(12) Patent Application Publication    (10) Pub. No.: US 2003/0097590 A1
Syvanne                                (43) Pub. Date: May 22, 2003

(54) PERSONAL FIREWALL WITH LOCATION DEPENDENT FUNCTIONALITY

(76) Inventor: Tuomo Syvanne, Vantaa (FI)

Correspondence Address:
PILLSBURY WINTHROP, LLP
P.O. BOX 10500
MCLEAN, VA 22102 (US)

(21) Appl. No.: 09/988,356

(22) Filed: Nov. 19, 2001

Publication Classification

(51) Int. Cl. ................................................ G06F 11/30
(52) U.S. Cl. ............................................ 713/201; 709/223

(57) ABSTRACT
A computer device is provided with a local security mechanism, a personal firewall, for protecting the computer device from attacks from a foreign network, in addition to or instead of a firewall in the internal network which protects the computer when connected to a home network. The personal firewall is provided with different sets of security rules for the home network and for foreign networks. The personal firewall is arranged to detect its current location, i.e. to determine to which network it is connected at each particular moment. The personal firewall activates one of the given sets of security rules according to the detected current location of the computer device, i.e. the personal firewall automatically uses the security rules predefined for the network to which the computer device is connected at each particular moment. Upon detecting a change in the location, the personal firewall immediately adapts to use the security rules predefined for the new location.
`
[Front-page figure: the location verification flow diagram of FIG. 5 (steps 501 to 507), reproduced on Sheet 3 of 4.]
`Lenovo
`Ex. 1016 - Page 1
`
`
`
Patent Application Publication    May 22, 2003    Sheet 1 of 4    US 2003/0097590 A1

[FIG. 1, schematic block diagram of the exemplary network configuration. Labels recoverable from the drawing: laptops 1, 2, 3 and 4 (IP addr 1 to IP addr 4); firewalls 5, 6 and 7; DHCP server 9; private company network 10 (home); private company sub-network 11 (e.g. R&D); public Internet 12; private company network 13 (foreign); a location verification service.]

[FIG. 2, protocol stack of a computer device with a personal firewall: physical and network layers 200; personal firewall protection layer 201; upper layers 202 (e.g. TCP, IP, NetBEUI, IPX, applications); personal firewall application 203, with personal firewall management.]

[FIG. 3, selection rules, rule bases and the association between them:]

Selection rule                  Network                    Rule base
IP addr 1, 2, 3, 4              Home network               300  Allowed: http, https, SMTP, NetBEUI, IPX, NetBIOS disc-share for predefined servers. Denied: others.
(addresses of that network)     Foreign company network    301  Allowed: http, https, DNS, VPN with IPsec, SMTP. Denied: others.
Other IP addresses              Unidentified network       302  Default. Allowed: http, https, DNS, VPN with IPsec. Denied: others.
`
`
`
Patent Application Publication    May 22, 2003    Sheet 2 of 4    US 2003/0097590 A1

FIG. 4 (location-dependent rule base selection):
  401  Determine the current IP address.
  402  IP address changed? If no: end.
  403  Does the new IP address belong to one of the networks on the list?
  404  If no: select a default rule base; end.
  405  If yes: select the rule base linked to the IP address; end.

FIG. 9 (handling of log files):
       Create a log file.
  92   Determine the current location.
  93   Location in the home network? If yes: send the log file to a central log server; end. If no: store the log file locally and send it, with the other collected log files, to the central log server the next time the computer device is located in or connected to the home network; end.
`
`
`
Patent Application Publication    May 22, 2003    Sheet 3 of 4    US 2003/0097590 A1

FIG. 5 (location verification, personal firewall side; steps 501 to 507):
  501  Determine the current location on the basis of the currently used IP address.
       Select a predetermined network element which should be available for verification from the determined current location.
       Send to the network element a request to send a response with data proving its identity.
       Response received? If no: reject the location determined on the basis of the current IP address and use a default location; end.
       If yes: compare the received identity data with identity data stored in the computer device in order to verify the identity of the network element.
       Identity verified? If yes: verify the location determined on the basis of the current IP address; end. If no: reject the location determined on the basis of the current IP address and use a default location; end.

FIG. 6 (location verification, network element side):
  601  Receive from a personal firewall a request to send a response with identity data.
  602  Send the response with identity data to the personal firewall.

FIG. 8 (rule base updating, central management side):
  801  Receive a rule updating query from a personal firewall.
  802  Send updated rules, if any, to the personal firewall.
`
`
`
Patent Application Publication    May 22, 2003    Sheet 4 of 4    US 2003/0097590 A1

FIG. 7 (rule base updating, personal firewall side):
  701  Measure the updating period.
  702  Updating period expired? If no: back to 701.
  703  Location in the home network?
  704  If no: wait until the computer device returns to the home network or establishes a connection to it.
  705  Send a rule updating query to the central management.
  706  Rule updating received? If no: end.
  707  Update the rule bases stored in the computer device; end.
`
`
`
`US 2003/0097590 A1
`
`May 22, 2003
`
PERSONAL FIREWALL WITH LOCATION DEPENDENT FUNCTIONALITY
`
FIELD OF THE INVENTION
[0001] The present invention relates to network security and, more particularly, to personal firewalls.
`
BACKGROUND OF THE INVENTION
[0002] Traditionally, a firewall is considered a set of components forming a gateway between two or more networks. Thus, a firewall has been a gateway which operates at the same time as a connector and a separator between the networks, in the sense that the firewall keeps track of the traffic that passes through it from one network to another and restricts connections and packets that are defined as unwanted by the administrator of the system. Physically, a firewall is a machine with appropriate software to do the tasks assigned to it. It can be a router, a personal computer (PC), or any other device that can be used for such purposes. Although firewalls are mostly used to connect Local Area Networks (LANs), i.e. internal networks, to the Internet and to protect against attackers or undesired traffic in general, they may also be used to separate and connect different segments of an internal network for security purposes. The advantages of having a firewall are numerous. A firewall secures the network and can be used as a tool for monitoring the traffic, especially from the outside to the inside of the network guarded by the firewall. Because all traffic intended for the internal network must pass through the firewall, most of the network security actions and policies can be concentrated at this particular point. This is of course a cost and administrative advantage.
[0003] Nowadays, laptop computers and other portable computer devices are widely used. While outside the internal network, the laptop cannot benefit from the protection provided by the conventional "gateway-type" firewall. Therefore, approaches to improve the security of a client located in a foreign network (a public network or an internal network of a foreign organisation) have been proposed. These approaches are based on protecting the laptop itself by means of a local security mechanism, called a personal firewall herein, installed in the laptop (in addition to or instead of a firewall in an internal network, which protects the computers connected to the internal network). The personal firewall may be implemented as software installed in the computer device, or as a separate electronic device connected to the computer device.
[0004] European patent application EP 0 952 715 discloses a firewall security device connected to an external communication port of a computer device. The incoming communications stream to the computer device from e.g. public networks is passed through the firewall security device. The firewall device applies standard security measures, thereby protecting the computer device.
[0005] There is a particular need for such protection by means of a personal firewall if the laptop is allowed to have remote access, e.g. to make a VPN (Virtual Private Network) connection to the company network while being connected to a foreign network. In order to improve the security of VPN connections, one prior art solution is to enforce a protection level on the laptop when a VPN tunnel to a company network is created. This means, for example, that during a VPN connection IP forwarding is not allowed, or that any connection attempts to the laptop are denied.
[0006] Clearly this is not enough, since the laptop must be protected as soon as it is connected to a foreign network, not only during a VPN connection. Laptops are often used by non-technical people, which increases the risk of overlooking security aspects. Laptops contain sensitive material, such as customer emails. If a laptop is unprotected when connected to a foreign network, even for a short period of time, there is a risk of it getting infected by a hostile application. Such an application can be activated later, when the laptop is connected to an internal network, and offer inside help for attacks.
[0007] Thus, there is a need to protect the laptop by means of a personal firewall whenever the laptop is connected to a foreign network. However, when the laptop is connected to a company internal network, such a personal firewall may unduly prevent some essential traffic. For example, the personal firewall should allow use of the laptop in the home (internal) network with access to all services, such as disk share. In a home network even non-IP protocols are sometimes used. Therefore, it is not feasible to have a personal firewall running at all times, at least not with the same configuration, since the protection needs in an internal network are different from those in a foreign network.
[0008] Some of the current solutions allow changing the set of rules used in the personal firewall, that is, they allow the user of the laptop to use different rule sets when connected to the internal network and when connected to a foreign network. However, this is a manual operation. Since manual action is required, there is a high risk that the operation is not done. The risk is even higher if the end user does not fully understand the need for a firewall.
`
`SUMMARY OF THE INVENTION
[0009] An object of the invention is to improve the security and flexibility of a personal firewall.
[0010] A computer device which can be connected to a home network (such as an internal network of a company or other organisation where the user is employed) and to a foreign network (such as a public network or an internal network of a foreign organisation) is provided with a local security mechanism, called a personal firewall herein, for protecting the computer device from attacks from a foreign network, in addition to or instead of a firewall in the internal network which protects the computer when connected to the internal network. The personal firewall is provided with different sets of security rules, at least one set of rules for the home network and at least one set of rules for foreign networks. In its simplest form, the set of rules for the home network contains no restrictions on communication or use of services in the home network. The personal firewall is arranged to detect its current location, i.e. to determine the network to which it is connected at each particular moment. The personal firewall activates one of the given sets of security rules according to the detected current location of the computer device, i.e. the personal firewall automatically uses the security rules predefined for the network to which the computer device is connected at each particular moment. Upon detecting a change in the location, the personal firewall immediately adapts to use the security rules predefined for the new location. A benefit of the invention is that the protection of a personal firewall is always enabled at the correct level, depending on the current location. On the other hand, when the computer device is located in the home network, a lower level of protection, or no protection at all, can be automatically provided by the personal firewall, so that communication and services are not unduly restricted in the home network. Thus, the automated location-dependent management of different sets of rules offers optimal protection in different networks, while not unduly restricting operation in the home network.
`0.011
`The current location of the computer device is
`preferably determined on the basis of a currently used IP
`address of the computer device. This is based on the
`common practice that a computer device has a different IP
`address, either a fixed address or a dynamic address, in
`different networks. The IP address can thereby be utilized for
`identifying the current network and the location of the
`computer device.
[0012] However, there are situations where the IP address fails to indicate the current location of the computer device. Therefore, in an embodiment of the invention, the current location determined on the basis of the current IP address of the computer device is verified by carrying out an additional location verification procedure with a predetermined network element. In a still further embodiment of the invention, the availability of said predetermined network element related to the current IP address is checked. The predetermined network element is such that it responds only if the computer device is located in the network in which it is assumed to be on the basis of the current IP address. If the predetermined network element responds and identifies itself properly, the current location determined on the basis of the current IP address is considered verified. Otherwise the computer device determines that the current IP address fails to indicate its current location. The additional verification process even makes it possible to automatically create a secured tunnel, such as a VPN tunnel, to the home network when the computer device uses the same IP address in the current location as in the internal (home) network. The present invention offers benefits even with stand-alone personal firewalls, wherein the security rules are defined locally by the user, although the use of these rules is automated and location-dependent. However, more advantages are achieved when the basic invention is used with central management of personal firewalls.
[0013] According to an aspect of the invention, security rules are defined, updated and distributed centrally by a centralized rule base server. Especially the updating of the rules is challenging, because rule updates must be applied as soon as possible, and therefore the process of updating rules in the personal firewalls must be automated. Updating of rules by a push method from the centralized rule base server is not a sufficient option in this case. Use of DHCP (Dynamic Host Configuration Protocol), frequent travelling and the fact that at times the laptop may not be connected to any network make it next to impossible for the centralized management to initiate contacts with the personal firewalls in the computer devices, because there is no way for the centralized management to know the IP address the computer device is using at a given moment. Therefore, according to an aspect of the invention, the personal firewall is configured to periodically query the availability of updated security rules from the centralized management. The queries should only be made while the computer device is located in the home network or, optionally, when the computer device has remote access (e.g. a VPN connection) to the home network while being located in a foreign network. In other words, the updating process is also dependent on the current location of the computer device, in a similar manner as the selection of the active rules, and similar methods can be utilized for determining the current location.
[0014] According to another aspect of the invention, log files containing information on the status and usage of resources of the computer device are handled in a centralized management location. This enables personnel aware of security aspects to verify whether there have been any attacks against the computer device. To that end, the personal firewall sends the log files to the central management, such as a centralized log server, when the computer device is located in the home network. However, when the computer device is disconnected from the home network, the log files are collected and stored locally in the firewall. In order to enable central handling of the log files, the personal firewall transfers the collected log files to the central log server when such a server is available. This is performed automatically whenever the computer device is located in, or optionally connected to, the home network. Again, the handling of the log files in the personal firewall is automated and location dependent in a way similar to the selection of active rules, and similar methods can be used for determining the current location of the computer device.
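The location-gated rule updating of FIGS. 7 and 8 and the location-gated log handling of FIG. 9, written out together as an added example (not code from the patent application). The central management is simulated in-process, and the update period, the rule version numbers, the rule contents and the log entries are constructed values; the `PersonalFirewallAgent` and `CentralManagement` classes are assumptions made for illustration. The agent only contacts the central management when it is located in the home network or has remote access to it; while away, log entries are spooled locally and an expired updating period stays pending until the home network is reachable again.

```python
"""Location-gated rule updating (FIG. 7/8) and log handling (FIG. 9).

Added example, not the patent's code. The central management is simulated
in-process; periods, versions, rules and log entries are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class CentralManagement:
    """Centralized rule base server and log server (FIG. 8, steps 801 and 802)."""
    rules_version: int = 1
    rules: dict = field(default_factory=lambda: {"302": ["http", "https", "dns", "ipsec-vpn"]})
    received_logs: list = field(default_factory=list)

    def rule_updating_query(self, client_version):
        """801: receive the query; 802: send updated rules, if any (else None)."""
        if client_version < self.rules_version:
            return self.rules_version, dict(self.rules)
        return None

    def receive_logs(self, entries):
        self.received_logs.extend(entries)


class PersonalFirewallAgent:
    """Personal firewall side of FIG. 7 and FIG. 9 (assumed structure)."""

    def __init__(self, management, update_period):
        self.management = management
        self.update_period = update_period
        self.last_query_time = None   # start of the current updating period (701)
        self.rules_version = 0
        self.rules = {}
        self.local_logs = []          # log files collected while away from home
        self.location = "unidentified"
        self.remote_access = False    # e.g. a VPN tunnel to the home network

    def home_reachable(self):
        """Located in the home network or, optionally, with remote access to it."""
        return self.location == "home" or self.remote_access

    def set_location(self, location, remote_access=False):
        """Location change as detected by the firewall; flushes spooled logs on return."""
        self.location = location
        self.remote_access = remote_access
        if self.home_reachable() and self.local_logs:
            # FIG. 9: forward everything collected since the last home contact
            self.management.receive_logs(self.local_logs)
            self.local_logs = []

    def log(self, entry):
        """FIG. 9: send directly while home is reachable, otherwise store locally."""
        if self.home_reachable():
            self.management.receive_logs([entry])
        else:
            self.local_logs.append(entry)

    def tick(self, now):
        """One pass of FIG. 7. Returns True when the rule bases were updated."""
        if self.last_query_time is not None and now - self.last_query_time < self.update_period:
            return False                                   # 701/702: period not expired
        if not self.home_reachable():
            return False                                   # 703/704: wait for the home network
        update = self.management.rule_updating_query(self.rules_version)  # 705
        self.last_query_time = now                         # the period restarts after a query
        if update is None:
            return False                                   # 706: no update available
        self.rules_version, self.rules = update            # 707: store the updated rule bases
        return True


if __name__ == "__main__":
    cm = CentralManagement()
    agent = PersonalFirewallAgent(cm, update_period=60)
    agent.set_location("foreign")
    agent.log("blocked inbound NetBEUI")          # spooled locally
    print("updated while away:", agent.tick(0))   # False, waits for home
    agent.set_location("home")                    # spooled logs delivered
    print("updated at home:", agent.tick(0), "version", agent.rules_version)
    print("logs at central server:", cm.received_logs)
```

Note that the period check and the reachability check are independent: an update that became due while the laptop was on a foreign network is fetched at the first tick after it is back home, rather than being lost until the next full period.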
[0015] The present invention allows use of a computer device in a home (internal) network with access to all services, such as disc share, and even use of non-IP protocols, which are often denied in foreign networks.
BRIEF DESCRIPTION OF THE DRAWINGS
[0016] Preferred embodiments of the invention will now be described with reference to the attached drawings, in which
[0017] FIG. 1 is a schematic block diagram of an exemplary network configuration where the present invention can be applied;
[0018] FIG. 2 shows an exemplary protocol stack of a computer device containing a personal firewall according to the present invention;
[0019] FIG. 3 illustrates exemplary selection rules and security rule bases, and the association therebetween;
[0020] FIG. 4 is a flow diagram illustrating a location-dependent rule base selection according to an embodiment of the invention;
[0021] FIGS. 5 and 6 are flow diagrams illustrating the location verification procedure according to an embodiment of the invention;
[0022] FIGS. 7 and 8 are flow diagrams illustrating the rule base updating according to an embodiment of the invention; and
[0023] FIG. 9 is a flow diagram illustrating the handling of log files according to an embodiment of the invention.
PREFERRED EMBODIMENTS OF THE INVENTION
[0024] The present invention can be applied in personal firewalls in any computer device which can be moved and connected to different networks. Typically such devices are portable computer devices, such as laptop computers, PDAs, communicators, smart phones, intelligent telecommunication devices, etc. In the following illustrative embodiments of the invention, a laptop computer is used as an example of suitable computer devices.
`0.025
`FIG. 1 shows a schematic block diagram of an
`exemplary network configuration. The configuration is
`shown only to facilitate the understanding and description of
`the present invention. The present invention is not intended
`to be restricted to any particular network configuration.
`Further, in order to improve clarity, only network elements
`which are somehow involved with the present invention are
`shown in FIG. 1.
[0026] As illustrated in FIG. 1, private local networks 10 and 13 are coupled to a public network, such as the Internet 12, via firewalls 5 and 7, respectively. Naturally, the coupling between the private networks and the public Internet 12 may also include routers and Internet service providers (ISPs, not shown in FIG. 1). As is well known in the art, private networks 10 and 13 may be, for example, company networks, such as local area networks (LANs) which connect the users and resources of the company, such as workstations, servers, printers and the like. A private internal network may also consist of several sub-networks separated by internal firewalls. In the exemplary network configuration shown in FIG. 1, the private company sub-network 11 is connected via a firewall 6 to the private local network 10. Such a sub-network 11 may be, for example, a dedicated network for a specific department of the organisation, such as the research and development (R&D) department, which must have restricted access and a higher protection level compared with other parts of the company network. Sub-networks of the company, such as the local networks of the organisation's headquarters and branch offices, may be interconnected by secure connections, such as a virtual private network (VPN).
[0027] As already described above, the firewalls 5, 6 and 7 are gateways which operate at the same time as connectors and separators between the networks, in the sense that the firewall keeps track of the traffic that passes through it from one network to another and restricts connections and packets that are defined as unwanted by the administrator of the system. Physically, a firewall is a machine with appropriate software to perform the task assigned to it. It can be a router, a personal computer (PC), or whatever else can be used for such purposes.
[0028] However, the firewalls between the networks, or the implementations thereof, are not relevant to the present invention.
[0029] The present invention relates to protecting the computer device, e.g. the laptop itself, by means of a local security mechanism, called a personal firewall herein, installed on the laptop in addition to or instead of a firewall in a private network. The personal firewall may be implemented as software installed and run in the computer device, which is a preferred embodiment, or as a separate electronic device connected to the computer device. In FIG. 1, the laptops 1, 2, 3 and 4 illustrate laptops provided with a personal firewall.
[0030] FIG. 2 illustrates the basic principle of a personal firewall installed in a laptop. Physical and network layers 200 refer to all protocols and physical connections required for transferring protocol data units (PDUs) of the upper layers. The upper layers 202 include applications and any transmission protocols employed, such as Internet protocol (IP), transmission control protocol (TCP), NetBEUI, IPX, etc. Basically, the personal firewall protection layer 201 operates in a manner analogous to a firewall between networks. More particularly, the personal firewall protection layer 201 operates at the same time as a connector and a separator between the underlying layers and the upper layers, in the sense that the personal firewall keeps track of the traffic that passes through it from the underlying layers to the upper layers, and vice versa, and restricts connections and packets that are defined as unwanted according to the security rules in use. The personal firewall protection layer 201 is implemented or controlled by a personal firewall application 203 run in the laptop. In a preferred embodiment of the invention, the personal firewall application 203 carries out the location detection and the location-dependent functions described below, such as the selection of the active rule base according to the current location of the laptop. However, it should be appreciated that the present invention is not intended to be restricted to any specific practical implementation of the personal firewall.
[0031] In accordance with the principles of the present invention, the personal firewall has different sets of rules for the home network (such as the private company network 10) and for foreign networks, such as the public Internet 12, the foreign private network 13, or a network of another department of the company. It is not relevant to the present invention what kind of security rules are applied, but some examples are given in FIG. 3. For example, a rule base 301 for the foreign company network may list as allowed connections the protocols hypertext transfer protocol (http), secured http (https), domain name system (DNS), simple mail transfer protocol (SMTP) and a VPN connection with IPsec. In the preferred embodiment of the invention these rules are exclusive; in other words, other protocols and connections are denied and blocked by the personal firewall. For a default network, which may be the public Internet 12, the rule base 302 is similar to the rule base 301, except that the SMTP protocol is no longer allowed. For the home network 10, a rule base 300 is defined. The allowed protocols include, in addition to http, https and SMTP, also other transmission protocols, such as NetBEUI and IPX. The rule base 300 also allows a disc share for predefined servers using NetBIOS. Other protocols and connections are denied. It is also possible that the rule base 300 allows all protocols and connections in the home network. Since the home network is protected by a company firewall, the use of a personal firewall in the home network may be regarded as unnecessary. However, the company firewall gives protection only against attacks from outside the home network, and personal firewall protection may be necessary for protecting against attacks from within the home network.
[0032] The different rule bases could be activated manually by a user. However, according to the basic principle of the present invention, the personal firewall automatically selects and activates the proper rule base according to the current location of the laptop.
[0033] FIG. 4 is a flow diagram illustrating the selection of the rule base according to one embodiment of the present invention. The simplest way to determine the current location of the laptop is to do it on the basis of the currently used IP address only. This is possible in the cases where the laptop has a different IP address, either a fixed or a dynamic address, in different networks. As is well known in the art, a part of the IP address identifies the network, and can thus be used for detecting the current network of the laptop. The personal firewall may, for example, contain information on the IP address space of the home network and, optionally, of foreign networks, or a list of addresses available for the laptop in the home network.

[0034] When the current IP address of the laptop matches a given address space or a list of addresses of the home network 10, for example, it can be assumed that the laptop is located in the home network 10, and the rule base 300 of the home network 10 is used. Thus, the current IP address is used as a selection rule for activating the rule base 300. However, there is some uncertainty in determining the location based on the current IP address only, and some approaches to overcome this problem are described with reference to further embodiments of the invention below.
`0.035
`Referring again to the generic flow diagram shown
`in FIG. 4, the current IP address of the laptop is firstly
`determined in the step 401. The current IP address may be
`obtained Simply by asking for it from the operating System
`of the laptop by means of using IP configuration routine. The
`current location of the laptop is monitored constantly, and
`therefore the personal firewall may be configured to peri
`odically query the current IP address from the operating
`System. More preferably, the operating System of the laptop
`may be configured to inform any changes in the IP address
`to the personal firewall, and therefore a need for query the
`IP address time-to-time can be avoided. The step 401 may
`also include Verification of the location determined based on
`the IP address by a verification procedure described below.
`In step 402, the personal firewall compares the current IP
`address with the current IP address stored in the personal
`firewall. If the IP address has not changed, the present active
`rule base can be maintained. However, if the IP address has
`changed, the personal firewall checks whether the new IP
`address matches to any IP address space or IP address
`belonging to one of the networks on the Selection rule list in
`the personal firewall (step 403). If the new IP address does
`not belong to any of the networks on the Selection rule list,
`the personal firewall considers the current network an uni
`dentified network, and a default rule base 302 is selected
`(step 404). If the network cannot be identified and the
`default rule base must be used, it is normally assumed that
`the laptop is in a potentially hostile environment, most likely
`in the public Internet 12. Therefore, the default rule base is
`typically defined to provide the maximum protection
`needed. If the new IP address belongs to one of the networks
`defined on the selection rule list in step 403, it means that the
`network has been identified and a rule base linked to the
`identified network (or the corresponding Selection rule) is
`selected and activated (step 405). In the simplest implemen
`tation, the Selection rules include only the home network of
`the laptop and the corresponding IP address Space or list of
`addresses. If the current IP address belongs to the home
`network, the rule base 300 of the home network 10 is used.
`Otherwise the rule base 310 for foreign network or the
`default rule base 302 is used. In a more complicated imple
`mentation, there are Selection rules (i.e. IP addresses and
`
`associated rule bases) also for at least one foreign network
`and/or different segments of the home network 10.
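The selection logic of FIG. 4, with the three rule bases of FIG. 3, written out as an added example (not code from the patent application). The address spaces, the address list, the service names and the `PersonalFirewall` class are assumptions made for illustration. A selection rule is either an address space or an explicit list of addresses available to the laptop in that network, as described above, and the rule bases are exclusive: a service absent from the active rule base is denied. The rule base is only re-selected when the reported address differs from the stored one (step 402), and an address matching no selection rule falls back to the default rule base 302.

```python
"""Location-dependent rule base selection following FIG. 3 and FIG. 4.

Added example, not code from the patent application. The address spaces,
the address list, the service names and the three rule bases are
constructed to match the figures.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleBase:
    name: str
    allowed: frozenset  # exclusive rules: every service not listed here is denied


# Rule bases 300, 301 and 302 as given in FIG. 3.
RULE_BASE_300 = RuleBase("300 home network",
                         frozenset({"http", "https", "smtp", "netbeui", "ipx", "netbios-share"}))
RULE_BASE_301 = RuleBase("301 foreign company network",
                         frozenset({"http", "https", "dns", "smtp", "ipsec-vpn"}))
RULE_BASE_302 = RuleBase("302 default (unidentified network)",
                         frozenset({"http", "https", "dns", "ipsec-vpn"}))

# Selection rules: an address space (ip_network) or an explicit list of the
# addresses available to the laptop in that network, each linked to a rule
# base. Constructed values standing in for home network 10 and foreign
# company network 13.
SELECTION_RULES = [
    (ipaddress.ip_network("10.1.0.0/16"), RULE_BASE_300),
    ([ipaddress.ip_address("10.2.0.41"), ipaddress.ip_address("10.2.0.42")], RULE_BASE_300),
    (ipaddress.ip_network("192.0.2.0/24"), RULE_BASE_301),
]


def matches(selection_rule, ip):
    """True if ip lies in the rule's address space or address list.
    `in` does the right thing for both an ip_network and a list of addresses."""
    return ip in selection_rule


class PersonalFirewall:
    """Steps 401 to 405 of FIG. 4, driven by reports of the current address."""

    def __init__(self, selection_rules, default=RULE_BASE_302):
        self.selection_rules = selection_rules
        self.default = default
        self.current_ip = None   # address stored for the step 402 comparison
        self.active = default    # no address known yet: maximum protection

    def select_rule_base(self, ip):
        """Steps 403 to 405: first matching selection rule wins, else the default."""
        for selection_rule, rule_base in self.selection_rules:
            if matches(selection_rule, ip):
                return rule_base
        return self.default

    def on_address(self, ip_str):
        """Step 401: the current address, queried or pushed by the OS.
        Returns True if the active rule base was switched."""
        ip = ipaddress.ip_address(ip_str)
        if ip == self.current_ip:   # step 402: unchanged, keep the present rule base
            return False
        self.current_ip = ip
        new_rule_base = self.select_rule_base(ip)
        switched = new_rule_base != self.active
        self.active = new_rule_base
        return switched

    def permits(self, service):
        """Exclusive semantics: anything not in the active rule base is denied."""
        return service in self.active.allowed


if __name__ == "__main__":
    fw = PersonalFirewall(SELECTION_RULES)
    for addr in ("10.1.5.7", "10.1.5.7", "203.0.113.9", "192.0.2.40", "10.2.0.42"):
        switched = fw.on_address(addr)
        print(f"{addr:>12} -> {fw.active.name:<36} switched={switched}"
              f" netbeui={fw.permits('netbeui')} smtp={fw.permits('smtp')}")
```

As the text notes for NAT and hostile DHCP servers, the address alone is not proof of location; a deployment that switches to the permissive rule base 300 on this check only should make that switch conditional on the verification procedure of FIG. 5 succeeding.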
[0036] In the examples described above there are two or more rule bases which are enabled or disabled on the basis of the current location of the laptop. However, there are also alternative ways to implement different rule bases. One alternative is to provide only one rule base in which the rules are enabled and disabled in different combinations on the basis of the current location of the laptop.
[0037] As noted above, there are situations where the location (the current network) determined on the basis of the current IP address is uncertain, i.e. the IP address fails to indicate the current location of the laptop. If the IP address does not match the current network, an attack against the laptop using the Internet protocol (IP) is not likely, and one might reason that in that case a personal firewall does not need to be used. However, there is still the possibility of an attack using other protocols, such as NetBEUI or IPX. By detecting the situation where the IP address of the laptop is not an IP address of the current network, it is possible to block such protocols while in foreign networks. Further, NAT (network address translation) and private IP addresses are frequently used. This means that the same IP address is in use in several networks. In that case it is not enough to trust IP address information only when determining the location of the laptop. It is even possible that, while the laptop is connected to a hostile network, the DHCP (dynamic host configuration protocol) server gives it a familiar IP address to make it easier to attack the laptop. Basically, DHCP enables individual computers on a network to connect to a DHCP server, such as the server 9 in FIG. 1, and be assigned a dynamic IP address of the current network.
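The location verification procedure of FIGS. 5 and 6, as an added example (not code from the patent application). The application only says that the network element answers a request with data proving its identity and that the personal firewall compares that data with identity data stored in the computer device; the example assumes a keyed challenge-response (HMAC-SHA256 over a fresh random challenge, with a key pre-shared between the device and the element), so that a hostile network which hands out a familiar address, places an impostor at the element's address, or replays an answer captured earlier in the real home network is rejected and the default location is used. The addresses, the keys, the simulated transport and the function and class names are constructed for illustration.

```python
"""Location verification with a predetermined network element (FIG. 5 / FIG. 6).

Added example, not the patent's code. The HMAC challenge-response, the
pre-shared keys, the addresses and the simulated transport are assumptions.
"""
import hashlib
import hmac
import secrets

DEFAULT_LOCATION = "unidentified"

# Identity data stored in the computer device (constructed): for each location
# the IP address may indicate, the element that must be reachable there and
# the key it is expected to prove possession of.
VERIFICATION_ELEMENTS = {
    "home": {"address": "10.1.0.5", "key": b"home-element-key"},
    "foreign company": {"address": "192.0.2.5", "key": b"foreign-element-key"},
}


def identity_proof(key, challenge):
    """Identity data = HMAC-SHA256 over the firewall's challenge (assumed scheme)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class NetworkElement:
    """Network element side, FIG. 6: receive the request (601) and answer it (602)."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return identity_proof(self.key, challenge)


def verify_location(candidate, send_request, challenge=None):
    """Personal firewall side, FIG. 5.

    candidate:    location determined from the current IP address (step 501)
    send_request: callable(element_address, challenge) -> response bytes, or
                  None when no response arrives before the timeout
    Returns the verified location, or DEFAULT_LOCATION when verification fails.
    """
    element = VERIFICATION_ELEMENTS.get(candidate)            # select the element
    if element is None:
        return DEFAULT_LOCATION                                # nothing to verify against
    challenge = challenge or secrets.token_bytes(16)           # fresh per attempt
    response = send_request(element["address"], challenge)    # request identity data
    if response is None:                                       # no response
        return DEFAULT_LOCATION                                # reject, use default
    expected = identity_proof(element["key"], challenge)       # compare with stored data
    if hmac.compare_digest(expected, response):                # constant-time compare
        return candidate                                       # location verified
    return DEFAULT_LOCATION


def make_transport(reachable):
    """Simulated network: addresses reachable from the current network and the
    element answering at each. Anything else times out (None)."""
    def send_request(address, challenge):
        element = reachable.get(address)
        return element.respond(challenge) if element else None
    return send_request


# Scenario 1: really in the home network, the genuine element answers.
HOME_NET = make_transport({"10.1.0.5": NetworkElement(b"home-element-key")})

# Scenario 2: hostile network whose DHCP hands out a home-looking address;
# the home element simply is not there.
HOSTILE_EMPTY = make_transport({})

# Scenario 3: hostile network with an impostor at the home element's address.
HOSTILE_IMPOSTOR = make_transport({"10.1.0.5": NetworkElement(b"guessed-key")})


def replaying_transport(captured_response):
    """Scenario 4: an attacker replays a response captured in the real home network."""
    return lambda address, challenge: captured_response


if __name__ == "__main__":
    print("home network:        ", verify_location("home", HOME_NET))
    print("hostile, no element: ", verify_location("home", HOSTILE_EMPTY))
    print("hostile, impostor:   ", verify_location("home", HOSTILE_IMPOSTOR))
    captured = HOME_NET("10.1.0.5", b"old-challenge")
    print("hostile, replay:     ", verify_location("home", replaying_transport(captured)))
```

A static identity string would satisfy the comparison step as written but could be recorded once and replayed from any network that hands out the same address; binding the answer to a per-attempt challenge means an element can only pass the check while it holds the key. Whether the check should run only on an address change or on every rule base switch is a deployment choice the text leaves open.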
[0038] Thus, according to an aspect of the invention, in
`addition to the detection of location based on the current IP
`address described above, a further l