1. Field of the Invention
The invention relates to a content filtering system and more particularly to a system and method for controlling user access to a computer network using a content filtering router that filters requests for content by routing them based on their final destination addresses.
2. Description of the Related Art
The Internet is a loose network of networked computers spread throughout the world. Many of these networked computers serve content, such as Web pages, that is publicly accessible. This content is typically located through Internet addresses, such as www.company.com/info, which usually consist of the access protocol or scheme, such as HyperText Transport Protocol (http), the domain name (www.company.com), and optionally the path to a file or resource residing on that server (info). This Internet address is also known as a Uniform Resource Locator (URL). A Domain Name System (DNS) is then used to convert the domain name of a specific computer on the network into a corresponding unique Internet Protocol (IP) address, such as 204.171.64.2.
Typically, users access content in one of two ways. The first way is for the user to click on a Hyperlink. The Hyperlink links a displayed object, such as text or an icon, to a file addressed by a URL. The second way is for the user to enter a URL into a text or address box on an application layer such as a Graphical User Interface (GUI) of a file manager or an Internet browser, such as MICROSOFT'S INTERNET EXPLORER™, and click “Go” or press “Enter.” An application layer provides high-level set-up services for the application program or an interactive user. In the Open Systems Interconnection (OSI) communications model, the Application layer provides services for application programs that ensure that communication is possible. The Application layer is NOT the application itself that is doing the communication. It is a service layer that provides these services: (1) makes sure that the other party is identified and can be reached; (2) if appropriate, authenticates a sender, receiver, or both; (3) makes sure that necessary communication resources, such as a modem in the sender's computer, exist; (4) ensures agreement at both ends about error recovery procedures, data integrity, and privacy; and (5) determines protocol and data syntax rules at the application level.
OSI is a standard description or “reference model” for how messages should be transmitted between any two points in a telecommunication network. Currently, OSI is Recommendation X.200 of the ITU-TS, which is incorporated herein by reference. OSI divides telecommunication into seven layers. The layers are in two groups. The upper four layers are used whenever a message passes from or to a user. The lower three layers (up to the network layer) are used when any message passes through the host computer. Messages intended for this computer pass to the upper layers. Messages destined for some other host are not passed up to the upper layers but are forwarded to another host. The seven layers are: Layer 7 (the application layer)—the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified; Layer 6 (the presentation layer, sometimes called the syntax layer)—the layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another; Layer 5 (the session layer)—sets up, coordinates, and terminates conversations, exchanges, and dialogs between the applications at each end. It deals with session and connection coordination; Layer 4 (the transport layer)—manages end-to-end control and error-checking. It ensures complete data transfer; Layer 3 (the network layer)—handles routing and forwarding; Layer 2 (the data-link layer)—provides synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5. It furnishes transmission protocol knowledge and management; and Layer 1 (the physical layer)—conveys the bit stream through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier.
As the Internet grows in size and sophistication, more and more content is becoming accessible to users. This content can be easily accessed by anyone who has a client computer and Internet access. However, some of this content may be unsuitable or inappropriate for all Internet users. For example, violent or adult content may be inappropriate for children. Therefore, in some situations it is desirable to limit and/or control user access to such content. For example, businesses may want to restrict their employees from viewing certain content on the Internet. Likewise, parents may wish to block their children's access to violent or adult content on the Internet.
This restriction and/or control of user access to content on the Internet is otherwise known as content filtering. Content filtering allows a system administrator to block or limit content based on traffic type, file type, Web site, or some other category. For example, Web access might be permitted, but file transfers may not.
There have been numerous attempts to provide content filtering using special browsers. These special browsers and associated filtering programs typically screen content by word content, site rating, or URL. The software provider of the special browsers typically keeps a master list of objectionable content that must be periodically updated in the special browser or associated filtering program on the user's client computer.
However, many of these existing content filtering systems have a number of drawbacks. First, they need to be installed and configured on each and every client computer where controlled access is desired. Such installation and configuration can be time-consuming and inconvenient, and can require a basic understanding of computer hardware and software. Additionally, from time to time, the user may be required to install bug-fixes, patches, or updates to configure or maintain the filtering software. This is because additional content must be continually added to a list of restricted sites. Typically, this list must be periodically downloaded and installed by a user to his/her client computer. Moreover, the software and continually growing list of restricted sites may consume valuable client computer memory and CPU resources (especially for searching lengthy databases of disallowed sites), which, in some cases, may limit or affect overall client computer performance. What is more, many children are typically more computer savvy than their parents and often find ways to circumvent the content filtering software without their parents' knowledge.
Another approach to content filtering has been to place filtering software on a proxy server, so that entire networks connected to the proxy server can be filtered. The proxy server typically contains a list of restricted content that is periodically updated. However, each client computer connected to the proxy server must typically also include software that includes the filtering requirements appropriate for that particular client computer. Again, this requires software to be installed and configured for each client computer. This is not only time-consuming and inconvenient, but may consume much of a system administrator's time. If each client computer is not appropriately configured, users may be blocked from content that they should otherwise have access to. Conversely, children and other restricted users may be able to get access to inappropriate content using a particular client computer or alternative software that has not been configured to restrict such content.
In addition, conventional filtering can be bypassed. One method of bypassing conventional filtering is by a DNS/Hosts file bypass. Using this method, the IP address of an objectionable host is entered into the hosts file under another (unobjectionable) name. Another method of bypassing conventional filtering is by a local proxy bypass. Using this method, a user can run a proxy and type in all URLs as “http://UserLocation?target”, where “UserLocation” is the URL of the user's own computer and target is the destination site.
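The hosts-file bypass described above can be made concrete with a short audit, added here as an illustration and not taken from the patent. It contrasts a filter that looks only at the requested name with one that looks at the destination address; the names, addresses, block lists and function names are all constructed for the example.

```python
import ipaddress

# Constructed sample data: documentation address ranges and example names.
BLOCKED_NAMES = {"blocked.example"}                  # name-based filter list
BLOCKED_IPS = {ipaddress.ip_address("203.0.113.7")}  # address of blocked.example

HOSTS_FILE = """\
127.0.0.1     localhost
203.0.113.7   homework.example   # blocked host under another name
198.51.100.4  intranet.example
not-an-ip     broken.example
"""

def parse_hosts(text):
    """Return {name: ip} from hosts-file text, skipping comments and bad lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)  # keep first mapping per name
    return table

def name_filter_allows(name):
    """Conventional check: only the requested name is compared to the list."""
    return name.lower() not in BLOCKED_NAMES

def destination_filter_allows(ip):
    """Check on the final destination address, whatever name was typed."""
    return ip not in BLOCKED_IPS

def audit_hosts(text):
    """List hosts-file aliases that point at a blocked destination address."""
    return sorted((name, str(ip)) for name, ip in parse_hosts(text).items()
                  if ip in BLOCKED_IPS)

if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for name, ip in hosts.items():
        print(name, ip, name_filter_allows(name), destination_filter_allows(ip))
    print(audit_hosts(HOSTS_FILE))
```

The alias passes the name-based check but is caught both by the destination-address check and by the hosts-file audit, which is the gap the paragraph above points to.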
Conventional content filtering has several other limitations. For example, content filtering is provided on a computer-by-computer basis. Also, if a filter list is broad and attempts to provide heightened restrictions, appropriate content may be invariably filtered out along with inappropriate or blocked content. On the other hand, if the filter list is too narrow, inappropriate content is more likely to be accessible.
Therefore, a need exists for a content filtering system that is easily provisioned for one or more client computers with little or no user intervention, such as installation and configuration of software, or updating a list of filtered content, onto the user's client computer. Moreover, a need exists for a filtering system that cannot easily be circumvented, bypassed, tampered with, or disabled at the client computer level.