1. Field of the Invention
The invention pertains generally to limiting website access on a computer network. More specifically, the invention relates to an electronic walled garden for providing access to one or more websites that incorporate content from other websites.
2. Description of the Prior Art
For a variety of reasons, network providers may require users to log in before allowing them to access websites on the Internet. Logging in may involve one or more of payment, authentication, and/or registration. However, it may also be desirable to provide free access to certain websites for guest users who have not logged in. For example, a hotel may desire a limited number of external websites such as a hotel reservation website and a tour operator website to be freely accessible from laptops and other web browsing devices within the hotel even for guests who have not logged in.
A walled garden is a well-known concept allowing a network administrator to limit access to only some external websites. Walled gardens typically include an administrator-specified list of external websites which are to be freely available, and these sites are specified by either IP addresses or hostnames. Before a user has logged in, the walled garden ensures that only external websites listed on the administrator-specified cleared sites list may be accessed by the user.
The inventor of the present application recognized a problem with typical walled gardens in that a single Internet website may be provided from a plurality of different sub domains and IP addresses, and not all of the different sub domains and IP addresses may be known to the administrator at the time the walled garden is configured. Additionally, sub domains and IP addresses utilized by external websites may change after the walled garden is configured and the administrator may be unaware of these external changes. Therefore it is very difficult for an administrator to permanently configure a typical walled garden with a list of allowed websites because the administrator does not know all details of the external sites and does not know when known details will change. The result of missing or incorrect sub domains and IP addresses configured at the walled garden is that some content that is supposed to be freely available to users will not be available. Websites that are affected may appear to be unavailable or malfunctioning to users who are not logged in.
FIG. 1 is an illustration of the present inventor's own prior art smart walled garden system 100. To solve the above-described problem, the inventor of the present invention conceived of and reduced to practice the smart walled garden system 100 that allows the usage of wildcards by an administrator when defining the cleared sites list 124. The present inventor's implementation of the smart walled garden system 100, further described below, was rolled out to a plurality of hotels in the United States no later than March 2009 and remains in use today.
Referring to FIG. 1, an administrator console 102 to the smart walled garden system 100 is provided for an administrator of the guest network 110 to enter on the cleared sites list 124 hostname descriptors corresponding to websites that are to be freely available. The admin console 102 is isolated on an admin network 108 for security purposes. FIG. 2 illustrates an example cleared sites list 200. As shown, the hostname descriptors on the cleared sites list 200 may include wildcards at the beginning of a portion of the hostname to indicate other allowed sub domains for that host. Any websites matching the hostname descriptors of the cleared sites list 200 are freely accessible by a guest laptop 112 without requiring a user of the guest laptop 112 to log in or make payment.
At start-up, the controller 114 parses the cleared sites list 124 and does a DNS lookup of all exact site names that do not include wild cards to determine their corresponding one or more IP addresses. The resulting IP addresses are added to the cleared IP list 122 of the firewall 120. Using the cleared sites list 200 shown in FIG. 2 as an example, the DNS-resolved IP address of “www.marriott.com” would be automatically added to the cleared IP list 122. The cleared IP list 122 is used by the firewall 120 to determine which destination IP addresses can be directly accessed by users who are not logged in.
FIG. 3 shows a flowchart describing operations of the smart walled garden system 100 when a new hypertext transfer protocol (HTTP) request to access an external website is received from guest laptop 112. The following steps are performed:
Step 300: An incoming HTTP connection request is received at the firewall 120.
Step 302: According to the firewall rules associated with the cleared IP list 122, the firewall 120 either permits direct transfer of the connection request to the Internet 106, or forwards the connection request to the controller 114. More specifically, when the destination IP address of the connection request matches one of the IP addresses on the cleared IP list 122, control proceeds to step 304; otherwise, control proceeds to step 306.
Step 304: Because the destination IP address is cleared, the firewall 120 allows direct access to the Internet 106 for the connection request.
Step 306: Because the destination IP address is not cleared, the firewall 120 forwards the connection request to the controller 114 and the controller accepts the connection request at this step.
Step 308: After the controller 114 accepts the connection request, the host name detector 118 examines the contents of the HTTP request to determine the destination host name header. The destination host name header is a standard HTTP field, also known as the Host request-header field, that specifies the Internet host and port number of the resource being requested. In other words, the destination host name header includes the host name of the destination website. The destination host name header is required for all HTTP/1.1 request messages. If the destination host name matches one of the site names on the cleared sites list 124, control proceeds to step 310; otherwise, control proceeds to step 312. Wildcards on the cleared sites list 124 are taken into account when searching for a match between the destination host name and the hostname descriptors listed on the cleared sites list 124.
Step 310: Because the destination host header indicates a cleared site, the controller 114 adds the destination IP address to the cleared IP list 122 for the firewall rules.
Step 312: Because the destination host header indicates a website that is not on the cleared sites list 124, the controller 114 blocks access.
Step 314: Utilizing the transparent proxy 114, the controller 114 acts as a transparent proxy for this HTTP request-response transaction between the guest laptop 112 and the destination host.
To ensure the smart walled garden system 100 takes into account changes to IP addresses of external websites, once per day, all IP addresses are purged from the cleared IP list 122. Similar to at start-up, the controller 114 then parses the cleared sites list 124 and does a DNS lookup of all exact site names that do not include wild cards to determine their corresponding one or more IP addresses. The resulting IP addresses are added to the cleared IP list 122 of the firewall 120. Thereafter, as users access sites that match the allowed sites on the cleared sites list 124 having wildcards, more IP addresses are automatically added to the cleared IP list 122 as described above. Because the cleared IP list 122 is deleted and rebuilt once per day, the list does not grow infinitely as addresses change. Also, older (possibly invalid) IP addresses are automatically removed and rechecked.
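The following Python program is an added example, not code from the patent or from the inventor's deployed system. It models the pieces described above in one place: the wildcard hostname descriptors of FIG. 2, the start-up resolution of exact site names into the cleared IP list, the firewall/controller decision of FIG. 3 (steps 300 to 314, including extraction of the Host request-header), and the once-per-day purge and rebuild. The cleared sites list, the DNS table and the request bytes are constructed so the program runs offline; the real controller performs live DNS lookups. Treating "*" as matching any run of characters is an assumption, since the page only shows wildcards at the start of a hostname portion. The check that the destination IP appears in the DNS answer for the matched host name is a hardening added here and is not part of the page's flowchart.

```python
import re

# Constructed cleared sites list in the style of FIG. 2; the descriptors are hypothetical.
CLEARED_SITES = ["www.marriott.com", "*.tourcompany.example"]

# Constructed DNS table so the example runs offline; the real controller does live lookups.
DNS_TABLE = {
    "www.marriott.com": ["198.51.100.10", "198.51.100.11"],
    "booking.tourcompany.example": ["203.0.113.5"],
    "img.tourcompany.example": ["203.0.113.6"],
    "www.unrelated.example": ["192.0.2.99"],
}


def resolve(hostname):
    """Stand-in for the DNS lookup: the addresses for a name, empty if it is unknown."""
    return list(DNS_TABLE.get(hostname.lower(), []))


def descriptor_matches(descriptor, hostname):
    """True if a cleared-sites descriptor (with optional '*' wildcards) covers hostname.

    Each '*' stands for any run of characters; the rest of the descriptor must match
    exactly. Hostnames are compared case-insensitively, as DNS names are.
    """
    pattern = ".*".join(re.escape(part) for part in descriptor.lower().split("*"))
    return re.fullmatch(pattern, hostname.lower()) is not None


def host_is_cleared(hostname, descriptors):
    """The host name detector's check against the whole cleared sites list."""
    return any(descriptor_matches(d, hostname) for d in descriptors)


def parse_host_header(request):
    """Return the host name from the HTTP Host request-header (port stripped), or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:            # skip the request line itself
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            value = value.strip()
            if value.startswith("["):                # bracketed IPv6 literal, e.g. [::1]:80
                return value[1:value.find("]")] if "]" in value else None
            return value.split(":", 1)[0] or None
    return None                                      # HTTP/1.0 requests may omit Host


class SmartWalledGarden:
    """The firewall's cleared IP list plus the controller's host-name check (FIG. 3)."""

    def __init__(self, cleared_sites):
        self.cleared_sites = list(cleared_sites)
        self.cleared_ips = set()
        self.rebuild_cleared_ips()

    def rebuild_cleared_ips(self):
        """At start-up and once per day: purge the list, then resolve the exact names.

        Descriptors containing a wildcard are skipped; their addresses are learned
        one by one as guests request matching hosts.
        """
        self.cleared_ips.clear()
        for descriptor in self.cleared_sites:
            if "*" not in descriptor:
                self.cleared_ips.update(resolve(descriptor))

    def handle_request(self, dst_ip, request):
        """Return 'direct', 'proxied' or 'blocked' for one HTTP request from a guest."""
        if dst_ip in self.cleared_ips:               # steps 302/304: firewall passes it through
            return "direct"
        host = parse_host_header(request)            # steps 306/308: controller reads Host
        if host is None or not host_is_cleared(host, self.cleared_sites):
            return "blocked"                         # step 312
        # Hardening not in the page's flowchart: clear dst_ip only when the DNS answer
        # for the matched name actually contains it, so that the Host header alone
        # (which the client supplies) never clears an unrelated destination.
        if dst_ip not in resolve(host):
            return "blocked"
        self.cleared_ips.add(dst_ip)                 # step 310: later traffic goes direct
        return "proxied"                             # step 314: this transaction is proxied


if __name__ == "__main__":
    garden = SmartWalledGarden(CLEARED_SITES)
    req = b"GET /tours HTTP/1.1\r\nHost: booking.tourcompany.example\r\n\r\n"
    print(garden.handle_request("203.0.113.5", req))   # proxied
    print(garden.handle_request("203.0.113.5", req))   # direct
    garden.rebuild_cleared_ips()                       # the daily purge forgets learned IPs
    print(garden.handle_request("203.0.113.5", req))   # proxied
```

Only the first transaction to a newly learned address passes through the controller; the address then sits on the cleared IP list until the next purge, which is what keeps the proxy load to one transaction per learned IP as the page describes. The DNS-binding check is where a production implementation would spend its attention, since the Host request-header is the one input in this flow that the guest device, not the administrator, controls.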
One advantage of the inventor's prior art smart walled garden system 100 is that administrators can allow all sub domains of an external website regardless of how many IP addresses are associated with these locations and without knowing in advance all the exact sub domains. Changes to the websites involving new or modified sub domains may also be handled automatically by the use of wildcards in the cleared sites list 124. Another advantage is that standard firewalls supporting dynamic rules can be used, which reduces complexity and cost because a single firewall can handle all its regular duties plus the walled garden system 100 duties. Standard DNS systems are also supported. If the IP address of a cleared website changes, the controller 114 will automatically add the new IP address to the cleared IP list 122 and the user will not be affected. Additionally, proxying is only performed by the controller 114 for the first HTTP request-response transaction for sites that match one of the websites on the cleared sites list 124. For subsequent transactions, the destination IP address of the allowed site will be on the cleared IP list 122 and HTTP traffic will therefore be transferred directly by the firewall 120. This is beneficial because performing proxy operations adds some load to the walled garden server 104, so the present inventor's prior art smart walled garden system 100 minimizes the load by requiring transparent proxying to be performed by the controller 114 only once per IP address that is newly added to the cleared IP list 122.