U.S. patent application number 11/167745 was filed with the patent office on 2006-04-06 for systems and methods for monitoring and displaying performance metrics.
Invention is credited to Naohisa Fukuda, Raymond T. Gurgone, Robert L. Johnston, Edward W. Laves, David S. Robins, Frank Seiji Sanda, Justin Owen Tidwell, Laura J. Worthington, Karlton Mark Zeitz.
Application Number: 20060072583 (11/167745)
Family ID: 35044584
Filed Date: 2006-04-06
United States Patent Application 20060072583
Kind Code: A1
Sanda; Frank Seiji; et al.
April 6, 2006
Systems and methods for monitoring and displaying performance metrics
Abstract
Systems and methods for monitoring and displaying performance
metrics are described. One aspect of one described embodiment
includes receiving performance metrics associated with a plurality
of network connections to a plurality of networks, each of the
plurality of network connections associated with a client device;
determining a status of one of the plurality of networks based at
least in part on the performance metrics; and providing the status
of the one of the plurality of networks to a user interface.
Inventors: Sanda; Frank Seiji; (Tokyo, JP); Fukuda; Naohisa; (Tokyo, JP); Laves; Edward W.; (Golden, CO); Johnston; Robert L.; (Colorado Springs, CO); Tidwell; Justin Owen; (Aurora, CO); Gurgone; Raymond T.; (Woodstock, IL); Robins; David S.; (Buffalo Grove, IL); Worthington; Laura J.; (Centennial, CO); Zeitz; Karlton Mark; (Centennial, CO)
Correspondence Address: KILPATRICK STOCKTON LLP, 1001 WEST FOURTH STREET, WINSTON-SALEM, NC 27101, US
Family ID: 35044584
Appl. No.: 11/167745
Filed: June 27, 2005
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
60583765 | Jun 28, 2004 |
60598364 | Aug 3, 2004 |
60652121 | Feb 11, 2005 |
60653411 | Feb 16, 2005 |
Current U.S. Class: 370/395.53
Current CPC Class: H04L 41/0681 20130101; H04L 63/145 20130101; H04L 43/045 20130101; H04L 63/0263 20130101; H04L 63/166 20130101; H04L 67/322 20130101; H04L 67/02 20130101; H04L 41/5016 20130101; H04L 63/162 20130101; H04L 69/329 20130101; H04L 63/08 20130101; H04L 2209/56 20130101; H04L 67/14 20130101; H04L 41/509 20130101; H04W 48/18 20130101; H04L 63/0869 20130101; H04W 12/088 20210101; H04L 67/04 20130101; H04L 2209/805 20130101; G06F 21/316 20130101; H04L 41/0213 20130101; G06F 21/6227 20130101; H04L 9/3273 20130101; H04L 41/5009 20130101; H04L 63/0227 20130101; H04L 9/321 20130101; H04L 47/24 20130101; H04L 63/0823 20130101; H04L 2209/60 20130101; H04L 41/5067 20130101; H04L 43/0817 20130101; H04L 67/30 20130101; H04L 47/11 20130101; H04L 47/22 20130101; H04L 63/102 20130101; H04L 63/1408 20130101; H04L 63/20 20130101; H04L 63/0272 20130101
Class at Publication: 370/395.53
International Class: H04L 12/28 20060101 H04L012/28
Claims
1. A method comprising: receiving performance metrics associated
with a plurality of network connections to a plurality of networks,
each of the plurality of network connections associated with a
client device; determining a status of one of the plurality of
networks based at least in part on the performance metrics; and
providing the status of one of the plurality of networks to a user
interface.
2. The method of claim 1, wherein receiving performance metrics
comprises receiving an SNMP trap.
3. The method of claim 1, wherein the performance metrics comprise
a VPN status.
4. The method of claim 3, wherein the VPN status comprises the VPN
state and the VPN throughput.
5. The method of claim 1, wherein the performance metrics comprise
a measure of health of the client device.
6. The method of claim 1, wherein the performance metrics comprise
a measure of health of the network.
7. The method of claim 1, wherein the performance metrics comprise
at least one datum selected from the group consisting of a network
node identifier, a transport identifier, a start time, a connection
duration, a bytes sent quantity, a bytes received quantity, a data
rate up quantity, a data rate down quantity, a protocol identifier,
an application identifier, a success code, a signal strength
quantity, a network type code, a packet size quantity, a CPU
utilization quantity, a memory consumption quantity, a power level
quantity, a disk space quantity, a device identifier, and a
termination cause.
8. The method of claim 1, wherein the status of the one of the
plurality of networks comprises a problem.
9. The method of claim 8, wherein the problem comprises
congestion.
10. The method of claim 8, wherein the status of the one of the
plurality of networks comprises a bill reconciliation status.
11. The method of claim 8, wherein the status of the one of the
plurality of networks comprises a capacity planning status.
12. The method of claim 1, further comprising generating a carrier
audit report comprising the status of the one of the plurality of
networks.
13. The method of claim 12, wherein the carrier audit report
comprises a plurality of carriers.
14. The method of claim 1, further comprising generating a
security-related policy based at least in part on the performance
metrics.
15. The method of claim 1, wherein providing the status of the one
of the plurality of networks to a user interface comprises
generating an alert.
16. The method of claim 1, wherein the user interface comprises a
web portal.
17. A computer-readable medium on which is encoded program code,
the program code comprising: program code for receiving performance
metrics associated with a plurality of network connections, each of
the plurality of network connections associated with a client
device and a network; program code for determining a status of the
one of the plurality of networks based at least in part on the
performance metrics; and program code for providing the status of
the one of the plurality of networks to a user interface.
18. A system comprising: a real-time monitor operable to: receive
performance metrics associated with a plurality of network
connections, each of the plurality of network connections
associated with a client device and a network; determine a status
of one of the plurality of networks based at least in part on the
performance metrics; and a portal in communication with the
real-time monitor and operable to provide the status of the one of
the plurality of networks in a user interface.
Description
RELATED APPLICATIONS
[0001] This application claims priority to Application Ser. No.
60/583,765, filed on Jun. 28, 2004, titled "Controlling Use of a
Mobile Work Station Based on Network Environment," Application Ser.
No. 60/598,364, filed on Aug. 3, 2004, titled "Systems and Methods
for Enhancing and Optimizing a User's Experience on an Electronic
Device," Application Ser. No. 60/652,121, filed on Feb. 11, 2005,
titled "Remote Access Services," and Application Ser. No.
60/653,411, filed on Feb. 16, 2005, titled "Creating an Environment
for Secure Mobile Access Anywhere," the entirety of all of which
are incorporated herein by reference.
FIELD OF THE INVENTION
[0002] The present invention relates generally to computer
networking and, more particularly to systems and methods for
monitoring and displaying performance metrics.
BACKGROUND
[0003] As the workforce becomes more mobile, enterprises often must
rely on unfamiliar networks to provide remote network access.
Enterprises and their users have increasing options in selecting
methods of connecting to the enterprise network as well as other
resources, such as the Internet. With this added choice comes added
complexity, both in service offerings and the associated charges,
as well as the potential for inconsistency in service.
[0004] Each remote method for connecting to an enterprise
network offers a tradeoff between cost, performance, and
convenience. For instance, a wired network connection might be
faster and less costly than a cellular network connection, but less
convenient for a mobile user. Also, since each connection type may
be purchased from a different network provider, the enterprise must
reconcile charges from each of the providers for each of the users
accessing the network remotely.
[0005] In conventional networks, enterprises are not able to
determine precisely where problems are occurring in provider
networks. Further, enterprises are unable to determine the best
connection for each individual user given the place where the user
is accessing the enterprise's network, Internet, or other service.
When the data is available, it is often out-of-date and of less
value than real-time data would be.
SUMMARY
[0006] Embodiments of the present invention provide systems and
methods for monitoring and displaying performance metrics. One
aspect of one embodiment of the present invention comprises
receiving performance metrics associated with a plurality of
network connections to a plurality of networks, each of the
plurality of network connections associated with a client device;
determining a status of one of the plurality of networks based at
least in part on the performance metrics; and providing the status
of the one of the plurality of networks to a user interface. In
another embodiment, a computer-readable medium (such as, for
example random access memory or a computer disk) comprises code for
carrying out such a method.
[0007] This illustrative embodiment is mentioned not to limit or
define the invention, but to provide one example to aid
understanding thereof. Illustrative embodiments are discussed in
the Detailed Description, and further description of the invention
is provided there. Advantages offered by the various embodiments of
the present invention may be further understood by examining this
specification.
FIGURES
[0008] These and other features, aspects, and advantages of the
present invention are better understood when the following Detailed
Description is read with reference to the accompanying drawings,
wherein:
[0009] FIG. 1 is a block diagram showing an illustrative
environment for implementation of one embodiment of the present
invention;
[0010] FIG. 2 is a block diagram illustrating the modules present
on a client device 102 in one embodiment of the present
invention;
[0011] FIG. 3 is a block diagram illustrating the modules present
on a security server 104 in one embodiment of the present
invention;
[0012] FIG. 4 is a block diagram illustrating the modules present
on an enterprise server 106 in one embodiment of the present
invention;
[0013] FIG. 5 is a flowchart illustrating a process for collecting
and storing performance metrics in one embodiment of the present
invention;
[0014] FIG. 6 is a flowchart illustrating a process for providing a
network status to a user interface in one embodiment of the present
invention;
[0015] FIG. 7 is a flowchart illustrating a process for determining
a status of the network in one embodiment of the present invention;
and
[0016] FIG. 8 is a flowchart illustrating a method for providing
the status of the network to a user interface in another embodiment
of the present invention.
DETAILED DESCRIPTION
[0017] Embodiments of the present invention provide systems and
methods for monitoring and displaying performance metrics. There
are multiple embodiments of the present invention. By way of
introduction and example, one illustrative embodiment of the
present invention provides a method for receiving and analyzing
performance metrics associated with various network carriers used
by clients of an enterprise to access the enterprise's network.
[0018] The metrics may include information such as throughput rate,
protocol used, application identifier, and other performance and
network-related measures. A Quality of Service ("QoS") server uses
the performance metrics to determine the status of the networks.
For instance, the QoS server may determine that a particular
carrier's network in one city or neighborhood in that city is
unstable based on the throughput rate of that network segment or
based on some other measure.
[0019] The QoS server provides the status of the network to a user
and may provide alerts based on predetermined events and
thresholds. For instance, in one embodiment, the user accesses a
portal. The portal provides a visual alert to the user, indicating
that the network segment is unstable. The portal may provide other
information as well, such as the relative costs of various
networks. In one embodiment, real-time analysis of the data occurs,
and information from that real-time analysis is weighted in terms
of level of urgency. Based on this level of urgency, a
determination is made as to how the information should be dealt
with. For instance the data may simply be stored for logging
purposes or sent to an internal or external customer service
representative.
[0020] In addition to basic performance monitoring, an embodiment
of the present invention may provide the enterprise with the
ability to define certain events that, when they occur, trigger an
alarm on a portal. One example of such a user-defined event might
be "if a single user is logged on more than once in geographically
disparate areas, post an alert."
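The user-defined event quoted above, written out as a portal alert rule. This is an added example, not code from the patent application; the session record layout, the 500 km threshold for "geographically disparate" and the sample sessions are constructed assumptions.

```python
"""Alert rule from paragraph [0020]: one user logged on more than once, at
the same time, from geographically disparate areas.  Added example; the
record layout, threshold and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Session:
    user: str
    device: str          # identifier of the client 102 that opened the session
    city: str
    lat: float
    lon: float
    start: datetime
    end: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def overlaps(a: Session, b: Session) -> bool:
    """True when the two sessions were active at the same moment."""
    return a.start < b.end and b.start < a.end


def disparate_concurrent_logons(sessions, min_distance_km=500.0):
    """One alert per pair of concurrent sessions of the same user that are at
    least min_distance_km apart.  Pairs from the same device are skipped:
    a laptop that roams between networks is not two users."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    alerts = []
    for user, user_sessions in by_user.items():
        for a, b in combinations(user_sessions, 2):
            if a.device == b.device or not overlaps(a, b):
                continue
            distance = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if distance >= min_distance_km:
                alerts.append({
                    "user": user,
                    "locations": sorted([a.city, b.city]),
                    "distance_km": round(distance),
                    "overlap_start": max(a.start, b.start).isoformat(),
                })
    return alerts


# Constructed sample data: alice appears in Denver and Tokyo at once on two
# different devices; bob has two overlapping sessions from one device.
T = datetime.fromisoformat
SAMPLE_SESSIONS = [
    Session("alice", "LT-0001", "Denver", 39.74, -104.99, T("2005-06-27T09:00"), T("2005-06-27T11:30")),
    Session("alice", "LT-0002", "Tokyo", 35.68, 139.69, T("2005-06-27T10:15"), T("2005-06-27T12:00")),
    Session("bob", "LT-0003", "Chicago", 41.88, -87.63, T("2005-06-27T09:00"), T("2005-06-27T10:00")),
    Session("bob", "LT-0003", "Chicago", 41.88, -87.63, T("2005-06-27T09:30"), T("2005-06-27T10:30")),
]

if __name__ == "__main__":
    for alert in disparate_concurrent_logons(SAMPLE_SESSIONS):
        print("ALERT:", alert)
```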
[0021] This introduction is given to introduce the reader to the
general subject matter of the application. By no means is the
invention limited to such subject matter. Illustrative embodiments
are described below.
System Architecture
[0022] Various systems in accordance with the present invention may
be constructed. Referring now to the drawings in which like
numerals indicate like elements throughout the several figures,
FIG. 1 is a block diagram showing an illustrative environment for
implementation of one embodiment of the present invention. The
system shown in FIG. 1 includes a client 102. The client is in
communication with a security server 104.
[0023] Communication with the security server 104 occurs via a
network 108. The network 108 may comprise a public or private
network and may include the Internet. The network may also comprise
a plurality of networks, including, for example, dedicated phone
lines between the various components. In one embodiment, the client
102 communicates with the security server 104 via a virtual private
network ("VPN") established over the Internet.
[0024] The security server 104 is also in communication with an
enterprise server 106 via a network. The network 108 may comprise
various elements, both wired and wireless. In one embodiment, the
communication between the security server 104 and enterprise server
106 occurs over a static VPN established over dedicated
communication lines.
[0025] In one embodiment, a user connects a client device 102 to
the network 108 using a network access user interface. The network
access user interface is always on and only allows the user to
connect to the network 108 via the interface. The network access
user interface automatically causes the client 102 to connect to
the security server 104 through the network 108. The security
server 104 provides value added services to the client 102 and to
one or more enterprises. Access to other services, such as the
Internet, may be provided via the security server 104.
[0026] Although FIG. 1 includes only a single client 102, security
server 104, and enterprise server 106, an embodiment of the present
invention will typically include a plurality of clients 102 and may
include a plurality of security servers 104 and enterprise servers
106.
Client Devices
[0027] FIG. 2 is a block diagram illustrating the modules present
on a client device 102 in one embodiment of the present invention.
Examples of client device 102 are personal computers, digital
assistants, personal digital assistants, cellular phones, mobile
phones, smart phones, pagers, digital tablets, laptop computers,
Internet appliances, and other processor-based devices. In general,
a client device 102 may be any suitable type of processor-based
platform that is connected to the network 108, and that interacts
with one or more application programs. The client device 102 can
contain a processor coupled to a computer-readable medium, such as
RAM. Client device 102 may operate on any operating system, such as
Microsoft® Windows® or Linux. The client device 102 is, for
example, a laptop computer executing a network access user
interface.
[0028] The modules shown in FIG. 2 represent functionality of the
client 102. The modules may be implemented as one or more computer
programs that include one or more modules. For instance, in one
embodiment, all the modules shown in FIG. 2 are contained within a
single network access application. Also, the functionality shown on
the client 102 may be implemented on a server in other embodiments
of the present invention. Likewise, functionality shown in FIGS. 3
and 4 as being on a server may be implemented on the client 102 in
some embodiments of the present invention.
[0029] The client 102 shown in FIG. 2 comprises a VPN client 202.
The VPN client 202 allows the client 102 to connect to the
enterprise server 106. In one embodiment of the present invention,
the VPN client 202 is used to determine whether or not the VPN
client 202 is active and whether or not the VPN client 202 is
connected to a VPN server. For instance, an embodiment of the
present invention may determine whether or not to connect to a
particular service based on whether or not the VPN client 202 is
enabled.
[0030] In another embodiment of the present invention, the VPN
client 202 is used for four purposes: (1) to manage policy files,
which include information, such as a gateway Internet Protocol (IP)
address, secrecy and authentication level, and hash; (2)
automatically connecting a VPN; (3) automatically disconnecting the
VPN; and (4) monitoring the status of the VPN. Each of these four
purposes may be affected by other modules, including, for example,
the connection manager 210.
[0031] The client 102 also comprises a secure vault 204. The secure
vault 204 protects content on the client 102. In one embodiment,
the secure vault 204 is responsible for storing encrypted content
on the client 102 and allowing access to the encrypted content
based on a set of permissions or policies. In such an embodiment, a
content creator can provide access via a viewer to secured content
and allow a recipient of the content read-only access or allow the
recipient to perform other tasks, such as modifying the content and
forwarding it to other users. In another embodiment, the secure
vault 204 allows the user to create and distribute secure content
to other clients 102; for example, the content creator can decide to
send a document to several users and allow two of the users full
access and one of the users read-only access.
[0032] The client 102 shown in FIG. 2 also comprises a firewall
206. The firewall 206 allows port blocking via predefined policies.
For instance, in one embodiment, an information technology ("IT")
manager specifies port blocking based on two zones, a safe zone and
a dangerous zone. The IT manager specifies one of these two zones
for each of the network interface devices installed on the client
102. The IT manager is then able to set port-blocking rules by zone
on the firewall 206.
[0033] For example, the IT manager may classify a Wireless Fidelity
("Wi-Fi") network interface as dangerous since it has traditionally
been considered fairly unsafe. And the IT manager may apply more
restrictive port-blocking rules to the dangerous zone than to the
safe zone and network interface devices, such as those used to
connect to a wired Local Area Network ("LAN") or a Personal
Handyphone System ("PHS") cellular connection. The PHS standard is
a TDD-TDMA based microcellular wireless communications technology
and has been traditionally considered relatively safer than Wi-Fi
connections. The PHS cellular connection may also be referred to as
a wireless wide area network ("WWAN") as opposed to a dial-up
connection providing access to a wide area network ("WAN").
[0034] In various other embodiments, the port-blocking rules of the
firewall 206 may be based on time of day, client IP address,
terminating IP address, terminating and originating port, protocol,
and other variables. In one embodiment, the port-blocking rules are
based on policy data associated with individual users logged into
the client 102.
[0035] In one embodiment, the port-blocking rules of the firewall
206 include a blacklist. The blacklist allows an IT manager to
prevent an application from executing on the client 102. For
instance, an IT manager may blacklist a DVD player so that a user
is unable to view DVDs on the client 102. The firewall 206 may
provide a message to the user informing the user that an
application is unavailable.
[0036] In another embodiment, the firewall 206 implements a white
list. The white list is somewhat more restrictive than the
blacklist described above. The white list allows only specified
applications to execute. For example, an IT manager may allow only
MS Word, Excel, PowerPoint, and Outlook to execute. No other
applications will be permitted to execute. The firewall 206 may be
a custom firewall or a third-party firewall integrated into an
embodiment of the present invention.
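The zone-based port blocking of paragraphs [0032]-[0034] and the application blacklist and white list of [0035]-[0036], as one policy evaluator. This is an added example, not code from the patent application or any third-party firewall; the zone names, rule fields, interface names, sample policy and connection attempts are constructed assumptions.

```python
"""Zone-based port blocking and application control for the client firewall
206 ([0032]-[0036]).  Added example; interface names, rule fields and the
sample policy are assumptions."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# The IT manager assigns each network interface device on the client to a
# zone; Wi-Fi is treated as dangerous, wired LAN and PHS as safe ([0033]).
INTERFACE_ZONES = {"wlan0": "dangerous", "eth0": "safe", "phs0": "safe"}


@dataclass(frozen=True)
class Rule:
    """One port-blocking rule; None in an optional field matches anything."""
    zone: str
    action: str                     # "allow" or "block"
    port: Optional[int] = None      # terminating port
    protocol: Optional[str] = None  # "tcp" or "udp"
    remote: Optional[str] = None    # terminating IP network, e.g. "203.0.113.0/24"
    after: Optional[time] = None    # time-of-day window start (inclusive)
    before: Optional[time] = None   # time-of-day window end (exclusive)

    def matches(self, zone, port, protocol, remote_ip, now):
        if self.zone != zone:
            return False
        if self.port is not None and self.port != port:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.remote is not None and ip_address(remote_ip) not in ip_network(self.remote):
            return False
        if self.after is not None and now < self.after:
            return False
        if self.before is not None and now >= self.before:
            return False
        return True


def evaluate(rules, interface, port, protocol, remote_ip, now):
    """First matching rule for the interface's zone decides.  An interface the
    IT manager has not classified is treated as dangerous, and traffic that
    no rule matches is blocked (default deny)."""
    zone = INTERFACE_ZONES.get(interface, "dangerous")
    for rule in rules:
        if rule.matches(zone, port, protocol, remote_ip, now):
            return rule.action
    return "block"


def application_allowed(app, mode, names):
    """Application control ([0035]-[0036]): a blacklist blocks only the listed
    programs; a white list permits only the listed programs."""
    if mode == "blacklist":
        return app not in names
    if mode == "whitelist":
        return app in names
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample policy.  The dangerous zone may reach only the VPN
# gateway (IKE) and HTTPS; the safe zone may use SMB file sharing during
# office hours and is otherwise unrestricted.
SAMPLE_RULES = [
    Rule("dangerous", "allow", port=500, protocol="udp", remote="203.0.113.0/24"),
    Rule("dangerous", "allow", port=443, protocol="tcp"),
    Rule("safe", "allow", port=445, protocol="tcp", after=time(8, 0), before=time(18, 0)),
    Rule("safe", "block", port=445, protocol="tcp"),   # SMB outside office hours
    Rule("safe", "allow"),
]


def sample_decision(interface, port, protocol, remote_ip, hour):
    """Evaluate SAMPLE_RULES for a connection attempt at the given hour."""
    return evaluate(SAMPLE_RULES, interface, port, protocol, remote_ip, time(hour, 0))


if __name__ == "__main__":
    print(sample_decision("wlan0", 445, "tcp", "10.0.0.5", 9))    # block
    print(sample_decision("eth0", 445, "tcp", "10.0.0.5", 9))     # allow
    print(sample_decision("eth0", 445, "tcp", "10.0.0.5", 20))    # block
    print(application_allowed("dvdplayer.exe", "blacklist", {"dvdplayer.exe"}))  # False
```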
[0037] The embodiment shown in FIG. 2 also includes an antivirus
module 208. The antivirus module 208 shown determines whether
policy files, virus dictionary, or other virus-related resources
are out of date and provides the client 102 with a mechanism for
updating the files or data. The antivirus module 208 may restrict
access to various connections, applications, and other
functionality when the policy files are out of date. For instance,
the antivirus module 208 may restrict the client 102 to connecting
to a single gateway through which the policy files are available.
In one embodiment, the antivirus module 208 comprises a third-party
antivirus product that is integrated with the other modules on the
client 102.
[0038] The client 102 also comprises a connection manager 210,
which includes a rules processor. In one embodiment, the connection
manager 210 assigns a priority number to every connection, e.g.,
one to one hundred, and selects the connection with the highest
number to connect to.
[0039] The connection manager 210 may provide a connection to a
variety of networks, including, for example, dial-up, LAN, digital
subscriber line ("DSL"), cable modem, Wi-Fi, wireless local area
network ("WLAN"), PHS, and satellite.
[0040] In one embodiment, the connection manager 210 differentiates
between public and private connections. A public connection is a
connection provided by a service provider who has a relationship
with the administrator of the security server 104, which allows the
security server 104 to authenticate the connection. For instance,
the security server 104 administrator may have a business
arrangement with a hotspot provider. In order to connect, the
client 102 connects to a local access point and the authentication
of the user occurs automatically at the security server 104. In
contrast, a private connection requires that all aspects of the
authentication mechanism for a connection be managed in the absence
of the security server 104, although the connection manager may
provide certain facilities to allow for automated authentication
where possible.
[0041] In one embodiment, the connection manager 210 makes
connections available or unavailable to the client 102 based on
policies present on the client 102. The connection manager 210 may
also download changes to policy data and transmit quality of
service ("QoS") and other data to the security server 104 or the
enterprise server 106.
[0042] In one embodiment, the connection manager 210 determines the
type of connections that are available based on signals provided by
hardware associated with the client 102. For example, when the
client 102 passes near a hotspot, a Wi-Fi card in the client 102
senses the hotspot and sends a signal to the connection manager
210. For instance, the Wi-Fi card may sense a broadcast service set
identifier ("SSID"). Once the signal exceeds a threshold, the
connection manager 210 provides a signal to a user of the client
102 that the network is available or may automatically connect to
the hotspot. Alternatively, the Wi-Fi card may poll for a
non-broadcast SSID. The connection manager 210 may provide a single
connection to the client 102 at one time or may provide multiple
connections to the client 102.
[0043] The client 102 shown in FIG. 2 also comprises a QoS
collector 212. The QoS collector 212 collects data values,
including, for example, the number of bytes sent and received, the
average transfer rate, the average signal strength at connection,
termination cause, failed connections, and a network identifier. In
another embodiment, the QoS collector 212 collects data during the
session to determine when a connection provides inconsistent
performance.
[0044] In one embodiment, the QoS collector 212 collects data
regarding a connection during a session but does not send the data
for a session until the next session. Thus, if a session is
terminated abnormally, the QoS data will still be collected and
transferred successfully. In another embodiment, the QoS collector
212 transfers data only when a particular type of connection is
detected, such as a high-speed or low cost connection.
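The collection and deferred-upload behaviour of the QoS collector 212 described in [0043]-[0044], together with the status determination and urgency weighting of the QoS server from [0018]-[0019], as one worked model. This is an added example, not code from the patent application; the record fields, the instability thresholds, the urgency levels and the sample sessions are constructed assumptions, and the "network identifier" is modelled as carrier plus city segment.

```python
"""QoS collection on the client ([0043]-[0044]) and network status with
urgency-weighted alerting on the QoS server ([0018]-[0019]).  Added example;
fields, thresholds and sample sessions are assumptions."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class SessionRecord:
    """One connection session as collected by the QoS collector 212."""
    network: str                    # modelled as "carrier/city" segment
    bytes_sent: int = 0
    bytes_received: int = 0
    duration_s: int = 0
    signal_strength: int = 0        # dBm at connection time
    termination_cause: str = "unknown"

    @property
    def throughput_kbps(self):
        total_bits = (self.bytes_sent + self.bytes_received) * 8
        return total_bits / 1000 / max(self.duration_s, 1)


class QoSCollector:
    """Client side.  The running session's record is written to local storage
    as it progresses and is uploaded only when the NEXT session begins, so a
    session that ends abnormally is still reported ([0044])."""
    def __init__(self):
        self._stored = None     # record persisted locally, not yet uploaded
        self._current = None

    def begin_session(self, network):
        pending = self._stored
        if pending is not None and pending.termination_cause == "unknown":
            pending.termination_cause = "dropped"   # never closed cleanly
        self._stored = None
        self._current = SessionRecord(network)
        return pending          # caller forwards this to the QoS server

    def update(self, bytes_sent=0, bytes_received=0, duration_s=0, signal_strength=None):
        rec = self._current
        rec.bytes_sent += bytes_sent
        rec.bytes_received += bytes_received
        rec.duration_s += duration_s
        if signal_strength is not None:
            rec.signal_strength = signal_strength
        self._stored = rec      # persisted incrementally

    def end_session(self, cause="user"):
        self._current.termination_cause = cause
        self._stored = self._current
        self._current = None


class QoSServer:
    """Aggregates records per network and decides its status."""
    MIN_THROUGHPUT_KBPS = 64.0  # below this the segment is considered unstable
    MAX_DROP_RATE = 0.25        # share of sessions that ended in a drop

    def __init__(self):
        self._records = {}

    def ingest(self, record):
        if record is not None:
            self._records.setdefault(record.network, []).append(record)

    def status(self, network):
        recs = self._records.get(network, [])
        if not recs:
            return {"network": network, "status": "unknown", "urgency": 0}
        throughput = mean(r.throughput_kbps for r in recs)
        drop_rate = sum(r.termination_cause == "dropped" for r in recs) / len(recs)
        unstable = throughput < self.MIN_THROUGHPUT_KBPS or drop_rate > self.MAX_DROP_RATE
        # Urgency weighting: 0 = log only, 1 = portal alert,
        # 2 = also hand the event to a customer service representative.
        if not unstable:
            urgency = 0
        elif drop_rate >= 0.5:
            urgency = 2
        else:
            urgency = 1
        return {"network": network, "status": "unstable" if unstable else "ok",
                "avg_throughput_kbps": round(throughput, 1),
                "drop_rate": round(drop_rate, 2), "urgency": urgency}


def run_sample():
    """Constructed scenario: two sessions on carrier A in Denver; the second
    drops mid-session, so end_session() is never called for it."""
    collector, server = QoSCollector(), QoSServer()
    server.ingest(collector.begin_session("carrierA/Denver"))   # nothing pending yet
    collector.update(bytes_sent=400_000, bytes_received=1_600_000, duration_s=120, signal_strength=-60)
    collector.end_session("user")
    server.ingest(collector.begin_session("carrierA/Denver"))   # uploads session 1
    collector.update(bytes_sent=20_000, bytes_received=40_000, duration_s=300, signal_strength=-85)
    # ... the connection drops here; the stored record survives locally ...
    server.ingest(collector.begin_session("carrierA/Denver"))   # uploads session 2 as "dropped"
    return server.status("carrierA/Denver")


if __name__ == "__main__":
    print(run_sample())
```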
[0045] The client 102 also comprises a session statistics module
214. The session statistics module stores data representing user
characteristics. For instance, the session statistics module 214 may
store a list of the applications a user generally accesses, how
often the user is connected, the typical CPU and memory utilization
measure, keyboard sequences, and other characteristics of a user.
If a particular user deviates from the expected characteristics by
greater than a threshold, such as N standard deviations, and the
significance of the statistic is more than a specified amount, the
session statistics module 214 can identify the current user as a
potential unauthorized user.
[0046] The session statistics module 214 may perform other tasks as
well. For instance, in one embodiment, the session statistics
module 214 pre-loads applications based on a user's general usage
patterns.
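The deviation check of paragraph [0045], as a worked baseline comparison: a user's stored characteristics are compared with the current session and the session is flagged when any feature lies more than N standard deviations from the baseline, provided the baseline has enough samples to be meaningful. This is an added example, not code from the patent application; the feature set, N = 3, the 10-sample minimum and the sample history are constructed assumptions.

```python
"""Baseline deviation check for the session statistics module 214 ([0045]).
Added example; features, N, the sample minimum and the history are
assumptions."""
from statistics import mean, stdev

FEATURES = ("cpu_pct", "mem_pct", "apps_opened", "sessions_per_day")


def baseline(history, min_samples=10):
    """Per-feature mean and standard deviation over the user's past sessions,
    or None when there are too few samples for a deviation to be significant."""
    if len(history) < min_samples:
        return None
    return {f: {"mean": mean(s[f] for s in history), "std": stdev(s[f] for s in history)}
            for f in FEATURES}


def deviation_scores(sample, base):
    """Distance of each observed value from the baseline mean, in standard
    deviations.  A zero-variance feature that changes at all is treated as
    infinitely deviant."""
    scores = {}
    for f in FEATURES:
        diff = abs(sample[f] - base[f]["mean"])
        std = base[f]["std"]
        scores[f] = diff / std if std > 0 else (float("inf") if diff > 0 else 0.0)
    return scores


def check_session(sample, history, n_sigma=3.0, min_samples=10):
    """Flag the current user as a potential unauthorized user when one or more
    features deviate by more than n_sigma standard deviations."""
    base = baseline(history, min_samples)
    if base is None:
        return {"flagged": False, "reason": "insufficient_baseline", "outliers": [], "scores": {}}
    scores = deviation_scores(sample, base)
    outliers = sorted(f for f, z in scores.items() if z > n_sigma)
    return {"flagged": bool(outliers),
            "reason": "deviating_features" if outliers else "within_baseline",
            "outliers": outliers,
            "scores": {f: round(z, 1) for f, z in scores.items()}}


# Constructed history of twelve past sessions for one user.
HISTORY = [
    {"cpu_pct": c, "mem_pct": m, "apps_opened": a, "sessions_per_day": s}
    for c, m, a, s in zip(
        (22, 25, 28, 24, 26, 23, 27, 25, 24, 26, 25, 23),
        (42, 45, 48, 44, 46, 43, 47, 45, 44, 46, 45, 43),
        (3, 4, 5, 4, 4, 3, 5, 4, 4, 5, 3, 4),
        (1, 2, 1, 2, 1, 2, 2, 1, 2, 1, 2, 1),
    )
]
NORMAL = {"cpu_pct": 25, "mem_pct": 45, "apps_opened": 4, "sessions_per_day": 2}
SUSPICIOUS = {"cpu_pct": 95, "mem_pct": 60, "apps_opened": 30, "sessions_per_day": 2}

if __name__ == "__main__":
    print(check_session(NORMAL, HISTORY))
    print(check_session(SUSPICIOUS, HISTORY))
```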
[0047] The client 102 shown in FIG. 2 also comprises a policy
reader 216. In one embodiment, a company's policies are housed on
the enterprise server 106. For instance, individual groups and
users within an enterprise are identified and associated with
policies, such as what types of connections they are able to access
and what a user's VPN profile is. The user may also be able to
specify a VPN policy on the client 102. In such an embodiment, the
policy reader 216 downloads the policy rules from the enterprise
server 106 and accesses local user policies and reconciles any
conflicts between the two.
[0048] For example, an IT manager may establish a VPN profile to be
used by a user when connecting to a Wi-Fi network. However, the
user may wish to create a secondary VPN profile to be used if the
first VPN becomes unavailable. The policy reader 216 loads both
local and enterprise VPN profiles, resolving any conflict between
the two VPN profiles.
[0049] In one embodiment, the policy reader 216 accesses data at an
enterprise, department, and user level. In such an embodiment, some
of the policy rules may be stored in a lightweight directory access
protocol ("LDAP") server on the client 102, security server 104, or
enterprise server 106. In another embodiment, the policy reader 216
receives only changes to policy data and does not typically
download all of the policy data at once. Policies downloaded by the
policy reader 216 may be provided to the rules processor of the
connection manager 210.
[0050] The client 102 may also comprise a client security module
216. In one embodiment, the client security module 216 implements a
client asset protection process. When the client security module
216 receives a signal indicating that the client asset protection
process is to be executed, the client security module 216 may, for
example, disable devices and interfaces on the client device 102
and may, in some embodiments, encrypt the hard drive of the client
device 102 so that the files stored on the drive are not easily
accessible.
[0051] The client 102 may also comprise a user interface 220. The
user interface 220 may control the underlying operating environment
or the user's view of the underlying environment. For example, in
one embodiment, the user interface 220 supplants the Microsoft®
Windows operating system interface from the user's perspective. In
other words, the user is unable to access many of the standard
Windows features. Such a user interface may be implemented to limit
the applications and configuration settings a user is able to
access. In some embodiments, such as a personal digital assistant
("PDA"), no user interface is provided by an embodiment of the
present invention; the standard PDA user interface is utilized.
[0052] The client 102 shown in FIG. 2 also comprises a security
agent 222. In some embodiments, the security agent 222 is also
referred to as a "bomb." In one embodiment, an IT manager indicates
that the security agent 222 should be activated when the client 102
next connects to the enterprise server 106. The IT manager may do
so because the client 102 has been reported stolen. Subsequently,
the client 102 connects to the enterprise server 106, either
directly or indirectly, and receives the message to initiate the
security agent 222.
[0053] In one embodiment, when the security agent 222 activates, it
stops all applications from being able to run and encrypts the data
on the hard drive of the client 102. For instance, the security
agent 222 may implement a white list as described above and then
implement a secure vault for all data on the client 102. The
connection manager 210 may also be configured so that no
connections are possible.
[0054] In one such embodiment, since the data is merely encrypted
by security agent 222, rather than erased, the data may be
recovered if the client 102 is subsequently recovered. For
instance, the enterprise may retain the key needed for decrypting
the local drive. The client 102 is returned to the enterprise,
which then decrypts the drive. In another embodiment, the data on
the local drive of the client is rendered inaccessible by, for
example, writing over the data multiple times.
[0055] The client 102 shown in FIG. 2 also comprises an out-of-band
communication receiver 224. The out-of-band communication receiver
224 allows the client to receive communications other than through
a network-based connection. The connection manager 210 may manage
the out-of-band communication. For instance, the command to
activate the security agent 222 may be transferred via a short
messaging service ("SMS") communication received by the out-of-band
communication receiver 224.
Security Server
[0056] FIG. 3 is a block diagram illustrating the modules present
on a security server 104 in one embodiment of the present
invention. The security server 104 shown in FIG. 3 comprises a
remote authentication dial-in user service ("RADIUS") server 302,
which may also be referred to as an AAA (authentication,
authorization, and accounting) server. RADIUS is the standard by
which applications and devices communicate with an AAA server.
[0057] The RADIUS server 302 provides authentication services on
the security server 104. In some embodiments of the present
invention, the RADIUS server 302 proxies to a RADIUS server on the
enterprise server 106. In one embodiment, the RADIUS server 302
provides mutual authentication for the client 102 using Extensible
Authentication Protocol Transport Layer Security ("EAP-TLS").
Although EAP-TLS itself is strictly an 802.1X authentication
protocol, designed primarily for Wi-Fi connections, the underlying
TLS authentication protocol may be deployed in both wired and
wireless networks. EAP-TLS performs mutual secure sockets layer
("SSL") authentication. This requires both the client device 102
and the RADIUS server 302 to have a certificate. In mutual
authentication, each side may prove its identity to the other using
its certificate and its private key.
[0058] The security server shown in FIG. 3 also comprises an LDAP
server 304. The LDAP server 304 uses the LDAP protocol, which
provides a mechanism for locating users, organizations, and other
resources on the network. In one embodiment of the present
invention, the LDAP server 304 provides access control at the
network layer to various components that an enterprise customer may
or may not purchase. For example, a customer may choose to
implement a secure vault as described in relation to FIG. 1. In
such a case, the customer or users or groups associated with the
customer are also associated with the firewall module. The LDAP
entry is then used to determine that the firewall is to be enabled
on a client.
[0059] In some embodiments, the LDAP server 304 is implemented as a
list of user identifiers not using the LDAP protocol. In another
embodiment, data in the LDAP server 304 is propagated from data
present in the enterprise server 106.
[0060] The security server 104 shown in FIG. 3 also comprises a
session manager 306. The session manager 306 controls sessions,
including sessions between the client 102 and enterprise server
106. In some embodiments, the session manager 306 also determines
how to route data requests. For instance, the session manager 306
may determine that a particular data request should be routed to
the Internet rather than to the enterprise server 106. This may be
referred to as "splitting the pipe." It provides a mechanism to
replace "split tunneling" (a traditional configuration option in
most standard VPN clients) at the client device with a more secure
split, performed at the security server, of traffic not intended for
the enterprise. This allows all traffic to be monitored without the
enterprise incurring the expense of the extra bandwidth that would
otherwise be required.
[0061] In some embodiments, the client 102 and enterprise server
106 establish a VPN for communication. In such an embodiment, the
session manager 306 may be unable to route requests to any location
other than the enterprise--the packets are encrypted and thus,
cannot be separately evaluated.
[0062] In one embodiment, the session manager 306 performs
automated authentication of a client device 102 or user. For
example, if the session manager 306 determines that a client 102 is
approaching a Wi-Fi hotspot, the session manager 306 is able to
pre-populate the hotspot with the certificate that the hotspot
requires to authenticate the user. In this manner, the
authentication appears very fast to the user. The session manager
306 may also control the manner in which data is queued for
download to the client device 102.
[0063] In one such embodiment, the session manager 306 provides two
modes for data queuing. In a first mode, the session manager 306
determines that the network down time will be brief, e.g., the user
is moving through a tunnel, which interferes with network access.
In such a case, the session manager queues a minimal amount of
data. In a second mode, the session manager 306 determines that the
network down time will be of a longer duration, e.g., the user is
boarding a plane from New York to Tokyo. In such a case, the
session manager 306 may queue a larger amount of data. In one such
embodiment, the session manager 306 determines the mode by querying
the user for the downtime interval. When the user reconnects to the
security server 104, the session manager 306 determines the best
manner of downloading the queued data and begins the download.
[0064] In one embodiment, the session manager 306 comprises a
packet shaper (not shown). The packet shaper provides various
functional capabilities to the session manager 306. For example, in
one embodiment, the packet shaper provides a mechanism for
prioritizing packets sent between the enterprise server 106 and the
client 102. In one embodiment, the packet shaper utilizes
Multiprotocol Label Switching ("MPLS"). MPLS allows a specific path
to be specified for a given sequence of packets. MPLS allows most
packets to be forwarded at layer 2 (switching) rather than at
layer 3 (routing). MPLS provides a means for
providing QoS for data transmissions, particularly as networks
begin to carry more varied traffic.
[0065] The session manager 306 may also provide session persistence
capabilities. For instance, in one embodiment, when a user drops a
connection or moves from one provider network coverage area to
another, the session manager 306 persists a virtual connection
as the first connection is terminated and the second is
initiated.
[0066] The session manager 306 may include a server-side rules
engine. The server-side rules engine may use historical
information, such as the session statistics described above, for
statistical attack determination. For instance, session manager 306
may access a stored statistic regarding a client device 102 and
based on monitoring of the current statistics for the client device
102 determine that an unauthorized user is using the client device
102.
[0067] The security server 104 shown in FIG. 3 also comprises a
real-time monitor 308. The real-time monitor 308 monitors the
status of communications, such as which clients and users are
logged on, the amount of data being transferred, ongoing QoS
measures, ports in use, and other information.
[0068] When the real-time monitor 308 detects a problem, it may
issue an alert to network support. In one embodiment, data from the
real-time monitor 308 is provided to users via a portal available
on the security server 104. In another embodiment, the real-time
monitor 308 transfers information to the enterprise server 106, from
which users access the data.
[0069] The embodiment shown in FIG. 3 also comprises a historical
monitor 310. The historical monitor 310 provides information
similar to the real-time monitor 308. However, the underlying data
is historical in nature. For instance, in one embodiment, the
historical monitor 310 provides audit information for making
intelligent business decisions and for dealing with regulatory
compliance issues.
[0070] The information available via the historical monitor 310 may
include, for example, historical QoS data, registration compliance
data, and metrics consistency data. The historical data monitor 310
may be used to determine that certain clients are not performing
optimally by comparing metrics of various clients over time. For
instance, by evaluating information available via the historical
data monitor 310, a support person may be able to determine that a
radio tuner on a specific client device 102 is failing. If the user
of one client device 102 is complaining about the availability of
service, but other users are able to successfully access service,
then the client device's radio may be the problem.
[0071] The historical data monitor 310 may also be used to
reconcile information captured on the security server 104 regarding
connections and data provided by telecommunication carriers. The
data may be used to determine when certain resources need to be
increased and when a certain carrier is not performing
adequately.
[0072] The security server also comprises a database 312. In
embodiments of the present invention, the database 312 may be any
type of database, including, for example, MySQL, Oracle, or
Microsoft SQL Server relational databases. Also, although the
database 312 is shown as a single database in FIG. 3, the database
312 may actually comprise multiple databases, multiple schemas
within one or more databases, and multiple tables within one or
more schemas. The database 312 may also be present on one or more
other machines, e.g., database servers.
[0073] In one embodiment of the present invention, the database 312
stores customer information regarding enterprises served by the
security server 104, such as a list of valid users, a list of valid
cellular cards, the relationships between the individual users and
groups within the enterprise, and other customer information.
[0074] For example, in one embodiment, the database 312 stores an
association between users and cellular data cards. The enterprise
may allocate a single user to a specific data card. Alternatively,
the enterprise may associate a group of users with a group of
cellular data cards. Other types of data may also be stored in the
database 312, such as billing data.
[0075] The security server 104 shown in FIG. 3 also comprises a QoS
server 314. The QoS server 314 uploads information from the QoS
collector 212 on the client device 102 and stores the QoS data. The
QoS server 314 can collect data from multiple clients and store it
in the database 312.
[0076] The security server also comprises a QoS tools engine 316.
The QoS tools engine 316 displays data made available by the QoS
server 314 and other processes, such as the real-time monitor
308.
[0077] In one embodiment, the QoS tools engine 316 provides an
aggregation of QoS data in a spreadsheet. In another embodiment,
the QoS tools engine 316 provides data using map views, pie charts,
and graphs. The QoS tools engine 316 may also provide the
capability for setting QoS-based alarms and may provide data to
users via a portal.
[0078] In the embodiment shown in FIG. 3, the security server 104
also comprises a portal server 318. The portal server 318 may be,
for example, a web server. Any standard web server application may
be utilized, including Microsoft® Internet Information Server
("IIS") or Apache.
[0079] Although the security server 104 shown in FIGS. 1 and 3 is
illustrated as a single server, it may comprise multiple servers.
For example, in one embodiment of the present invention, the
security server 104 comprises multiple regional servers.
[0080] Also, the description above suggests that data is provided
to and queried from the security server 104 by the client 102,
i.e., the client pulls the data. However, in some embodiments, the
client 102 also comprises a listener (not shown) so that the
security server 104 can push data to the client 102.
Enterprise Server
[0081] FIG. 4 is a block diagram illustrating the modules present
on an enterprise server 106 in one embodiment of the present
invention. The enterprise server 106 may also be referred to herein
as a customer server and may comprise one or more servers for one
or more enterprises linked to one or more security servers 104.
[0082] The enterprise server 106 shown in FIG. 4 comprises a policy
server 402. The policy server 402 provides a means for managing the
policy rules, including, for example, available VPN profiles,
available transports (e.g., Wi-Fi, LAN, PHS, dialup), firewall
rules, such as blacklists and whitelists, connection rules, and
antivirus rules. The policy server 402 may include other rules as
well, such as the level of data throttling to perform for each
client or group of clients. Data throttling limits the data
transfer rate to a particular client 102 so that connection
resources can be optimized.
[0083] The policies may be managed at one or more levels. For
example, an IT manager may wish to create a VPN profile for the
enterprise as a whole, but a different VPN profile for an
engineering group since the engineering group needs access to
various unique applications.
[0084] The policy server 402 may also provide a mechanism for
configuring the location of various servers that the client 102
will utilize. For instance, the policy server 402 may allow an IT
manager to specify the IP address of an acceleration server 404 or
a vault server 406.
[0085] In one embodiment, the policy server also allows the IT
manager to specify which users receive updates for various
components on the client 102. The policy server 402 may also allow
the IT manager to perform connection configuration. For instance,
the IT manager may use the policy server to specify phone numbers
for PHS connections, Wi-Fi SSIDs for private connections, and
other connection configuration information.
[0086] The enterprise server 106 shown in FIG. 4 also comprises an
acceleration server 404. The acceleration server 404 performs
processes to improve the performance of data transfer. For
instance, the acceleration server 404 may automatically compress
images that are to be transferred to a client 102.
[0087] In one embodiment, the acceleration server 404 communicates
with the policy server 402. An IT manager sets acceleration rules
using the policy server 402, and the acceleration server 404 uses
these rules to determine what level of acceleration to use for a
particular communication. In one embodiment, the IT manager sets a
default level of acceleration for all communication and a specific
level of acceleration for one group of users. The specific level of
acceleration may be referred to as an override.
[0088] The enterprise server 106 also comprises a vault server 406.
The vault server comprises two components, an automatic component
and an administration component. In one embodiment, the automatic
component integrates with an enterprise's mail server (not shown)
and performs operations on emails to and from the mail server. For
instance, the vault server 406 may quarantine an email,
automatically encrypt the email before it is sent, add a legal
disclaimer to an email, or perform other functions on the
email.
[0089] In one embodiment, the automatic component of the vault
server 406 searches an email based on words or based on the domain
or specific address to which the email is addressed or from which
the email originated. Using this information, the user can perform
functions on the email, such as those described above.
[0090] The administration component of the vault server 406 allows
a user to terminate access to secure content, either by a specific
user or by all users. It also logs activity. Using one embodiment
of the vault server 406, a user can indicate that a set of users
whose employment has been terminated will no longer have access to
any secure content. In an alternative embodiment of the vault
server 406, a user can indicate that a given element of secure
content, say a price list, is now out of date, and so that piece of
secure content will no longer be viewable by any user. When each
user accesses the secure content, the vault server 406 logs the
event. So for each secure content element, the vault server 406
creates a log of all activity on the secure content.
[0091] In one embodiment, the vault server 406 also compresses
data. For instance, one embodiment utilizes standard PKZIP
compression to compress all content. In another embodiment, an IT
manager may identify three types of images and specify a different
level of compression for each type of image based on the level of
resolution necessary for each type of image.
[0092] The enterprise server 106 also comprises a RADIUS server 408
and LDAP server 410, which are similar to those described above in
relation to the security server 104. The RADIUS server 302 on the
security server 104 may proxy to the RADIUS server 408 on the
enterprise server 106. Similarly, data in the LDAP server 410 may
be propagated to the LDAP server 304 on the security server
104.
[0093] The enterprise server 106 also comprises a one-time password
("OTP") server 412. The OTP server 412 provides a mechanism for
authentication. For instance, in one embodiment of the present
invention, the enterprise server 106 uses the OTP server 412 to
perform a mutual authentication process.
[0094] The enterprise server 106 also comprises a concentrator 414.
The concentrator 414 provides remote access capability to the
client 102. For instance, the concentrator 414 may serve as a means
for terminating a VPN between the client 102 and enterprise server
106.
[0095] The enterprise server 106 shown in FIG. 4 also comprises a
portal server 416. The portal server 416 may comprise a standard
web server, such as IIS or Apache. The portal server 416 may
provide one or more portals. For example, in one embodiment, the
portal server 416 provides two portals, portal one and portal
two.
[0096] Portal one provides a configuration interface for managing
the various elements shown in FIGS. 2 and 3, including, for
example, the policy server 402 and LDAP server 410. Portal two
provides an interface for accessing data, such as QoS data and
session data.
[0097] For instance, a user may use historical QoS data on portal
two to determine how a particular provider is performing in terms
of throughput, user connections, and other QoS metrics. Portal two
may also provide real-time information, such as how many users are
currently connected.
[0098] For instance, in one embodiment, an IT manager determines
that twenty users have been rejected by a carrier in the last three
minutes due to authentication failure and five users with the same
user identifier are currently logged on to five different devices.
The IT manager uses this information to detect a potential security
problem. Portal two may also be used to set alerts as described
above.
[0099] It should be noted that the present invention may comprise
systems having a different architecture than that which is shown in
FIG. 1. For example, in some systems according to the present
invention, first authentication server 118 and final authentication
server 126 may be combined in a single server. The system 100 shown
in FIG. 1 is merely illustrative, and is used to help explain the
illustrative systems and processes discussed below.
Illustrative Methods of Monitoring and Displaying Performance
Metrics
[0100] In one embodiment of the present invention, performance
metrics are initially collected and stored on a client device 102.
The performance metrics may be based on a variety of factors, such
as the VPN status, the health of the client device, and the health
of the network. The client device 102 uploads performance metrics
to a QoS server 314. Performance metrics may be uploaded on a
real-time or a periodic basis (e.g. daily, weekly, or monthly).
FIG. 5 is a flowchart illustrating a process for collecting and
storing performance metrics in one embodiment of the present
invention.
[0101] In the embodiment shown in FIG. 5, the client device 102
attempts to open a network connection 502. For example, the
connection manager 210 may attempt to re-establish the last
successful connection. The connection may occur over any available
connection type, such as via a LAN or WWAN.
[0102] The client device 102 then determines whether the network
connection was successful 504. If the network connection fails, the
client device 102 logs the failed connection attempt 506. For
example, the client device may store the time when the connection
was attempted, the number of unsuccessful attempts, and the network
identifier. The failure may be logged with other performance
metrics or separately.
[0103] In the embodiment shown in FIG. 5, if the network connection
is successful, the QoS collector 212 sends the performance metrics
captured from the previous session to the QoS server 314. By
waiting until a subsequent session to send performance metrics, an
embodiment of the present invention helps to ensure that the data
is successfully transferred. In one embodiment, the transfer does
not occur until the connection manager 210 identifies a high-speed
connection over which to transmit the data. In other embodiments,
slow-speed and high-speed connections are utilized.
[0104] In one embodiment of the present invention, a client device
102 will establish a connection with the security server 104 and
upload QoS data to the QoS server 314 in a manner that is
transparent to the user. For instance, the upload process may run
as a service, and each time the client device 102 connects to a
network, the upload process executes.
[0105] Once a connection failure is logged 506 or performance
metrics from the previous session are uploaded 508, the QoS
collector 212 begins collecting performance metrics 510.
Performance metrics may comprise, for example, QoS statistics, a
network node (e.g., base station) identifier, client device
performance measures, and other data. In one embodiment, the
performance metrics comprise a transport identifier, a start time,
a connection duration, a bytes sent quantity, a bytes received
quantity, a data rate up quantity, a data rate down quantity, a
protocol identifier, an application identifier, a success code, a
signal strength quantity, a network type code, a packet size
quantity, a CPU utilization quantity, a memory consumption
quantity, a power level quantity, applications executing, a disk
space quantity, a device identifier, and a termination cause. In
one embodiment of the present invention the client device stores
averages of certain metrics, such as data rate up and packet
size.
[0106] Once the QoS collector 212 has collected performance
metrics, the QoS collector 212 stores the performance metrics 512.
In one embodiment, the QoS collector 212 stores the performance
metrics as a text file. In another embodiment, the QoS collector
212 stores the performance metrics in a data store, such as a
database.
[0107] In one embodiment, storage and transmission of QoS data is
minimized by only collecting and storing QoS exceptions. For
instance, the number of bytes sent may only be stored and
transmitted by the QoS collector 212 if the number falls below a
certain threshold or outside a certain predefined range. In another
embodiment, only summary data is sent unless the QoS collector 212,
QoS server 314, or some other component or process determines that
detailed data should be sent as well. For example, a network
support person may determine that a connection appears to be
suffering from intermittent outages. The network support person can
cause the QoS collector 212 and QoS server 314 to begin collecting
and storing detailed information regarding the segment of the
network that appears to be having problems.
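The FIG. 5 collection flow (steps 502 through 512) together with the exception-only storage of paragraph [0107], as an added example that is not part of the application: a client-side collector that logs failed attempts, uploads the previous session's metrics only once a new connection succeeds, and in exception-only mode stores just the metrics that fall outside an assumed range. The metric field names, the thresholds in EXCEPTION_RANGES and the uploader callback are assumptions, not taken from the application.

```python
import json
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional, Tuple


# A subset of the performance metrics the text lists; field names are assumed.
@dataclass
class SessionMetrics:
    device_id: str
    transport_id: str         # e.g. "wwan", "lan", "wifi"
    start_time: float         # seconds since the epoch
    duration_s: float
    bytes_sent: int
    bytes_received: int
    rate_down_kbps: float
    signal_strength_dbm: int
    cpu_utilization_pct: float
    termination_cause: str


# Predefined ranges for exception-only mode (assumed thresholds): a metric is
# recorded only when it falls outside (low, high); None means unbounded.
EXCEPTION_RANGES: Dict[str, Tuple[Optional[float], Optional[float]]] = {
    "rate_down_kbps": (256.0, None),      # below 256 kbps is an exception
    "signal_strength_dbm": (-90, None),   # weaker than -90 dBm is an exception
    "cpu_utilization_pct": (None, 85.0),  # above 85% is an exception
}


def select_exceptions(m: SessionMetrics) -> Dict[str, float]:
    """Return only the metrics that fall outside their predefined range."""
    out: Dict[str, float] = {}
    for name, (low, high) in EXCEPTION_RANGES.items():
        value = getattr(m, name)
        if (low is not None and value < low) or (high is not None and value > high):
            out[name] = value
    return out


class QoSCollector:
    """Client-side collector following the FIG. 5 flow.

    Metrics are held locally (the "text file") and the previous session's
    metrics are sent only after a new connection succeeds, so an upload is
    never attempted over a link that is about to fail.
    """

    def __init__(self, uploader: Callable[[List[dict]], bool], exceptions_only: bool = False):
        self.uploader = uploader              # returns True when the server accepted the data
        self.exceptions_only = exceptions_only
        self.pending: List[dict] = []         # metrics stored but not yet uploaded
        self.failures: List[dict] = []        # failed connection attempts (step 506)
        self.consecutive_failures = 0

    def on_connect_attempt(self, success: bool, network_id: str, now: float) -> str:
        """Steps 502-508: log a failure, or upload the previous session's metrics."""
        if not success:
            self.consecutive_failures += 1
            self.failures.append({"time": now, "attempts": self.consecutive_failures,
                                  "network": network_id})
            return "logged_failure"
        self.consecutive_failures = 0
        if not self.pending:
            return "connected"
        if self.uploader(list(self.pending)):
            self.pending.clear()              # drop the local copy only after a confirmed transfer
            return "uploaded"
        return "upload_deferred"              # keep the data for the next successful connection

    def record_session(self, m: SessionMetrics) -> dict:
        """Steps 510-512: collect and store one session's metrics."""
        record = select_exceptions(m) if self.exceptions_only else asdict(m)
        if not record:
            return {}                         # nothing exceptional, so nothing is stored
        record = dict(record, device_id=m.device_id, start_time=m.start_time)
        self.pending.append(record)
        return record

    def export_text(self) -> str:
        """Serialise the pending metrics as one JSON object per line."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.pending)
```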
[0108] FIG. 6 is a flowchart illustrating a process for providing a
network status to a user interface in one embodiment of the present
invention. In the embodiment shown in FIG. 6, the QoS server 314
first receives performance metrics 602. For instance, the QoS
server 314 may receive performance metrics from the QoS collector
212.
[0109] The QoS server 314 may also receive performance metrics by
receiving a Simple Network Management Protocol ("SNMP") trap. A
SNMP trap is a notification event or alert issued by a managed
device to a network management device when a significant event
occurs. A significant event may be a device start or stop, an
outage, a fault, or a security violation but is not limited to
these events.
[0110] The server relies on SNMP traps for components on the
security server 104 that are SNMP aware. In one embodiment, for
components that are not SNMP aware or to augment SNMP traps, the
QoS server 314 monitors log files, such as flat files or
databases where information is logged. The data captured from SNMP
traps and from direct monitoring of log files is then combined and
stored in a data store. In one embodiment, the captured data is
used to generate a multi-dimensional database so that support
personnel or others can query information.
[0111] In some embodiments, performance metrics may be discarded
based on various criteria. For instance, in one embodiment, a user
can choose to discard performance metrics from a particular
session. In another embodiment, performance metrics from sessions
lasting less than a predetermined duration, such as thirty seconds,
may be discarded automatically. Performance metrics may also be
discarded after a predetermined period of time, e.g., performance
metrics collected and stored for more than three months may be
discarded.
[0112] In one embodiment, the QoS server 314 also polls client
devices 102 or checks log files or database tables. For instance,
the QoS server may utilize a server/agent model to pull information
from each device on the network, including, for example, servers,
routers, and switches. The data collected may comprise the
following: VPN status from client devices 102 to the security
server 104 (including up state and throughput); static VPNs from
the security server 104 to the enterprise server 106 (including up
state and throughput); health of each of the physical devices on
the network; and health of the services that the network
provides.
[0113] The QoS server 314 next determines a status of the network
604. The status of the network may comprise information identifying
a problem, such as congestion. The status may also comprise other
information, such as the cost, stability, or speed of the network
or of a portion of the network.
[0114] Once the QoS server 314 has received performance metrics and
determined a status of the network, the QoS server 314 provides the
status of the network to a user interface 606. Providing the status
of the network to a user interface may comprise generating an
alert. Alternatively, the user interface may comprise a web portal
for providing the status of the network. The portal may be capable
of displaying an alert.
[0115] FIG. 7 is a flowchart illustrating a process for determining
a status of the network in one embodiment of the present invention.
In the embodiment shown, the QoS tools engine 316 on the security
server 104 loads performance metrics 702. For instance, the
performance metrics may exist in an XML file, which the QoS tools
engine 316 opens and reads.
[0116] The QoS tools engine 316 then determines a status of the
network 604. In one embodiment of the present invention, the status
of the network is based on the performance metrics alone. In other
embodiments, the performance metrics are used in conjunction with
other information to determine a status of the network.
[0117] The QoS tools engine 316 may determine the status of the
network is a problem, such as congestion 704. In other embodiments,
the QoS tools engine 316 may generate a bill reconciliation status
706, provide a capacity planning status 708, generate a carrier
audit report 710, or generate a security related policy 712.
Alternatively, the network status may be sent to the policy server
402 or the enterprise server 106.
[0118] In one embodiment, an enterprise monitors the particular
protocols a user or client device is using when accessing the
network. The enterprise uses this information to determine policies
to put into place on the policy server 402. For instance, a user
may use an application that utilizes HTTP to access various web
sites. Based on the URLs of the web sites that the user is
accessing, the enterprise may determine that the network usage is
mainly streaming media. If the
enterprise determines it is necessary, a policy can be set to limit
the amount of bandwidth available for these downloads or to
blacklist the site or sites that the user is accessing.
[0119] In one embodiment, the QoS server 314 helps carriers to
identify problems before they become outages. For instance,
wireless base stations often degrade in performance before they
stop passing data, e.g., a user can send a short message but not a
long one. When degradation is sensed, an alert can be provided to
the appropriate support person.
[0120] FIG. 8 is a flowchart illustrating a method for providing
the status of the network to a user interface in another embodiment
of the present invention. In the embodiment shown, the QoS tools
engine 316 determines a status of the network 604. The status of
the network is then provided to a user interface 606. In one
embodiment, providing the status of the network to the user
interface comprises generating an alert 802. An example of an alert
may be an auditory buzz or a message. In another embodiment, the
status of the network may be provided to a web portal 804. In yet
another embodiment, the user interface may be a spreadsheet
806.
[0121] In one embodiment, data from the QoS server 314 is used by
the policy server 402. For instance, the fact that a particular
connection is more stable or faster than another connection may be
used to determine connection preferences. The enterprise is able to
weigh such information based on factors internal to the enterprise
as part of the process of determining rules for the policy server.
In such an embodiment, two users sitting in the same location may
connect in different ways to their respective enterprise networks,
depending on the weighting each enterprise gives to each factor in
determining a policy.
[0122] For example, in one embodiment portal server 416 accesses
data collected by the QoS server 314. The portal server 416 may
access this data by connecting to the security server 104 or by
storing the data in a data store on the enterprise server. The data
accessed by the portal server 416 may be a subset of the data that
is collected by the QoS server 314. In such an embodiment, a user
accesses the portal server 416 to view network status information
in real-time. Such real-time access enables effective and efficient
troubleshooting of the network connections and the ability to
determine a particular carrier's stability. If a network problem
exists, the portal may cause an auditory buzz to be output when
information is displayed on the portal in relation to the
problem.
[0123] In another embodiment, the user is provided with summary
data. The summary data provides information that can be used to
perform historical analysis and trend analysis on network
connections.
[0124] In one embodiment, a statistical model is applied to the
data in the QoS server 314. In another embodiment, a predetermined
threshold is set for various measures. When the threshold is
exceeded, an alert is generated. For instance, if the QoS server
314 determines that a single login account is logged into more than
five devices or in more than one geographic location
simultaneously, an alert is generated identifying a possible
intrusion. In such an embodiment, an enterprise can set its own
security events based on its particular needs.
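The threshold rules of paragraphs [0098] and [0124] together with the discard rules of paragraph [0111], as an added example that is not part of the application: a server-side rules engine that first prunes stale and very short sessions, then raises an alert when one carrier rejects twenty or more users within three minutes, when one login account is active on more than five devices, or when it is active in more than one geographic location at once. The record format, field names and sample log lines are constructed; the thresholds follow the text.

```python
import datetime as dt
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Thresholds taken from the text; an enterprise would set its own values.
MIN_SESSION_S = 30                          # sessions shorter than this are discarded
MAX_AGE = dt.timedelta(days=90)             # roughly "three months"
AUTH_FAIL_WINDOW = dt.timedelta(minutes=3)
AUTH_FAIL_LIMIT = 20
MAX_DEVICES_PER_USER = 5                    # alert when a login exceeds this


@dataclass
class Record:
    ts: dt.datetime
    event: str            # "auth_failed" or "session"
    user: str
    device: str
    carrier: str
    location: str
    duration_s: int = 0   # session length (session events only)
    active: bool = False  # still logged on (session events only)


def parse_line(line: str) -> Record:
    """Parse one constructed record of the form
    <UTC time>Z <event> <user> <device> <carrier> <location> [<seconds> active|ended]"""
    p = line.split()
    rec = Record(dt.datetime.strptime(p[0], "%Y-%m-%dT%H:%M:%SZ"), p[1], p[2], p[3], p[4], p[5])
    if rec.event == "session":
        rec.duration_s = int(p[6])
        rec.active = p[7] == "active"
    return rec


def prune(records: List[Record], now: dt.datetime) -> List[Record]:
    """Discard rules: drop records older than MAX_AGE and ended sessions shorter than
    MIN_SESSION_S (an active session has no final duration yet, so it is kept)."""
    kept = []
    for r in records:
        if now - r.ts > MAX_AGE:
            continue
        if r.event == "session" and not r.active and r.duration_s < MIN_SESSION_S:
            continue
        kept.append(r)
    return kept


def evaluate(records: List[Record], now: dt.datetime) -> List[Dict[str, str]]:
    """Run the threshold rules over pruned records and return one alert per violation."""
    alerts: List[Dict[str, str]] = []
    records = prune(records, now)

    # Rule 1: many authentication rejections by one carrier in the last three minutes.
    fails: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.event == "auth_failed" and now - r.ts <= AUTH_FAIL_WINDOW:
            fails[r.carrier] += 1
    for carrier, n in sorted(fails.items()):
        if n >= AUTH_FAIL_LIMIT:
            alerts.append({"rule": "carrier_auth_failures", "subject": carrier, "count": str(n)})

    # Rules 2 and 3: one login account active on too many devices, or in more
    # than one geographic location at the same time (a possible intrusion).
    devices: Dict[str, Set[str]] = defaultdict(set)
    places: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.event == "session" and r.active:
            devices[r.user].add(r.device)
            places[r.user].add(r.location)
    for user in sorted(devices):
        if len(devices[user]) > MAX_DEVICES_PER_USER:
            alerts.append({"rule": "too_many_devices", "subject": user,
                           "count": str(len(devices[user]))})
        if len(places[user]) > 1:
            alerts.append({"rule": "multiple_locations", "subject": user,
                           "count": str(len(places[user]))})
    return alerts


def build_sample(now: dt.datetime) -> List[str]:
    """Constructed log lines for the example (not real data)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(20):                     # 20 users rejected by carrierX within two minutes
        t = (now - dt.timedelta(seconds=10 + 5 * i)).strftime(fmt)
        lines.append(f"{t} auth_failed user{i:02d} dev-x{i:02d} carrierX denver")
    t = (now - dt.timedelta(minutes=1)).strftime(fmt)
    for i in range(6):                      # one account logged on to six devices
        lines.append(f"{t} session bob dev-b{i} carrierY denver 60 active")
    t = (now - dt.timedelta(minutes=2)).strftime(fmt)
    lines.append(f"{t} session carol dev-c1 carrierY denver 120 active")   # same account,
    lines.append(f"{t} session carol dev-c2 carrierZ tokyo 120 active")    # two cities at once
    lines.append(f"{t} session dave dev-d1 carrierY denver 10 ended")      # too short: discarded
    old = (now - dt.timedelta(days=120)).strftime(fmt)
    lines.append(f"{old} auth_failed eve dev-e1 carrierX denver")          # stale: discarded
    return lines


def run_example(now: dt.datetime = dt.datetime(2005, 6, 27, 12, 0, 0)) -> List[Dict[str, str]]:
    return evaluate([parse_line(line) for line in build_sample(now)], now)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```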
[0125] Once the customer identifies a potential problem, the
customer can alert the carrier or other service provider of the
potential problem. In this way, the customer is able to identify
the party responsible for the problem without the need to contact
multiple service providers, e.g., the carrier and network equipment
providers.
[0126] In another embodiment, a network support person accesses the
portal server 318 on the security server 104. The portal server 318
accesses the QoS server 314 or a data store to obtain the data
collected by the QoS server 314. The data available on the security
provider's portal server 318 may be more extensive than that
available via the enterprise's portal server 416. The network
support person uses the data available on the portal server 318 to
analyze the performance of the network, troubleshoot potential
network problems, and perform other support functions, such as
capacity planning.
[0127] For example, a carrier may use an embodiment of the present
invention to determine where an additional hotspot is necessary to
adequately support the carrier's user base. The network may not be
experiencing any problems; it just may be less expensive to switch
to another type of network, such as from a cellular network to a
Wi-Fi network.
[0128] In one embodiment of the present invention, the QoS server
314 identifies potential problems with client device 102. For
instance, the QoS server 314 may detect that the CPU or memory
utilization of a particular client is above a predefined threshold.
In such an embodiment, problems with the client device 102 can be
eliminated before attempting to diagnose a problem with the
network.
[0129] The portal server 318 provides data that is highly granular.
The data provides information on aspects of performance that can
indicate that a problem is occurring or may soon occur. For
example, one page provided by the portal server 318 displays a
schematic view of the VPNs to and from the security server 104.
When a potential problem is detected with one of the VPNs, the
portal server 318 causes the portion of the schematic illustrating
that VPN to become highlighted. A network support person accessing
the portal can then easily detect a problem or potential problem.
The user can then drill down to the level of detail necessary to
diagnose and resolve the problem.
[0130] In one embodiment, the information collected by the QoS
server 314 is utilized to audit bills from multiple network
carriers or other service providers. For instance, the duration of
connections made over a particular communication line may be
determined based on performance metrics and compared to the invoice
for services provided by a carrier.
[0131] In another embodiment of the present invention, the QoS
server 314 provides information to a network management system. The
network management system completes a matrix of properties for each
of the networks. The matrix may comprise measures such as
stability, cost, speed, and geography. The matrix is then used to
determine which available connection is best for a particular
client device 102, application, time of day, or based on some other
variable. For instance, a user in the Denver airport has an
available cellular connection with carrier X and an available
cellular connection with carrier Y simultaneously. The connection
manager 210 utilizes the matrix to determine that the congestion on
the base station operated by carrier Y is lower than that of
carrier X and that the base station of carrier Y drops fewer
packets and fewer signals. After evaluating this information, the
connection manager 210 connects the user's client device 102 to
carrier Y's base station.
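The property matrix and the selection step of paragraph [0131] can be expressed as a weighted score over measures normalized across the connections that are reachable at the client's location. The Python below is an added example, not code from the patent or from any product: the measure names, the per-application weights, and the sample networks (including an airport Wi-Fi row, which also illustrates the cellular-to-Wi-Fi case of paragraph [0127]) are assumed values constructed for illustration, and the example goes beyond the text by letting the weights vary with the application.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkProfile:
    """One row of the property matrix, as a QoS server could populate it."""
    name: str
    stability: float      # fraction of sessions that ended without a drop (higher is better)
    cost: float           # price per MB in arbitrary units (lower is better)
    speed: float          # measured throughput in Mbps (higher is better)
    congestion: float     # base-station load, 0..1 (lower is better)
    packet_loss: float    # fraction of packets dropped, 0..1 (lower is better)
    locations: frozenset  # geographic areas where this network is reachable


# Direction of each measure: True when a larger value is better.
HIGHER_IS_BETTER = {"stability": True, "cost": False, "speed": True,
                    "congestion": False, "packet_loss": False}

# Per-application weights (assumed values): a voice call cares about drops and
# congestion, a bulk download about throughput and price. Each set sums to 1.
APPLICATION_WEIGHTS = {
    "voip": {"stability": 0.35, "packet_loss": 0.35, "congestion": 0.20,
             "speed": 0.05, "cost": 0.05},
    "bulk_download": {"speed": 0.40, "cost": 0.40, "stability": 0.10,
                      "congestion": 0.05, "packet_loss": 0.05},
}

# Constructed sample matrix (not measurements from the patent). Carrier Y's
# base station is less congested and drops fewer packets than carrier X's.
SAMPLE_NETWORKS = [
    NetworkProfile("carrier-X-cellular", 0.92, 0.10, 1.5, 0.8, 0.04,
                   frozenset({"Denver airport", "Denver"})),
    NetworkProfile("carrier-Y-cellular", 0.95, 0.12, 1.2, 0.3, 0.01,
                   frozenset({"Denver airport", "Denver"})),
    NetworkProfile("airport-wifi", 0.80, 0.00, 6.0, 0.5, 0.02,
                   frozenset({"Denver airport"})),
    NetworkProfile("carrier-Z-cellular", 0.90, 0.08, 2.0, 0.4, 0.03,
                   frozenset({"Tokyo"})),
]


def score_matrix(candidates, weights):
    """Min-max normalise each measure across the candidates (1.0 = best of the
    set, 0.0 = worst) and return {name: weighted score}."""
    scores = {c.name: 0.0 for c in candidates}
    for measure, weight in weights.items():
        values = [getattr(c, measure) for c in candidates]
        lo, hi = min(values), max(values)
        for c, v in zip(candidates, values):
            if hi == lo:
                norm = 1.0  # identical values carry no information
            else:
                norm = (v - lo) / (hi - lo)
                if not HIGHER_IS_BETTER[measure]:
                    norm = 1.0 - norm
            scores[c.name] += weight * norm
    return scores


def select_connection(networks, location, application):
    """Pick the best reachable network for a location and application, or
    None when nothing in the matrix covers that location (the geography
    column acts as a hard filter, the other measures as a soft ranking)."""
    usable = [n for n in networks if location in n.locations]
    if not usable:
        return None
    scores = score_matrix(usable, APPLICATION_WEIGHTS[application])
    return max(usable, key=lambda n: scores[n.name]).name


if __name__ == "__main__":
    for app in APPLICATION_WEIGHTS:
        print(app, "->", select_connection(SAMPLE_NETWORKS, "Denver airport", app))
```

With the constructed matrix, a voice call at the Denver airport goes to carrier Y's base station, as in the paragraph's example, because its low congestion and packet loss dominate the weighting; a bulk download at the same location goes to the airport Wi-Fi, since cost and throughput dominate there. Geography is applied as a filter before scoring, so a network that only covers Tokyo never competes for a Denver client.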
General
[0132] The foregoing description of the embodiments, including
preferred embodiments, of the invention has been presented only for
the purpose of illustration and description and is not intended to
be exhaustive or to limit the invention to the precise forms
disclosed. Numerous modifications and adaptations thereof will be
apparent to those skilled in the art without departing from the
spirit and scope of the present invention.
* * * * *