Patents by Inventor Gerardo Diaz-Cuellar
Gerardo Diaz-Cuellar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 8201234Abstract: Computer-readable medium having a data structure stored thereon for defining a schema for expressing a network security policy. The data structure includes a first data field including data defining a parameter to be applied based on the network security policy. The network security policy defines at least one of the following: a firewall rule and a connection security rule. The data structure also includes a second data field having data specifying restrictions of the parameter included in the first data field. The parameter in the first data field and the restrictions in the second data field form the schema for expressing the network security policy to be processed. The network security policy manages communications between a computing device and at least one other computing device.Type: GrantFiled: May 9, 2007Date of Patent: June 12, 2012Assignee: Microsoft CorporationInventors: Gerardo Diaz-Cuellar, David Abzarian, Lokesh Srinivas Koppolu, Eran Yariv
-
Patent number: 8166534Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.Type: GrantFiled: May 18, 2007Date of Patent: April 24, 2012Assignee: Microsoft CorporationInventors: Eran Yariv, Gerardo Diaz Cuellar, David Abzarian
-
Patent number: 8099774Abstract: The dynamic updating of firewall parameters is described. One exemplary embodiment includes receiving a policy rule that includes a reference to a predefined container that specifies a permissible value range of at least one firewall parameter allowable under the policy rule, receiving a firewall parameter value, and populating the predefined container with the firewall parameter value if the firewall parameter value is within the permissible value range, thereby updating the policy rule.Type: GrantFiled: October 30, 2006Date of Patent: January 17, 2012Assignee: Microsoft CorporationInventors: David Abzarian, Gerardo Diaz Cuellar, Eran Yariv
-
Patent number: 7941838Abstract: A networked computer with a software firewall that may be configured for any of a number of network contexts may be quickly configured with an appropriate set of rules for a current network context. The computer has multiple profiles, each containing rules applicable to a different network context. When a change in network context is detected, a difference between the profile for the current context and the profile with which the firewall was previously configured is determined. These differences are applied to quickly reconfigure the firewall without blocking, even temporarily, communications that are allowed in the previously configured and current profiles. Additionally, when the networked computer is connected to multiple networks simultaneously, an appropriate profile may be selected.Type: GrantFiled: August 10, 2007Date of Patent: May 10, 2011Assignee: Microsoft CorporationInventors: Gerardo Diaz Cuellar, David Abzarian
-
Patent number: 7836495Abstract: A proxy service receives requests from a remote caller to configure a main service. The proxy service authenticates the caller and validates the request. The proxy service then passes the request along to the main service if the caller can be authenticated and if the request can be validated. The proxy service runs at a non-privileged level, but when the proxy service passes the request to the main service, the proxy service impersonates the caller so that the request to the main service is made at the original caller's level of privilege. The main service can block all inbound network traffic, since network requests to configure the main service are received by the proxy, which is a local object from the perspective of the main service. Additionally, the proxy can block inbound traffic other than a certain class of requests (e.g., Remote Procedure Calls).Type: GrantFiled: July 28, 2006Date of Patent: November 16, 2010Assignee: Microsoft CorporationInventors: Gerardo Diaz-Cuellar, Eran Yariv, David Abzarian
-
Publication number: 20100107240Abstract: A client computer that supports different behaviors when connected to a private network behind a network firewall than when outside the network firewall and connected indirectly through an access device. The client computer is configured to attempt communication with a device on the network. Based on the response, the client computer can determine that it is behind the network firewall, and therefore can operate with less restrictive security or settings for other parameters appropriate for when the client is directly connected to the network. Alternatively, the client computer may determine that it is indirectly connected to the network through the Internet or other outside network, and therefore, because it is outside the private network firewall, should operate with more restrictive security or settings of other parameters more appropriate for use in that network location.Type: ApplicationFiled: January 22, 2009Publication date: April 29, 2010Applicant: Microsoft CorporationInventors: David Thaler, Rob M. Trace, Deon C. Brewis, Arun K. Buduri, Bill Begorre, Scott Roberts, Srinivas Raghu Gatta, Gerardo Diaz Cuellar
-
Publication number: 20090063584Abstract: Versioning management provides for efficient and effective handling of varying policy versions, client versions and client platform versions in one system. Software version negotiation provides for simplified, secure policy management in an environment supporting varying versions of the same software product. In conjunction with parameter stripping, which resolves differences among varying minor versions of a software policy, software version negotiation allows for management tools of one version to manage client software, clients and/or client platforms of another version. Policy schema translation, in conjunction with parameter stripping as needed, provides a mechanism for converting policies that normally would be impossible to interpret on varying clients and/or client platforms to policy versions that can be understood by these clients and/or client platforms.Type: ApplicationFiled: August 31, 2007Publication date: March 5, 2009Applicant: Microsoft CorporationInventors: David Abzarian, Gerardo Diaz Cuellar
-
Publication number: 20090007251Abstract: A host firewall can determine and consider whether unsolicited traffic is inbound from beyond the edge of the network and allow or block such traffic based at least in part upon this characteristic. In one implementation, an edge traversal parameter can be set on a host firewall rule, which typically includes other parameters such as port, protocol, etc. If the unsolicited traffic received via an edge traversal interface matches a host firewall rule that has the edge traversal criterion, then the firewall does not block the traffic. On the other hand, if the unsolicited traffic received via an edge traversal interface fails to satisfy the edge traversal criterion on any firewall rule, then the firewall blocks the traffic.Type: ApplicationFiled: June 26, 2007Publication date: January 1, 2009Applicant: Microsoft CorporationInventors: David Abzarian, Michael R. Surkan, Salahuddin C.J. Khan, Amit A. Sehgal, Eran Yariv, Emanuel Paleologu, Gerardo Diaz Cuellar
-
Publication number: 20090007219Abstract: Embodiments of the invention described herein are directed to a mechanism for determining whether at least one operation will be effective in view of at least one security policy. In exemplary implementations, determining whether at least one operation will be effective in view of at least one security policy may comprise determining a merged security policy for a computer system by merging security policies for the computer system from two or more sources. The security policies may be security policies set by a user and/or an administrator of the computer system, may be security policies of a computer network to which the computer system is connected, or may be security policies of one or more other computer systems that are above the computer system in a computer network hierarchy.Type: ApplicationFiled: June 28, 2007Publication date: January 1, 2009Applicant: Microsoft CorporationInventors: David Abzarian, Gerardo Diaz Cuellar, Mark Vayman, Eran Yariv
-
Publication number: 20090006847Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filter communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.Type: ApplicationFiled: June 28, 2007Publication date: January 1, 2009Applicant: Microsoft CorporationInventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
-
Publication number: 20080289027Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.Type: ApplicationFiled: May 18, 2007Publication date: November 20, 2008Applicant: Microsoft CorporationInventors: Eran Yariv, Gerardo Diaz Cuellar, David Abzarian
-
Publication number: 20080289026Abstract: Embodiments of the invention are directed to a firewall installer that receives a set of configuration instructions for configuring a firewall in a declarative format that describes one or more rules to be implemented by the firewall, and that automatically configures the firewall. Providing a firewall installer that is capable of configuring a firewall based upon declarative input rather than procedural process-oriented input facilitates administration of a firewall by allowing an administrator to specify desired firewall configuration at a higher, declarative level and frees the administrator from the need to specify procedures for implementing configuration changes in the firewall. In one embodiment of the invention, the firewall installer can receive and store input for configuring a firewall even when the firewall is not running, such that the firewall executes on those configuration changes when it next comes online.Type: ApplicationFiled: May 18, 2007Publication date: November 20, 2008Applicant: Microsoft CorporationInventors: David Abzarian, Eran Yariv, Emanuel Paleologu, Ian Carbaugh, Gerardo Diaz Cuellar
-
Publication number: 20080282336Abstract: A networked computer with a software firewall that may be configured for any of a number of network contexts may be quickly configured with an appropriate set of rules for a current network context. The computer has multiple profiles, each containing rules applicable to a different network context. When a change in network context is detected, a difference between the profile for the current context and the profile with which the firewall was previously configured is determined. These differences are applied to quickly reconfigure the firewall without blocking, even temporarily, communications that are allowed in the previously configured and current profiles. Additionally, when the networked computer is connected to multiple networks simultaneously, an appropriate profile may be selected.Type: ApplicationFiled: August 10, 2007Publication date: November 13, 2008Applicant: Microsoft CorporationInventors: Gerardo Diaz Cuellar, David Abzarian
-
Publication number: 20080282335Abstract: A software firewall that may be simply configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be translated to firewall filters for network interfaces of that network type. The translation may be performed automatically and may be updated based on network location awareness information.Type: ApplicationFiled: May 9, 2007Publication date: November 13, 2008Applicant: Microsoft CorporationInventors: David Abzarian, Gerardo Diaz Cuellar
-
Publication number: 20080282314Abstract: A firewall helps a user make a decision regarding network access for an application executing on a computing device by providing “hints” to the user about an appropriate network access policy. If at least one previously set firewall policy for the application exists in a context different from a current context, the user may be presented with information based on a previously set firewall policy. The information may be prioritized based on a source of the previously set firewall policy and other factors, to provide the user with a hint that facilitates making the decision appropriate in the current context. A programming interface to the firewall allows third party applications to specify a format in which hints are provided to the user.Type: ApplicationFiled: May 9, 2007Publication date: November 13, 2008Applicant: Microsoft CorporationInventors: David Abzarian, Gerardo Diaz Cuellar, Satheesh S. Dabbiru
-
Publication number: 20080282313Abstract: Computer-readable medium having a data structure stored thereon for defining a schema for expressing a network security policy. The data structure includes a first data field including data defining a parameter to be applied based on the network security policy. The network security policy defines at least one of the following: a firewall rule and a connection security rule. The data structure also includes a second data field having data specifying restrictions of the parameter included in the first data field. The parameter in the first data field and the restrictions in the second data field form the schema for expressing the network security policy to be processed. The network security policy manages communications between a computing device and at least one other computing device.Type: ApplicationFiled: May 9, 2007Publication date: November 13, 2008Applicant: MICROSOFT CORPORATIONInventors: Gerardo Diaz-Cuellar, David Abzarian, Lokesh Srinivas Koppolu, Eran Yariv
-
Publication number: 20080148380Abstract: The dynamic updating of firewall parameters is described. One exemplary embodiment includes receiving a policy rule that includes a reference to a predefined container that specifies a permissible value range of at least one firewall parameter allowable under the policy rule, receiving a firewall parameter value, and populating the predefined container with the firewall parameter value if the firewall parameter value is within the permissible value range, thereby updating the policy rule.Type: ApplicationFiled: October 30, 2006Publication date: June 19, 2008Applicant: Microsoft CorporationInventors: David Abzarian, Gerardo Diaz Cuellar, Eran Yariv
-
Publication number: 20080109890Abstract: Management of security firewall settings in a networked computing environment is described. One example embodiment includes applying security settings and exceptions to the security settings based on network class for network communication, and upon detection of an event, revoking at least one exception for at least one network in a specified class.Type: ApplicationFiled: November 3, 2006Publication date: May 8, 2008Applicant: Microsoft CorporationInventors: Pradeep Bahl, Gerardo Diaz Cuellar, Rajesh Dadhia
-
Publication number: 20080028457Abstract: A proxy service receives requests from a remote caller to configure a main service. The proxy service authenticates the caller and validates the request. The proxy service then passes the request along to the main service if the caller can be authenticated and if the request can be validated. The proxy service runs at a non-privileged level, but when the proxy service passes the request to the main service, the proxy service impersonates the caller so that the request to the main service is made at the original caller's level of privilege. The main service can block all inbound network traffic, since network requests to configure the main service are received by the proxy, which is a local object from the perspective of the main service. Additionally, the proxy can block inbound traffic other than a certain class of requests (e.g., Remote Procedure Calls).Type: ApplicationFiled: July 28, 2006Publication date: January 31, 2008Applicant: Microsoft CorporationInventors: Gerardo Diaz-Cuellar, Eran Yariv, David Abzarian