1. Field of the Invention
The present invention relates to a method and a portal system for personalized dynamically grant just in time Internet resources and deny access for non-granted Internet resources.
Moreover, the present invention relates to a personalized access policy server, a portal server, a firewall, and computer software products for dynamically granting and denying network resources.
The present invention is based on a priority application, EP 02360208.9, which is hereby incorporated by reference.
2. Background
In current environments firewalls and HTTP-proxy servers are able to block fixed sets of resources, e.g. identified by uniform resource identifiers (URIs). The set of URIs that is blocked for a requesting user might dependent on the user's grants or on a user profile as well as security requirements.
Today, as mentioned above, this set of accessible resources is statically configured. Static firewall configurations solve a lot of problems. A well-known example is Internet access in a corporate environment. Employees may access all URIs of the intranet and some URIs of the extra-net without identification. After an authentication to the proxy server the employees can reach the whole Internet.
The origin functionality of a firewall is to create barriers in order to prevent unauthorized access to a network. When thinking of the Internet as a series of hallways, firewalls are the security doors through which some people (i.e. data) may pass and others may not. Hence a firewall is an almost static configurable filter.
From a technical point of view a firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. The term also implies the security policy that is used with the programs. An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to.
Basically, a firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.
There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable, previously identified domain name and Internet Protocol addresses.
A number of companies make firewall products. Features include logging and reporting, automatic alarms at given thresholds of attack, and a graphical user interface for controlling the firewall.
In the above description, the requestor is located in a private network that has connectivity to the Internet. The owner of the private network however wants to control and/or limit the requests to the Internet. For this purpose the existing solutions fits.
In the business proposition of an Internet service provider (ISP) and a Telephone Corporation (Telco) a more dynamic firewall is advantageous. When a telecom provider offers a service selector portal to an end-user, the end-user has in a first step only access to the Telco's portal. The connection is the Telco's network is established by e.g. a Digital Subscriber Line (DSL). Later on by selecting a service on the portal, the end-user gets access to a corporate network or the Internet via an ISP. The dynamic access can be realized by the virtual routing algorithms and/or IP-filters of an access server, or similar approaches. Note that the role of providing such service selector portal, described in this document as executed by the Telco, can also be executed by an ISP. Other ISPs further in the network are in such case typically named “sub-ISP”.
The Telco's portal seems to be the ideal place to publish advertisements, as this forced portal is the entry point for all the end-users as well as for all end-users' further access to any other service in the network. To make the advertisements valuable, it is necessary that the business sites related to the advertisements are reachable for the end-user from the first beginning without an established Internet connection, i.e. with no ISP.
The advertisement business sites are typically located on the public Internet. The Telco however cannot give the end-user full Internet access via his network directly, because by doing this he would become a competitor of its own customer, the ISP.
3. Technical Problem
A URI-blocking function (of a firewall) is necessary where the Telco could restrict the Internet access leaving the added value for the ISP. However, to make the whole advertisement site accessible the restriction to advertisement pages might be too restrictive.