1. Field of the Invention
The present invention relates generally to information processing and, more particularly, to systems and methods for maintaining security of computer systems connected to one or more networks (Local Area Networks or Wide Area Networks) and reconciling multiple security policies that may apply to computer systems from time to time.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
In traditional computing networks, a desktop computer largely remained in a fixed location and was physically connected to a single local network via Ethernet. More recently, however, an increasingly large number of business and individual users are using portable computing devices, such as laptop computers, that are moved frequently and that connect into more than one network. For example, many users now have laptop computers that are plugged into a corporate network during the day and are plugged into a home network during the evening. Computers can be connected to networks at home, at work, and in numerous other locations. Many users also have home computers that are remotely connected to various organizations from time to time through the Internet. The number of computing devices, and the number of networks that these devices connect to, has increased dramatically in recent years.
In addition, various different types of connections may be utilized to connect to these different networks. A dial-up modem may be used for remote access to an office network. Various types of wireless connectivity, including IEEE (Institute of Electrical and Electronics Engineers) 802.11 and Bluetooth, are also increasingly popular. Wireless networks often serve a large and changing population of users, each of whom is connected only intermittently. Moreover, connecting to such networks is often very easy, since no physical link is required. Wireless and other types of networks are frequently provided in cafes, airports, convention centers, and other public locations to enable mobile computer users to connect to the Internet. Increasingly, users are also using the Internet to remotely connect to a number of different systems and networks. For example, a user may connect his or her home computer to a corporate network through a virtual private network (VPN) which creates a secure Internet session between the home computer and the corporation's servers. The user may also connect this same home computer to his or her bank for on-line banking. Thus, it is becoming more common for users to connect to a number of different networks from time to time through a number of different means.
One of the implications of this increasing number of devices occasionally connected to different networks is that traditional corporate firewall technologies are no longer sufficient on their own. Traditional firewall products guard a boundary (or gateway) between a local network, such as a corporate network, and a larger network, such as the Internet. These products primarily regulate traffic between physical networks by establishing and enforcing rules that regulate access based upon the type of access request, the source requesting access, the connection port to be accessed, and other factors. For example, a firewall may permit access to a particular computer on port 80, but deny remote access to other computers on the network. A firewall may also permit access from a specific IP address or range (or zone) of IP addresses, but deny access from other addresses. Different security rules may be defined for different zones of addresses. However, traditional firewall technology guarding a network boundary does not protect against traffic that does not traverse that boundary. It does not regulate traffic between two devices within the network or between two devices outside the network. A corporate firewall provides some degree of protection when a device is connected to that particular corporate network, but it provides no protection when the device is connected to other networks. In addition, a traditional firewall may not protect against intrusions originating from a remote device that is connected to a corporate (or similar) network, for example over a VPN: once admitted, such a device is effectively inside the protected boundary.
One security measure that has been utilized by many users is to install a personal firewall (or end point security) product on a computer system to control traffic into and out of the system. An end point security product can regulate all traffic into and out of a particular computer. However, in today's Internet connected environment an end user may connect to a number of different networks from time to time. For example, a user with a home computer may connect this machine to his or her bank for on-line banking as well as to his or her Internet service provider. The user may also remotely connect the device to a private network of a corporation, government entity, or similar organization (e.g., through a virtual private network (VPN)). Each of these connections may involve different security concerns.
In the situation where a user remotely connects to a private network through a VPN, the organization operating the private network may require the end user to take steps necessary to protect the security of the private network. One way to increase the security of a private network that permits access by remote users is to provide remote users with end point security software. Security may be further enhanced by requiring users to comply with security policies in connection with obtaining remote access to the private network. An increasing number of corporate and other organizations are putting security policies in place and requiring compliance by remote users in order to secure their networks, infrastructure, and information. As a result, an end user of a computing device may be subject to different security policies and requirements from time to time. For example, an end user may utilize an end point security module to secure his or her device. As part of this effort, the user may adopt certain security settings or policies for security of his or her device as he or she accesses various sites on the Internet. However, when the user opens communication channels to other systems, additional security policies may come into play. For instance, a connection to a bank for on-line banking may require the user to download and apply the bank's required security policies. As a result, an end user may be required to implement a number of different security policies from time to time as he or she connects to different networks, sites, or entities.
Corporations and other organizations permitting access to their networks are increasingly requiring compliance with organizational security policies (hereinafter referred to as “corporate security policies”) in order to protect their networks and systems. For example, if a remote user connected to a bank for on-line banking does not apply and properly enforce the bank's required security policies, a hacker could gain unauthorized access to the bank's systems through the remote user's unsecured system. Although a secure VPN connection may be established between the bank and the user in this instance, if the user's system is vulnerable, security of the overall environment may be jeopardized.
To guard against these types of risks, the bank may require an on-line banking user to install particular security software on his or her machine and/or may require particular security policies or settings to be implemented. Current VPN and security technology provides for loading a particular security policy (e.g., software implementing the security policy required by the bank in this example) based upon a particular location (e.g., based upon a specific network connection to the bank). However, this is currently an all-or-nothing solution. It may well provide an appropriate level of protection for the bank's systems, but the user is forced to operate under security policies that are much more restrictive than he or she requires for other activities, such as connecting to an Internet service provider or to other computers in a home network. These restrictions may, in fact, make it more difficult for the user to perform tasks with organizations or entities other than the bank. The set of security policies appropriate for on-line banking may be inappropriate for connecting to other sites for other purposes. On the other hand, if the bank leaves security policies and settings to the sole discretion of the user, the user's preferred security settings may be insufficient to protect the bank's systems.
What is required is a more flexible system in which different security policies and settings are applied depending upon the entities or networks to which a user is connected from time to time. A user may, for example, wish to apply his or her own individual set of security policies in connecting to his or her Internet service provider. However, he or she may also need to comply with other policies as required for other purposes, such as remotely connecting to his or her employer's corporate network or to a bank for on-line banking. Ideally, the solution should also enable multiple security policies to be effectively reconciled and merged as required from time to time. The ability to merge multiple security policies enables required security concerns to be satisfied, while still providing a degree of flexibility to the user. The solution should also be easy to implement and apply, so that the solution may be utilized by a wide range of users, including users with little knowledge of security policies and requirements. The present invention fulfills these and other needs.
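As an added illustration (not part of the patent text, and not the mechanism the patent itself claims), the following Python contrasts the all-or-nothing, location-triggered policy loading described above with selecting policies per active connection and reconciling them by keeping the stricter value of each setting. The policy fields, the three sample policies, the entity-to-policy table and the "most restrictive wins" merge rule are all constructed assumptions chosen to make the trade-off concrete.

```python
"""Per-connection security policies and a most-restrictive merge (added example).

Assumptions, not the patent's method: a Policy has a handful of enforceable
settings, and reconciling several applicable policies means taking the
stricter value of every setting (union of blocked inbound ports, intersection
of allowed outbound ports, OR of required controls).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Policy:
    """Settings an end point security module could enforce (assumed fields)."""
    name: str
    blocked_inbound_ports: FrozenSet[int] = frozenset()
    # None means any outbound port is allowed; a set restricts outbound traffic.
    allowed_outbound_ports: Optional[FrozenSet[int]] = None
    require_antivirus: bool = False
    block_file_sharing: bool = False


def merge(policies: Iterable[Policy]) -> Policy:
    """Reconcile several applicable policies by keeping the stricter setting of each."""
    policies = list(policies)
    if not policies:
        raise ValueError("at least one policy must apply")
    blocked = frozenset().union(*(p.blocked_inbound_ports for p in policies))
    allowed: Optional[FrozenSet[int]] = None
    for p in policies:
        if p.allowed_outbound_ports is not None:
            allowed = (p.allowed_outbound_ports if allowed is None
                       else allowed & p.allowed_outbound_ports)
    return Policy(
        name="+".join(p.name for p in policies),
        blocked_inbound_ports=blocked,
        allowed_outbound_ports=allowed,
        require_antivirus=any(p.require_antivirus for p in policies),
        block_file_sharing=any(p.block_file_sharing for p in policies),
    )


# Constructed sample policies: the user's own, a bank's, and an employer's.
USER_POLICY = Policy("user", blocked_inbound_ports=frozenset({23, 135, 139}))
BANK_POLICY = Policy("bank",
                     blocked_inbound_ports=frozenset(range(1, 1024)),
                     allowed_outbound_ports=frozenset({53, 80, 443}),
                     require_antivirus=True, block_file_sharing=True)
CORP_POLICY = Policy("corp",
                     blocked_inbound_ports=frozenset({135, 139, 445, 3389}),
                     allowed_outbound_ports=frozenset({22, 53, 80, 443, 1194}),
                     require_antivirus=True)

# Which policy each remote entity imposes while a connection to it is open
# (hypothetical table; the user's own policy always applies).
POLICY_FOR_ENTITY: Dict[str, Policy] = {"bank": BANK_POLICY, "corp-vpn": CORP_POLICY}


def all_or_nothing(required: Policy) -> Policy:
    """The current approach described in the text: one required policy replaces
    everything else and governs all of the user's traffic."""
    return required


def effective_policy(active_entities: Iterable[str],
                     own: Policy = USER_POLICY,
                     table: Dict[str, Policy] = POLICY_FOR_ENTITY) -> Policy:
    """Merge the user's policy with those imposed by currently connected entities."""
    applicable = [own] + [table[e] for e in active_entities if e in table]
    return merge(applicable)


def permits_outbound(policy: Policy, port: int) -> bool:
    """True when the policy lets the user open an outbound connection on `port`."""
    return policy.allowed_outbound_ports is None or port in policy.allowed_outbound_ports


def permits_inbound(policy: Policy, port: int) -> bool:
    """True when the policy lets other hosts reach this machine on `port`."""
    return port not in policy.blocked_inbound_ports


if __name__ == "__main__":
    # All-or-nothing: the bank's policy blocks home file sharing (SMB, 445/tcp)
    # and SSH (22/tcp) even when the user is not talking to the bank at all.
    strict = all_or_nothing(BANK_POLICY)
    print("all-or-nothing, at home: ssh out", permits_outbound(strict, 22),
          "smb in", permits_inbound(strict, 445))
    # Per-connection merge: the bank's requirements hold while the bank session
    # is open, and the user's own policy returns once it closes.
    print("merged, bank open:      ssh out", permits_outbound(effective_policy(["bank"]), 22))
    print("merged, bank closed:    ssh out", permits_outbound(effective_policy([]), 22),
          "smb in", permits_inbound(effective_policy([]), 445))
    print("bank + corp VPN:", effective_policy(["bank", "corp-vpn"]))
```

Merging by "strictest setting wins" satisfies every connected entity's requirements at once, which is the property the text asks for; the price is that a permissive setting the user relies on disappears for as long as a stricter policy is active, so the user-visible effect of each policy should be reported rather than applied silently.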