661A
CLAIM 2
. A registration system for obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefor comprising : at least one input means , each adapted for intermittently receiving a set of inputted registration data associated with a single registrant ;
editing means coupled to each input means for testing the format of the inputted data against a predefined format , storing only registration data having the predefined format , and revising incorrect stored registration data with new registration data for obtaining a set of correct registration data ;
means for generating a flag signal when a complete set of correct registration data is stored in the editing means ;
at least one embossing means each adapted for intermittently embossing an identification card with a first selected portion of a set of correct registration data associated with one of the registrants ;
first data storage means for storing a second selected portion of the set of correct registration data ;
controller means comprising : second data (data packet) storage means for storing a plurality of sets of correct registration data ;
processing means for defining the first and second selected portions of each set of correct registration data ;
interrupt means for : intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of the embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
and intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to the first storage means , the interrupt means enabling all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4233661A
CLAIM 2
. A registration system for obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefor comprising : at least one input means , each adapted for intermittently receiving a set of inputted registration data associated with a single registrant ;
editing means coupled to each input means for testing the format of the inputted data against a predefined format , storing only registration data having the predefined format , and revising incorrect stored registration data with new registration data for obtaining a set of correct registration data ;
means for generating a flag signal when a complete set of correct registration data is stored in the editing means ;
at least one embossing means each adapted for intermittently embossing an identification card with a first selected portion of a set of correct registration data associated with one of the registrants ;
first data storage means for storing a second selected portion of the set of correct registration data ;
controller means comprising : second data (data packet) storage means for storing a plurality of sets of correct registration data ;
processing means for defining the first and second selected portions of each set of correct registration data ;
interrupt means for : intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of the embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
and intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to the first storage means , the interrupt means enabling all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface .
US4233661A
CLAIM 2
. A registration system for obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefor comprising : at least one input means , each adapted for intermittently receiving a set of inputted registration data associated with a single registrant ;
editing means coupled to each input means for testing the format of the inputted data against a predefined format , storing only registration data having the predefined format , and revising incorrect stored registration data with new registration data for obtaining a set of correct registration data ;
means for generating a flag signal when a complete set of correct registration data is stored in the editing means ;
at least one embossing means each adapted for intermittently embossing an identification card with a first selected portion of a set of correct registration data associated with one of the registrants ;
first data storage means for storing a second selected portion of the set of correct registration data ;
controller means comprising : second data (data packet) storage means for storing a plurality of sets of correct registration data ;
processing means for defining the first and second selected portions of each set of correct registration data ;
interrupt means for : intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of the embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
and intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to the first storage means , the interrupt means enabling all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (second data) to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US4233661A
CLAIM 2
. A registration system for obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefor comprising : at least one input means , each adapted for intermittently receiving a set of inputted registration data associated with a single registrant ;
editing means coupled to each input means for testing the format of the inputted data against a predefined format , storing only registration data having the predefined format , and revising incorrect stored registration data with new registration data for obtaining a set of correct registration data ;
means for generating a flag signal when a complete set of correct registration data is stored in the editing means ;
at least one embossing means each adapted for intermittently embossing an identification card with a first selected portion of a set of correct registration data associated with one of the registrants ;
first data storage means for storing a second selected portion of the set of correct registration data ;
controller means comprising : second data (data packet) storage means for storing a plurality of sets of correct registration data ;
processing means for defining the first and second selected portions of each set of correct registration data ;
interrupt means for : intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of the embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
and intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to the first storage means , the interrupt means enabling all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
US4233661A
CLAIM 2
. A registration system for obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefor comprising : at least one input means , each adapted for intermittently receiving a set of inputted registration data associated with a single registrant ;
editing means coupled to each input means for testing the format of the inputted data against a predefined format , storing only registration data having the predefined format , and revising incorrect stored registration data with new registration data for obtaining a set of correct registration data ;
means for generating a flag signal when a complete set of correct registration data is stored in the editing means ;
at least one embossing means each adapted for intermittently embossing an identification card with a first selected portion of a set of correct registration data associated with one of the registrants ;
first data storage means for storing a second selected portion of the set of correct registration data ;
controller means comprising : second data (data packet) storage means for storing a plurality of sets of correct registration data ;
processing means for defining the first and second selected portions of each set of correct registration data ;
interrupt means for : intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of the embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
and intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to the first storage means , the interrupt means enabling all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
US4233661A
CLAIM 2
. A registration system for obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefor comprising : at least one input means , each adapted for intermittently receiving a set of inputted registration data associated with a single registrant ;
editing means coupled to each input means for testing the format of the inputted data against a predefined format , storing only registration data having the predefined format , and revising incorrect stored registration data with new registration data for obtaining a set of correct registration data ;
means for generating a flag signal when a complete set of correct registration data is stored in the editing means ;
at least one embossing means each adapted for intermittently embossing an identification card with a first selected portion of a set of correct registration data associated with one of the registrants ;
first data storage means for storing a second selected portion of the set of correct registration data ;
controller means comprising : second data (data packet) storage means for storing a plurality of sets of correct registration data ;
processing means for defining the first and second selected portions of each set of correct registration data ;
interrupt means for : intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of the embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
and intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to the first storage means , the interrupt means enabling all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface comprises a SCSI interface (data storage) .
US4233661A
CLAIM 1
. A method of obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefrom comprising the steps of : intermittently receiving a set of inputted registration data associated with a signal registration from at least one input means ;
editing the inputted registration data according to the substeps of : comparing the format of the inputted data against a predefined format , observing the stored registration data and replacing the stored registration data which is incorrect with new registration data for obtaining a set of correct registration data ;
generating a flag signal when a complete set of correct registration data is stored in the editing means ;
utilizing a controller means for : storing a plurality of sets of correct registration data in a first data storage (SCSI interface) means ;
intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of a plurality of embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to a second storage means , all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination , and a route of the data packet (second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
US4233661A
CLAIM 2
. A registration system for obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefor comprising : at least one input means , each adapted for intermittently receiving a set of inputted registration data associated with a single registrant ;
editing means coupled to each input means for testing the format of the inputted data against a predefined format , storing only registration data having the predefined format , and revising incorrect stored registration data with new registration data for obtaining a set of correct registration data ;
means for generating a flag signal when a complete set of correct registration data is stored in the editing means ;
at least one embossing means each adapted for intermittently embossing an identification card with a first selected portion of a set of correct registration data associated with one of the registrants ;
first data storage means for storing a second selected portion of the set of correct registration data ;
controller means comprising : second data (data packet) storage means for storing a plurality of sets of correct registration data ;
processing means for defining the first and second selected portions of each set of correct registration data ;
interrupt means for : intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of the embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
and intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to the first storage means , the interrupt means enabling all of said transfers occurring according to a programmed priority schedule .

US7739302B2
CLAIM 24
. The apparatus of claim 23 , wherein the managing means is further configured to manage access over a SCSI interface (data storage) .
US4233661A
CLAIM 1
. A method of obtaining and processing information on a multiplicity of registrants to be registered and generating an embossed identification card therefrom comprising the steps of : intermittently receiving a set of inputted registration data associated with a signal registration from at least one input means ;
editing the inputted registration data according to the substeps of : comparing the format of the inputted data against a predefined format , observing the stored registration data and replacing the stored registration data which is incorrect with new registration data for obtaining a set of correct registration data ;
generating a flag signal when a complete set of correct registration data is stored in the editing means ;
utilizing a controller means for : storing a plurality of sets of correct registration data in a first data storage (SCSI interface) means ;
intermittently selecting a set of correct registration data and enabling the transfer of that selected set of correct registration data between the controller means and the editing means ;
intermittently selecting one of a plurality of embossing means and enabling the transfer of a first selected portion of a selected set of the correct registration data to the selected embossing means ;
intermittently enabling the transfer of the second selected portion of a selected set of correct registration data to a second storage means , all of said transfers occurring according to a programmed priority schedule .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
US4160129A

Filed: 1977-05-03     Issued: 1979-07-03

Telephone communications control system having a plurality of remote switching units

(Original Assignee) TDX SYSTEMS Inc     (Current Assignee) TDX SYSTEMS Inc

Alan Peyser, William von Meister
US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs (control signals) for accepting requests for network access to the NAD from a plurality of network clients having different operating (communication signals) systems .
US4160129A
CLAIM 8
. The telephone communications control system of claim 7 wherein said means for interconnecting said central control means to said plurality of remote switching means comprises means for converting digital information and control signals (network protocol programs) at said central control means and at said remote switching means to signals transmittable over telephone lines , and at least one dedicated data line interconnecting said central control means and said remote switching means .

US4160129A
CLAIM 9
. A telephone communications lines control system for connecting local subscriber units to selected long distance telephone lines comprising : a plurality of remote switching means for connecting voice communications signals transmitted by said local subscriber units directly to selected long distance telephone lines at said remote switching means , a central control means positioned remote from said plurality of remote switching means for controlling said remote switching means to connect said voice communications signals transmitted by said local subscriber units to said selected long distance telephone lines , said central control means including means for selecting the long distance lines connected to said subscriber units with a predetermined long distance line selection priority for each of said remote switching means , and means interconnecting said central control means to each of said remote switching means for receiving data signals from said remote switching means and sending switch control signals back to said remote switching means for connecting voice communication signals (different operating, different operating systems, data management component) transmitted by said local subscriber units directly to selected long distance telephone lines at said remote switching means without being coupled through said central control means .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component (communication signals) , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
US4160129A
CLAIM 9
. A telephone communications lines control system for connecting local subscriber units to selected long distance telephone lines comprising : a plurality of remote switching means for connecting voice communications signals transmitted by said local subscriber units directly to selected long distance telephone lines at said remote switching means , a central control means positioned remote from said plurality of remote switching means for controlling said remote switching means to connect said voice communications signals transmitted by said local subscriber units to said selected long distance telephone lines , said central control means including means for selecting the long distance lines connected to said subscriber units with a predetermined long distance line selection priority for each of said remote switching means , and means interconnecting said central control means to each of said remote switching means for receiving data signals from said remote switching means and sending switch control signals back to said remote switching means for connecting voice communication signals (different operating, different operating systems, data management component) transmitted by said local subscriber units directly to selected long distance telephone lines at said remote switching means without being coupled through said central control means .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information (one communication line) identifying a proper port of the NAD ;

pass the data packet to the proper port ;

and at the proper port , provide the requested network access to the NAD .
US4160129A
CLAIM 1
. A telephone communication lines (header contains information) control system for controllably connecting local subscriber telephone units to long distance lines comprising : a plurality of remote switching means for connecting local subscriber telephone units to selected long distance telephone lines ;
a central control means positioned at a location remote from said switching means for controlling the connection of said local subscriber telephone units to said long distance telephone lines at each of said plurality of remote switching means , said central control means including means for selecting said long distance lines with a predetermined priority for each of a plurality of said subscriber telephone units ;
and means for interconnecting said central control means to said plurality of remote switching means , said interconnecting means transmitting data signals between said remote switching means and said remotely positioned central control means wherein voice communications signals being transmitted by said local subscriber telephone units are connected to selected long distance lines at said remote switching means without being connected through said remotely positioned control means .




US7739302B2

Filed: 1998-09-01     Issued: 2010-06-15

Network attached device with dedicated firewall security

(Original Assignee) ROBUST NETWORKS LLC     (Current Assignee) Firenet Technologies LLC

Stacy Kenworthy
CA2643148A1

Filed: 1998-02-25     Issued: 1998-08-27

Technique for defining, using and manipulating rights management data structures

(Original Assignee) Intertrust Technologies Corp.; Edwin J. Hall; Victor H. Shear; Luke S. Tomasello; David M. Van Wie; Robert P. Weber; Kim Worsencroft; Xuejun Xu     (Current Assignee) Intertrust Technologies Corp

Edwin J. Hall, Victor H. Shear, Luke S. Tomasello, David M. Van Wie, Robert P. Weber, Kim Worsencroft, Xuejun Xu
US7739302B2
CLAIM 1
. A network arrangement comprising : a network client and at least one network attached device (NAD) residing on a same network ;

a NAD server disposed between the network client and the NAD , the NAD server being configured to electronically communicate with the NAD over a connection , the NAD server being further configured to receive request contained in a data packet (second data) for network access (process request) to the NAD , the NAD server including computer executable instructions that , upon execution , cause the NAD server to : determine whether the header of a received data packet containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (organization information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to : determine whether the received request for network access to the NAD is authorized ;

and provide the network client with network access to the NAD only if the request for network access is authorized , such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information (network destination) at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .

CA2643148A1
CLAIM 4
. A method as in Claim 1 , in which : said creation of said first secure container occurs at a first data processing arrangement located at a first site ;
said first data processing arrangement including a communications port ;
and said method further includes : prior to said step of accessing said descriptive data structure , said first data processing arrangement receiving said descriptive data structure from a second data (data packet) processing arrangement located at a second site , said receipt occurring through said first data processing arrangement communications port .

CA2643148A1
CLAIM 9
. A method as in Claim 8 , in which : said descriptive data structure includes a reference to said metadata , a process running at said first data processing arrangement accesses said reference , and said process requests (network access) delivery of said metadata ;
said metadata being received through said first data processing arrangement communications port following said request .

US7739302B2
CLAIM 2
. The network arrangement of claim 1 , wherein the NAD server comprises a plurality of network protocol programs for accepting requests for network access (process request) to the NAD from a plurality of network clients having different operating systems .
CA2643148A1
CLAIM 9
. A method as in Claim 8 , in which : said descriptive data structure includes a reference to said metadata , a process running at said first data processing arrangement accesses said reference , and said process requests (network access) delivery of said metadata ;
said metadata being received through said first data processing arrangement communications port following said request .

US7739302B2
CLAIM 4
. The network arrangement of claim 1 , wherein the step of determining whether the request for network access (process request) to the NAD is authorized comprises determining whether information in the header of a received data packet (second data) containing the request for network access is complete , the information relating to at least one of the network source , destination , and route of the data packet .
CA2643148A1
CLAIM 4
. A method as in Claim 1 , in which : said creation of said first secure container occurs at a first data processing arrangement located at a first site ;
said first data processing arrangement including a communications port ;
and said method further includes : prior to said step of accessing said descriptive data structure , said first data processing arrangement receiving said descriptive data structure from a second data (data packet) processing arrangement located at a second site , said receipt occurring through said first data processing arrangement communications port .

CA2643148A1
CLAIM 9
. A method as in Claim 8 , in which : said descriptive data structure includes a reference to said metadata , a process running at said first data processing arrangement accesses said reference , and said process requests (network access) delivery of said metadata ;
said metadata being received through said first data processing arrangement communications port following said request .

US7739302B2
CLAIM 5
. A local area network arrangement comprising a network client and at least one network attached device (NAD) disposed in electronic communication with each other over a same network , the NAD comprising ;

a data management component , and an internal firewall management component , the internal firewall management component being configured to receive a plurality of requests for network access (process request) to the NAD from the network client and , for each of the plurality of requests , to determine , independently of a firewall external to the NAD , whether the request for network access to the NAD is authorized , wherein the data packet (second data) includes a header and wherein the internal firewall management component of the NAD is configured to determine whether each of the plurality of requests for network access to the NAD is authorized by filtering the data packet based at least on IP addresses contained in the header , and wherein the request for network access to the NAD is determined to be authorized by determining whether the header includes at least information relating to a network source , a destination , and a route of the data packet , wherein the data management component is configured to provide the network client with access to the NAD only if the request for network access is determined to be authorized by the internal firewall management component , and wherein at least some of the plurality of requests originate from within the network without passing through the firewall .
CA2643148A1
CLAIM 4
. A method as in Claim 1 , in which : said creation of said first secure container occurs at a first data processing arrangement located at a first site ;
said first data processing arrangement including a communications port ;
and said method further includes : prior to said step of accessing said descriptive data structure , said first data processing arrangement receiving said descriptive data structure from a second data (data packet) processing arrangement located at a second site , said receipt occurring through said first data processing arrangement communications port .

CA2643148A1
CLAIM 9
. A method as in Claim 8 , in which : said descriptive data structure includes a reference to said metadata , a process running at said first data processing arrangement accesses said reference , and said process requests (network access) delivery of said metadata ;
said metadata being received through said first data processing arrangement communications port following said request .

US7739302B2
CLAIM 6
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to determine whether the header indicates that the data packet (second data) arrived via an authorized network interface .
CA2643148A1
CLAIM 4
. A method as in Claim 1 , in which : said creation of said first secure container occurs at a first data processing arrangement located at a first site ;
said first data processing arrangement including a communications port ;
and said method further includes : prior to said step of accessing said descriptive data structure , said first data processing arrangement receiving said descriptive data structure from a second data (data packet) processing arrangement located at a second site , said receipt occurring through said first data processing arrangement communications port .

US7739302B2
CLAIM 9
. The network arrangement of claim 5 , wherein the internal firewall management component is further configured to : determine whether the header contains information identifying a proper port of the NAD ;

pass the data packet (second data) to the proper port ;

and at the proper port , provide the requested network access (process request) to the NAD .
CA2643148A1
CLAIM 4
. A method as in Claim 1 , in which : said creation of said first secure container occurs at a first data processing arrangement located at a first site ;
said first data processing arrangement including a communications port ;
and said method further includes : prior to said step of accessing said descriptive data structure , said first data processing arrangement receiving said descriptive data structure from a second data (data packet) processing arrangement located at a second site , said receipt occurring through said first data processing arrangement communications port .

CA2643148A1
CLAIM 9
. A method as in Claim 8 , in which : said descriptive data structure includes a reference to said metadata , a process running at said first data processing arrangement accesses said reference , and said process requests (network access) delivery of said metadata ;
said metadata being received through said first data processing arrangement communications port following said request .

US7739302B2
CLAIM 10
. A system for managing access from outside of a network running a bastion firewall to at least one network attached device (NAD) operatively connected to the network , the apparatus comprising : means for receiving at least one request for network access (process request) to the NAD and for determining whether the received at least one request for network access to the NAD should be authorized by determining whether the header of a received data packet (second data) containing the request for network access includes at least one of an IP address of a network source , an IP address of a network destination (organization information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for providing network access to the NAD when the at least one request is authorized and for denying network access to the NAD when the at least one request is unauthorized , wherein the at least one request originates one of within the network and external to the network and wherein at least one request passed into the network through a firewall .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information (network destination) at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .

CA2643148A1
CLAIM 4
. A method as in Claim 1 , in which : said creation of said first secure container occurs at a first data processing arrangement located at a first site ;
said first data processing arrangement including a communications port ;
and said method further includes : prior to said step of accessing said descriptive data structure , said first data processing arrangement receiving said descriptive data structure from a second data (data packet) processing arrangement located at a second site , said receipt occurring through said first data processing arrangement communications port .

CA2643148A1
CLAIM 9
. A method as in Claim 8 , in which : said descriptive data structure includes a reference to said metadata , a process running at said first data processing arrangement accesses said reference , and said process requests (network access) delivery of said metadata ;
said metadata being received through said first data processing arrangement communications port following said request .

US7739302B2
CLAIM 11
. The system of claim 10 , wherein the apparatus includes a server coupled to the NAD and wherein network access (process request) to the NAD is only available through the server .
CA2643148A1
CLAIM 9
. A method as in Claim 8 , in which : said descriptive data structure includes a reference to said metadata , a process running at said first data processing arrangement accesses said reference , and said process requests (network access) delivery of said metadata ;
said metadata being received through said first data processing arrangement communications port following said request .

US7739302B2
CLAIM 12
. An apparatus , comprising : a processing unit ;

a network interface coupled to the processing unit and to a network ;

an attached device interface (following steps) coupled to the processing unit and configured to provide a communication path to a directly attached device ;

and a memory coupled to the processing unit and storing instructions that , upon execution , cause the processing unit to : determine whether requests for access to the directly attached device received from the network interface should be authorized or unauthorized wherein each of the requests for access to the directly attached device is contained in a packet and determine whether the header of a received data packet (second data) containing the request for network access (process request) includes at least one of an IP address of a network source , an IP address of a network destination (organization information) , and a route of the data packet , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

deny requests for access to the directly attached device that are determined to be unauthorized ;

allow requests for access to the directly attached device that are determined to be authorized , wherein each of the requests originates one of within and external to the network and wherein at least one of the requests for access has passed into the network through a firewall .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps (device interface, storage device) ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information (network destination) at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .

CA2643148A1
CLAIM 4
. A method as in Claim 1 , in which : said creation of said first secure container occurs at a first data processing arrangement located at a first site ;
said first data processing arrangement including a communications port ;
and said method further includes : prior to said step of accessing said descriptive data structure , said first data processing arrangement receiving said descriptive data structure from a second data (data packet) processing arrangement located at a second site , said receipt occurring through said first data processing arrangement communications port .

CA2643148A1
CLAIM 9
. A method as in Claim 8 , in which : said descriptive data structure includes a reference to said metadata , a process running at said first data processing arrangement accesses said reference , and said process requests (network access) delivery of said metadata ;
said metadata being received through said first data processing arrangement communications port following said request .

US7739302B2
CLAIM 16
. The apparatus of claim 12 , wherein the instructions , when executed , cause the processing unit to determine whether the requests contain information to gain access to a proper port over the directly attached device interface (following steps) .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps (device interface, storage device) ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .

US7739302B2
CLAIM 20
. The apparatus of claim 12 wherein the directly attached device interface (following steps) comprises a SCSI interface .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps (device interface, storage device) ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .

US7739302B2
CLAIM 21
. The apparatus of claim 12 wherein the directly attached device comprises at least one of a printer , a storage device (following steps) , and a video codec .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps (device interface, storage device) ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .

US7739302B2
CLAIM 22
. An apparatus , comprising : means for receiving requests over a network for access to a network attached device (NAD) , the requests originating one of within the network and external thereto , at least one of the requests having passed into the network through a firewall ;

means for filtering each of the requests for access to the NAD to prevent unauthorized access to the NAD wherein each of the requests includes a packet having a header and wherein the means for filtering comprises means for examining the header of a packet received in connection with the request to determine whether the header includes at least one of an IP address of a network source , an IP address of a network destination (n information) , and a route of the data packet (second data) , the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet ;

and means for allowing access to the NAD for each request that the filtering means determines is authorized such that the NAD is protected from unauthorized access requests from network clients and other devices in a manner that is in addition to any protection afforded by a firewall .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information (network destination) at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .

CA2643148A1
CLAIM 4
. A method as in Claim 1 , in which : said creation of said first secure container occurs at a first data processing arrangement located at a first site ;
said first data processing arrangement including a communications port ;
and said method further includes : prior to said step of accessing said descriptive data structure , said first data processing arrangement receiving said descriptive data structure from a second data (data packet) processing arrangement located at a second site , said receipt occurring through said first data processing arrangement communications port .

US7739302B2
CLAIM 23
. The apparatus of claim 22 further comprising means for managing access to the NAD over a device interface (following steps) if the request is allowed .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps (device interface, storage device) ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .

US7739302B2
CLAIM 29
. The apparatus of claim 22 , wherein the NAD comprises at least one of a printer , a storage device (following steps) , and a video codec .
CA2643148A1
CLAIM 1
. A method of creating a first secure container , said method including the following steps (device interface, storage device) ;
accessing a descriptive data structure , said descriptive data structure including or addressing organization information at least in part describing a required or desired organization of a content section of said first secure container , and metadata information at least in part specifying at least one step required or desired in creation of said first secure container ;
using said descriptive data structure to organize said first secure container contents ;
using said metadata information to at least in part determine specific information required to be included in said first secure container contents ;
and generating or identifying at least one rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents .