Abstract: Various technologies and techniques are disclosed that provide a centralized model to assign, monitor, and manage security on home electronic devices. A three-dimensional security matrix uses a role-based model that allows users to map security into groupings. Users can be assigned security levels based on application role (what activity is involved), user role (what each family member or guest is allowed to do), and device role (what this device is allowed to do while preserving system integrity). An authorization service determines whether a particular activity requested by the user should be granted or denied based upon whether the user has authorization to access the particular activity and whether the particular device can support the particular activity without comprising the security of the network.

Abstract: An object-oriented programming framework allows developers to write applications for services and devices that are automatically “discoverable” by applications associated with other devices and services on a network. An attribute is added to a class in an application or web service object and an associated, generic discoverable base class is appended to the application to make the application discoverable on the network. The discovery framework imposes minimal requirements on the application in which it is embedded, so nearly every application can be converted into a “discoverable” application. The discovery protocol-dependent details are hidden from the application itself, so exchanging the discovery protocol can be done without affecting the application.

Abstract: A network address translator (NAT) can be provided as part of a gateway between a private network and a public network. In situations where an entity in a private network requires establishment of a TCP connection to another entity in a separate private network, it is often the case that two NATs must be traversed one for each private network. In addition, these NATs may have associated one-way firewalls which block unsolicited incoming connections but allow outgoing connections. In this type of situation it is difficult to establish a TCP connection directly between the two entities in a simple and effective manner. We describe a method for achieving this which makes use of a redirection server in the public network to establish the connection but not to carry traffic during the communication session. We exploit features of the TCP simultaneous open process to establish a TCP connection directly between the entities.

Abstract: An object-oriented programming framework allows developers to write applications for services and devices that are automatically “discoverable” by applications associated with other devices and services on a network. An attribute is added to a class in an application or web service object and an associated, generic discoverable base class is appended to the application to make the application discoverable on the network. The discovery framework imposes minimal requirements on the application in which it is embedded, so nearly every application can be converted into a “discoverable” application. The discovery protocol-dependent details are hidden from the application itself, so exchanging the discovery protocol can be done without affecting the application.

Abstract: Various technologies and techniques are disclosed that provide a centralized model to assign, monitor, and manage security on home electronic devices. A three-dimensional security matrix uses a role-based model that allows users to map security into groupings. Users can be assigned security levels based on application role (what activity is involved), user role (what each family member or guest is allowed to do), and device role (what this device is allowed to do while preserving system integrity). An authorization service determines whether a particular activity requested by the user should be granted or denied based upon whether the user has authorization to access the particular activity and whether the particular device can support the particular activity without comprising the security of the network.

Abstract: The invention provides for authorization of devices entering a network. A new device entering a network sends an authorization request. Another device in the network may receive the request and display a User Interface (UI) which prompts the user to approve the device. The user can use a device identifier provided by the new device in approving the new device. Assuming the identifier provided by the new device matches an identifier accessible by the authorizing device, the user authorizes the new device. A key is then generated for the new device, which allows access to an appropriate range of network services. Authorization decisions can be synchronized among the various devices in a network, so even if an authorizing device leaves the network, the new device key can be validated. A security service can be replicated in a new device once the device is authorized to access the network.