DETERMINING WHETHER A DEVICE IS INSIDE A NETWORK
Background
[0001] Many computing devices are mobile devices that can be easily transported to
different locations. These mobile devices can sometimes operate in different manners
based on whether they are considered to be inside a particular network. However, it can
be difficult to reliably determine when a mobile device is inside a particular network at
any particular time.
Summary
[0002] This Summary is provided to introduce a selection of concepts in a simplified
form that are further described below in the Detailed Description. This Summary is not
intended to identify key features or essential features of the claimed subject matter, nor is
it intended to be used to limit the scope of the claimed subject matter.
[0003] In accordance with one or more aspects, a network address of a computing
device is obtained. A check is made as to whether the network address is within a desired
range of network addresses and/or whether a resource access manager for a particular
network can be accessed. A determination is made that the computing device is inside the
particular network if both the network address is within the desired range of network
addresses and the resource access manager can be accessed, otherwise a determination is
made that the computing device is outside the particular network.
[0004] In accordance with one or more aspects, a computing device sends an
unencrypted request to a resource access manager of a particular network. If both a
response is received from the resource access manager and the computing device has a
network address within a desired range of network addresses, then a determination is made
that the resource access manager can be accessed and that the computing device is inside
the particular network. Otherwise, a determination is made that the resource access
manager cannot be accessed and that the computing device is outside the particular
network.
Brief Description of the Drawings
[0005] The same numbers are used throughout the drawings to reference like features.
[0006] Fig. 1 illustrates an example system implementing the determining whether a
device is inside a network in accordance with one or more embodiments.
[0007] Fig. 2 illustrates another example system implementing the determining
whether a device is inside a network in accordance with one or more embodiments.
[0008] Fig. 3 is a flowchart illustrating an example process for a computing device
determining whether it is inside or outside a particular network in accordance with one or
more embodiments.
[0009] Fig. 4 is a flowchart illustrating an example process for a computing device
determining whether a domain controller can be accessed in accordance with one or more
embodiments.
[0010] Fig. 5 illustrates an example computing device that can be configured to
implement the determining whether a device is inside a network in accordance with one or
more embodiments.
Detailed Description
[0011] Determining whether a device is inside a network is discussed herein. A
computing device obtains a network address and attempts to access a resource access
manager (e.g., a domain controller) of a particular network (e.g., a corporate network).
The computing device determines that it is inside that particular network if the network
address of the computing device is within a range of addresses that can be assigned to
devices inside that particular network and the resource access manager of the particular
network can be accessed. Otherwise, the computing device determines that it is outside
the particular network.
[0012] References are made herein to encryption, symmetric key cryptography, public
key cryptography and public/private key pairs. Although such key cryptography is wellknown
to those skilled in the art, a brief overview of such cryptography is included here to
assist the reader. In public key cryptography, an entity (such as a user, hardware or
software component, a device, a domain, and so forth) has associated with it a
public/private key pair. The public key can be made publicly available, but the entity
keeps the private key a secret. Without the private key it is computationally very difficult
to decrypt data that is encrypted using the public key. So, data can be encrypted by any
entity with the public key and only decrypted by an entity with the corresponding private
key. Additionally, a digital signature for data can be generated by using the data and the
private key. Without the private key it is computationally very difficult to create a
signature that can be verified using the public key. Any entity with the public key can use
the public key to verify the digital signature by executing a suitable digital signature
verification algorithm on the public key, the signature, and the data that was signed.
[0013] In symmetric key cryptography, on the other hand, a shared key (also referred
to as a symmetric key) is known by and kept secret by the two entities. Any entity having
the shared key is typically able to decrypt data encrypted with that shared key. Without
the shared key it is computationally very difficult to decrypt data that is encrypted with the
shared key. So, if two entities both know the shared key, each can encrypt data that can be
decrypted by the other, but other entities cannot decrypt the data if the other entities do not
know the shared key. Similarly, an entity with a shared key can encrypt data that can be
decrypted by that same entity, but other entities cannot decrypt the data if the other entities
do not know the shared key. Additionally, digital signatures can be generated based on
symmetric key cryptography, such as using a keyed-hash message authentication code
mechanism. Any entity with the shared key can generate and verify the digital signature.
For example, a trusted third party can generate a symmetric key based on an identity of a
particular entity, and then can both generate and verify digital signatures for that particular
entity (e.g., by encrypting or decrypting the data using the symmetric key).
[0014] Fig. 1 illustrates an example system 100 implementing the determining whether
a device is inside a network in accordance with one or more embodiments. System 100
includes a network 102, which is one or more devices coupled together via a
communication network. The communication network can include wired and/or wireless
communications, and allows various ones of the devices in network 102 to communicate
with various other devices in network 102. The communication network can be, for
example, a local area network (LAN), a public telephone network, a private telephone
network, other public and/or proprietary networks, combinations thereof, and so forth.
[0015] Network 102 includes various devices, including one or more routers 104, one
or more devices implementing a domain name system (DNS) service 106, one or more
gateways 108, one or more devices implementing a domain controller 110, and one or
more other devices 112. Routers 104 route data packets or other information among the
various devices of network 102. Gateways 108 manage connecting network 102 to other
networks (e.g., the Internet) or other devices outside network 102. Communications from
devices inside network 102 to devices outside network 102, as well as communications
from devices outside network 102 to devices inside network 102, are managed by gateway
108.
[0016] DNS service 106 resolves names to network addresses, mapping a particular
name (e.g., domain name) to a corresponding network address that can be used by another
device (e.g., computing device 120) to access a particular device or service. This mapping
of a domain name to a corresponding network address is also referred to as DNS
resolution. In one or more embodiments, DNS service 106 implements a DNS system in
compliance with the well-known DNS protocol (e.g., as discussed in Network Working
Group Request for Comments 1034 (November 1987) and in Network Working Group
Request for Comments 1035 (November 1987)). Alternatively, DNS service 106 can
implement other systems or protocols that perform similar functionality.
[0017] Devices 112 can be a variety of different types of devices, including
computing devices such as a desktop computer, a server computer, a laptop or netbook
computer, a tablet or notepad computer, a mobile station, a database or other storage
device, an entertainment appliance, a set-top box communicatively coupled to a display
device, a television or other display device, a cellular or other wireless phone, a game
console, an automotive computer, and so forth. Devices 112 can also be various types of
input devices, such as a scanner, a camera or other image capture device, and so forth.
Devices 112 can also be various types of output devices, such as printers, facsimile
machines, projectors or other display devices, and so forth.
[0018] Domain controller 110 is a resource access manager that manages
authenticating users (or devices) and access permissions for devices in network 102.
Domain controller 110 allows users to log in and authenticate themselves to domain
controller 110, and gain access to one or more domains or other collections of devices in
network 102. Although the determining whether a device is inside a network techniques
discussed herein refer to a domain controller (e.g., domain controller 110), it should be
noted that other types of resource access managers can alternatively be used in place of
domain controllers. These resource access managers can manage access permissions for
different collections or groups of devices, regardless of whether such collections or groups
are deemed to be part of a domain.
[0019] DNS service 106 and domain controller 110 are each typically implemented on
one or more servers, although one or both of DNS service 106 and domain controller 110
can alternatively be implemented on other types of devices. DNS service 106 and domain
controller 110 can be implemented on the same devices, or alternatively on different
devices.
[0020] Typically network 102 includes multiple devices, including at least one router
104, at least one device implementing at least part of DNS service 106, at least one
gateway 108, at least one device implementing at least part of domain controller 110, and
at least one device 112. However, it should be noted that network 102 can include any
number of routers 104, any number of devices implementing at least part of DNS service
106, any number of gateways 108, any number of devices implementing at least part of
domain controller 110, and any number of devices 112. It should also be noted that not all
such devices need be included in a network (e.g., no devices 112 may be included in a
network). Additionally, it should be noted that one or more of such devices of network
102 can be combined into a single device. For example, a single device may provide the
functionality of a router 104 and a gateway 108. One or more devices of network 102 also
typically operates as a dynamic host configuration protocol (DHCP) server, assigning
network addresses (such as Internet Protocol (IP) addresses) to devices in network 102.
[0021] In example system 100, network 102 also includes a computing device 120
having an inside/outside network determination module 122. Computing device 120 can
also be one of devices 112. Computing device 120 can be a variety of different types of
computing devices, such as a desktop computer, a server computer, a laptop or netbook
computer, a tablet or notepad computer, a mobile station, a database or other storage
device, an entertainment appliance, a set-top box communicatively coupled to a display
device, a television or other display device, a cellular or other wireless phone, a game
console, an automotive computer, and so forth. Computing device 120 is oftentimes a
mobile computing device that can be easily moved to different locations inside network
102, as well as easily moved between locations inside network 102 and locations outside
network 102, such as a cellular or other wireless phone, a laptop or notepad computer, and
so forth. Thus, network 102 can include computing device 120 at times (when computing
device 120 is inside network 102), and not include computing device 120 at other times
(when computing device 120 is outside network 102). Although a single computing
device 120 is illustrated in system 100, it should be noted that multiple computing devices
120 of the same or different types of devices can be included in network 102.
[0022] Devices included in network 102 are configured to communicate with one
another via the communication network. This configuration of a device can be performed
when the device is added to network 102, and can also be performed at various times after
the device is already included as part of network 102. Gateway 108 permits
communication between devices included in network 102 and devices that are not
included in network 102 based on particular policies and/or rules. The particular policies
and/or rules followed by gateway 108 can vary, based on the owner and/or designer of
network 102, an administrator of network 102, and so forth.
[0023] A computing device, such as computing device 120, communicates with other
devices in network 102 by connecting to network 102. Connecting to network 102 refers
to establishing a communication link between the computing device and network 102.
Establishing the communication link includes one or more of obtaining a network address
for the computing device (e.g., assigned by a DHCP server of network 102), authenticating
the computing device or a user of the computing device to a domain controller 110 (e.g.,
using a user name and password, using a digital certificate, etc.), negotiating a protocol
with a device included as part of network 102 (e.g., with a router 104 or gateway 108),
establishing a secure (e.g., encryption) communication channel with a device included as
part of network 102 (e.g., gateway 108), and so forth.
[0024] Establishing of a communication link between the computing device and
network 102 can be initiated by the computing device or another device (e.g., a device
included as part of network 102). Once the communication link is established, the
computing device can communicate with other devices in network 102 (subject to any
access control policies in place in network 102).
[0025] A device, such as computing device 120, can be referred to as being inside a
network or outside a network. A device that is inside (also referred to as internal to) a
network is a device that is included in the network and thus is able to communicate with
other devices included in that network without having to access devices outside that
network. Thus, for example, router 104, gateway 108, device 112, devices implementing
DNS service 106, and devices implementing domain controller 110 in system 100 are
inside network 102 and are configured to communicate with one another via the
communication network of network 102 without accessing devices outside network 102.
Devices inside network 102 can communicate with other devices that are not inside
network 102 by way of gateway 108. It should also be noted that although devices inside
network 102 can communicate with one another via the communication network, various
access control restrictions on which (or the manner in which) devices inside network 102
can access which other devices inside network 102 can be implemented.
[0026] A device that is outside (also referred to as external to) a network is a device
that is not inside that network. Such a device can communicate with devices inside that
network by way of a gateway of that network. Thus, for example, router 104, gateway
108, device 112, devices implementing DNS service 106, and devices implementing
domain controller 110 can receive communications from (and send communications to)
devices outside network 102 via gateway 108, subject to the policies and/or rules used by
gateway 108.
[0027] Which devices are included in network 102 can be defined in different
manners, and can be based at least in part on the desires of an entity implementing
network 102 and/or an administrator of network 102. In one or more embodiments,
network 102 is defined by the devices served by DNS service 106. Devices inside
network 102 submit DNS queries to, and receive DNS responses from, DNS service 106.
A device outside network 102 is unable to access DNS service 106 (e.g., the policies
and/or rules used by gateway 108 prevent the device from accessing DNS service 106).
[0028] In one or more other embodiments, network 102 is defined by the devices that
are able to access one another without communications passing through a firewall (e.g.,
implemented by gateway 108 or another device) or accessing the Internet. Devices inside
network 102 are those devices that can access one another (subject to any access control
policies in place in network 102) without communications passing through the firewall or
accessing the Internet. Devices that communicate with devices inside network 102 by way
of the firewall or Internet are outside network 102.
[0029] Additionally, in one or more embodiments network 102 is a network that is
administered by or for a particular business entity (e.g., a particular company, a particular
division or unit of a company, etc.), and thus is referred to as a corporate network.
Alternatively, network 102 can be other types of networks, such as a home network, an
educational network, a gaming network, and so forth.
[0030] In the example of system 100, computing device 120 is inside network 102.
However, situations can arise in which computing device 120 becomes outside the
network. For example, computing device 120 can be moved to a different location at
which computing device 120 is unable to establish a communication link with network
102 in a manner that would make computing device 120 inside network 102. It should be
noted that, throughout its use, computing device 120 can be moved between being inside
network 102 and outside network 102 numerous times.
[0031] Fig. 2 illustrates another example system 200 implementing the determining
whether a device is inside a network in accordance with one or more embodiments.
System 200 is similar to system 100 of Fig. 1, including network 102, one or more routers
104, a DNS service 106, one or more gateways 108, a domain controller 110, and one or
more other devices 112. System 200 also includes computing device 120. Although a
single computing device 120 is illustrated in system 200, it should be noted that multiple
computing devices 120 of the same or different types of devices can be included in system
200.
[0032] Computing device 120 of Fig. 2 is computing device 120 of Fig. 1. In Fig. 1,
computing device 120 is included inside network 102. However, in Fig. 2 computing
device 1 0 is outside network 102 and establishes a communication link with network 102
via gateway 108. A communication link can be established between computing device
120 and gateway 108 via a variety of other devices or communication networks, such as
via the Internet, via a cellular or other public network, and so forth.
[0033] Computing device 120 can operate in different manners based on whether
computing device 120 determines it is inside network 102 or outside network 102. For
example, computing device 120 may determine whether to use encrypted communication
based on whether computing device 120 is inside network 102, computing device 120 may
enable or disable certain functionality based on whether computing device 120 is inside
network 102, computing device 120 may permit or deny access to files stored on
computing device 120 based on whether computing device 120 is inside network 102, and
so forth. Computing device 120 can optionally make various other determinations or
perform various other operations or functions based on whether computing device 120 is
inside network 102, e.g., based on the design of computing device 120 and/or software or
firmware running on computing device 120.
[0034] Computing device 120 includes inside/outside network determination module
122, which determines whether computing device 120 is inside network 102 or outside
network 102 at any particular time. Generally, inside/outside network determination
module 122 determines whether computing device 120 is inside network 102 or outside
network 102 based on both whether computing device 120 can access domain controller
110 and whether computing device 120 is assigned a network address in a desired range of
addresses. If computing device 120 can access domain controller 110 and computing
device 120 is assigned a network address in a desired range of addresses, then
inside/outside network determination module 122 determines that computing device 120 is
inside network 102. However, if computing device 120 cannot access domain controller
110 and/or computing device 120 is not assigned a network address in that desired range
of addresses, then inside/outside network determination module 122 determines that
computing device 120 is outside network 102.
[0035] Computing device 120 typically obtains a network address from another device
or service (e.g., assigned by a DHCP server), and uses this network address as the network
address of computing device 120. The network addresses discussed herein can be IP
version 4 (IPv4) network addresses, IP version 6 (IPv6) network addresses, Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP) addresses, and so forth. A module or
component of computing device 120 obtains the network address from another device or
service. This module or component can be part of an operating system of computing
device 120, part of a network interface card or chip, inside/outside network determination
module 122, and so forth.
[0036] Inside/outside network determination module 122 obtains the network address
of computing device 120. Inside/outside network determination module 122 can obtain
the network address of computing device 120 from another device or service as discussed
above, or from another component or module of computing device 120 (which obtains, or
previously obtained, the network address of computing device 120 from another device or
service).
[0037] Inside/outside network determination module 122 checks the network address
assigned to computing device 120 and determines whether this network address of
computing device 120 is within a desired range of network addresses. The desired range
of network addresses is one or more network addresses that can be assigned to devices
inside network 102 (e.g., one or more corporate network addresses that can be assigned to
devices in a corporate network). Network addresses can be assigned to devices inside
network 102 in a variety of different manners, such as by a DHCP server of network 102,
by an administrator of network 102, and so forth.
[0038] Inside/outside network determination module 122 also knows what this desired
range of network addresses is. Inside/outside network determination module 122 can be
configured with an indication of the desired range of network addresses, can obtain an
indication of the desired range of network addresses from another device or service, or can
otherwise obtain an indication of the desired range of network addresses. Thus,
inside/outside network determination module 122 can readily determine whether the
network address of computing device 120 is within the desired range of network addresses
(e.g., is a network address included in the desired range of network addresses).
[0039] If the network address of computing device 120 is not within the desired range
of network addresses, then inside/outside network determination module 122 determines
that computing device 120 is outside network 102. However, if the network address of
computing device 120 is within the desired range of network addresses, then inside/outside
network determination module 122 checks whether domain controller 110 can be accessed
by computing device 120. Inside/outside network determination module 122 typically
checks whether domain controller 110 can be accessed by computing device 120 after
determining that the network address of computing device 120 is within the desired range
of network addresses. Alternatively, inside/outside network determination module 122
can check whether domain controller 110 can be accessed by computing device 1 0 before
(or concurrently with) determining whether the network address of computing device 120
is within the desired range of network addresses.
[0040] Inside/outside network determination module 122 checks whether domain
controller 110 can be accessed by attempting to contact domain controller 110.
Inside/outside network determination module 122 can attempt to contact domain controller
110 by causing one or more of a variety of different requests to be sent to domain
controller 110, such as a request to be authenticated by domain controller 110, a request
for information or data from domain controller 110, and so forth. Inside/outside network
determination module 122 can cause such requests to be sent to domain controller 110 by
addressing requests to a network address of domain controller 110 (which could be a
network address of a device implementing domain controller 110). Module 122 can be
configured with the network address of domain controller 110, or can otherwise obtain the
network address of domain controller 110 (e.g., from a DNS server or gateway 108).
Inside/outside network determination module 122 can cause such requests to be sent to
domain controller 110 by module 122 sending such requests or alternatively causing
another component or module of computing device 120 to send such requests to domain
controller 110.
[0041] Communications among devices inside of network 102 are typically not
encrypted, however communications between gateway 108 and devices outside network
102 can be encrypted. Specifically, gateway 108 expects requests directed to domain
controller 110 from a computing device 120 outside network 102 and connected to
network 102 to be encrypted. A device outside network 102 can use encryption, including
symmetric key cryptography and/or public key cryptography, to establish a secure channel
with gateway 108 in a variety of different conventional manners.
[0042] If the network address of computing device 120 is within the desired range of
network addresses, then inside/outside network determination module 122 sends one or
more unencrypted (e.g., plaintext) requests in an attempt to contact domain controller 110.
Inside/outside network determination module sends such unencrypted requests regardless
of whether computing device 120 is actually inside network 102 or outside network 102.
If computing device 120 is inside network 102, then the unencrypted requests will be
received by domain controller 110, which will return an appropriate response. The
particular response returned by domain controller 110 can vary, being based at least in part
on the particular request that was sent to domain controller 110. Inside/outside network
determination module 122 determines that domain controller 110 can be accessed by
computing device 120 if a response is received from domain controller 110.
[0043] However, if computing device 120 is outside network 102, then the one or
more unencrypted requests will be received by gateway 108. Gateway 108 is configured
with one or more policies and/or rules, one of which is that requests to domain controller
110 from a computing device outside network 102 are to be encrypted (e.g., received via a
secure channel). Gateway 108 can readily determine if a request is received from a device
outside network 102 (e.g., based on a communication link via which the request is
received). Accordingly, if gateway 108 receives a request to domain controller 110 from a
computing device outside network 102, gateway 108 does not provide the request to
domain controller 110. Gateway 108 can drop or otherwise ignore the request, or return
an indication to the computing device from which the request was received that there is an
error or other problem with the request. Thus, if computing device 120 sends an
unencrypted request in an attempt to contact domain controller 110 when outside network
102, the request will not be provided to domain controller 110 and no response from
domain controller 110 will be received. Inside/outside network determination module 122
determines that domain controller 110 cannot be accessed by computing device 120 if no
response is received from domain controller 110.
[0044] Thus, if computing device 120 is inside network 102, then the network address
of computing device 120 is within the desired range of network addresses and domain
controller 110 can be accessed. Accordingly, inside/outside network determination
module 122 determines that computing device 120 is inside network 102.
[0045] On the other hand, if computing device 120 is outside network 102, then the
network address of computing device 120 is typically not within the desired range of
network addresses. Accordingly, inside/outside network determination module 122
determines that computing device 120 is outside network 102.
[0046] However, situations may arise in which computing device 120, even though
outside network 102, is given a network address that is within the desired range of
network addresses. Such situations can arise due to an error, coincidence, actions of a
malicious user or program, and so forth. If computing device 120 is outside network 102,
then domain controller 110 cannot be accessed (using unencrypted requests) as discussed
above. Thus, inside/outside network determination module 122 determines that
computing device 120 is outside network 102, even though the network address of
computing device 120 is within the desired range of network addresses.
[0047] It should be noted that even though computing device 120 may be outside
network 102, computing device 120 can still access devices in network 102 via gateway
108. Thus, computing device 120 can access domain controller 110 if requests to domain
controller 110 are encrypted (e.g., sent via a secure channel between computing device
120 and gateway 108).
[0048] In one or more embodiments, all requests sent from computing device 120 (or
from inside/outside network determination module 122) to a device implementing at least
part of domain controller 110 are unencrypted. Thus, even if a secure channel has been
established between computing device 120 and gateway 108, requests sent to domain
controller 110 are exempted from being, and are not, sent via that secure channel.
Alternatively, only particular requests sent from computing device 120 (or from
inside/outside network determination module 122) to a device implementing at least part
of domain controller 110 are unencrypted requests. For example, only requests sent to
DNS and/or Lightweight Directory Access Protocol (LDAP) ports (e.g., User Datagram
Protocol (UDP) port 53 and Transmission Control Protocol (TCP) port 389) of domain
controller 110 are unencrypted requests. These particular requests are exempted from
being sent via the secure channel with gateway 108, whereas other requests from
computing device 120 (or from inside/outside network determination module 122) sent to
devices implementing at least part of domain controller 110 (e.g., sent to other ports of
domain controller 110) are encrypted and sent via the secure channel with gateway 108.
[0049] In one or embodiments, requests that are exempted from being sent via a secure
channel between computing device 120 and gateway 108 are exempted for only a
particular amount of time (e.g., the time during which inside/outside network
determination module 122 is determining whether computing device 120 is inside or
outside network 102). Requests sent by computing device 120 at other times, and/or
requests sent by modules other than inside/outside network determination module 122, are
not exempted and thus are encrypted (e.g., sent via the secure channel with gateway 108).
[0050] Fig. 3 is a flowchart illustrating an example process 300 for a computing
device determining whether it is inside or outside a particular network in accordance with
one or more embodiments. Process 300 can be implemented in software, firmware,
hardware, or combinations thereof. Process 300 is carried out by a computing device,
such as computing device 120 of Figs. 1 and 2, and typically by an inside/outside network
determination module on that computing device (such as module 122 of Figs. 1 and 2).
Process 300 is shown as a set of acts and is not limited to the order shown for performing
the operations of the various acts. Process 300 is an example process for a computing
device determining whether it is inside or outside a particular network; additional
discussions of a computing device determining whether it is inside or outside a particular
network are included herein with reference to different figures.
[0051] In process 300, a network address is obtained (act 302). This network address
is a network address assigned to the computing device implementing process 300, and can
be obtained in a variety of different manners as discussed above.
[0052] A check is made as to whether the network address obtained in act 302 is
within the desired range of network addresses (act 304). This desired range of network
addresses is the set of one or more network addresses that can be assigned to devices
inside a particular network, as discussed above.
[0053] If the network address is not within the desired range of network addresses,
then a determination is made that the computing device implementing process 300 is
outside that particular network (act 306). This determination is made by an inside/outside
network determination module of the computing device implementing process 300 as
discussed above.
[0054] However, if the network address is within the desired range of network
addresses, then a check is made as to whether a domain controller for the particular
network can be accessed (act 308). This check can be made by sending various requests to
a domain controller inside the particular network as discussed above.
[0055] If the domain controller for the particular network cannot be accessed, then a
determination is made that the computing device implementing process 300 is outside that
particular network (act 306).
[0056] However, if the domain controller for the particular network can be accessed
then a determination is made that the computing device implementing process 300 is
inside that particular network (act 310). This determination is made by an inside/outside
network determination module of the computing device implementing process 300 as
discussed above.
[0057] The determination of whether the computing device is inside the particular
network or outside the particular network can then be forwarded to or otherwise made
available to various other components or modules of the computing device. These other
components or modules can then proceed operate in various manners as appropriate based
on whether the computing device is inside the particular network or outside the particular
network.
[0058] Process 300 can be repeated at particular intervals, including regular or
irregular intervals. For example, process 300 can be performed approximately every five
minutes, approximately hourly, and so forth. By way of another example, process 300 can
be performed in response to particular events, such as in response to the computing device
resuming operation from a reduced power mode (e.g., from a sleep or hibernate mode), in
response to movement of the computing device by greater than a threshold amount (e.g.,
100 yards, 1 mile, and so forth) being detected (e.g., by a global positioning system (GPS)
of the computing device), in response to arrival or removal of a network interface of the
computing device (e.g., a network interface of the computing device being enabled), in
response to the computing device determining the computing device is within range of a
new wireless network or no longer within range of a wireless network it was previously
within range of, and so forth.
[0059] Fig. 4 is a flowchart illustrating an example process 400 for a computing
device determining whether a domain controller can be accessed in accordance with one or
more embodiments. Process 400 can be implemented in software, firmware, hardware, or
combinations thereof. Process 400 is carried out by a computing device, such as
computing device 120 of Figs. 1 and 2, and typically by an inside/outside network
determination module on that computing device (such as module 122 of Figs. 1 and 2).
Process 400 can be, for example, act 308 of Fig. 3. Process 400 can thus be performed
after a determination is made that the computing device is assigned a network address
within a desired range of network addresses. Process 400 is shown as a set of acts and is
not limited to the order shown for performing the operations of the various acts. Process
400 is an example process for a computing device determining whether a domain
controller can be accessed; additional discussions of a computing device determining
whether a domain controller can be accessed are included herein with reference to
different figures.
[0060] In process 400, an unencrypted request is sent to a domain controller of a
particular network (act 402). This unencrypted request is not sent via a secure channel
between the computing device implementing process 400 and a gateway of the particular
network, even if the computing device is outside the particular network.
[0061] A check is made as to whether a response is received from the domain
controller (act 404). If no response is received from the domain controller within a
threshold amount of time (e.g., 5 seconds, 20 seconds, and so forth), then the
determination is made that no response is received from the domain controller. Acts 402
and 404 can optionally be repeated multiple times, with multiple unencrypted requests
being sent to the domain controller in an attempt to obtain a response from a domain
controller.
[0062] If no response to the request sent in act 402 is received from the domain
controller, then a determination is made that the domain controller cannot be accessed (act
406). However, if a response to the request sent in act 402 is received from the domain
controller, then a determination is made that the domain controller can be accessed (act
408).
[0063] Returning to Figs. 1 and 2, it should be noted that although a single network
102 is illustrated, the determining whether a device is inside a network techniques
discussed herein can be used with multiple different networks. Computing device 120 can
be configured with, or otherwise obtain, an indication of the desired ranges of network
addresses as well as the domain controllers for each of a variety of different networks.
Inside/outside network determination module 122 can thus readily determine, at any
particular time, whether computing device 120 is inside or outside any one of those
different networks.
[0064] Additionally, it should be noted that although inside/outside network
determination module 122 is shown as being part of computing device 120, alternatively
various functionality of inside/outside network determination module 122 can be
implemented on other devices. For example, computing device 120 can communicate
with one or more other devices or services, which can be part of network 102 or another
network, that can perform various aspects of the determining whether a device is inside a
network techniques discussed herein.
[0065] Thus, the determining whether a device is inside a network techniques
discussed herein allow a computing device to accurately and reliably determine whether
the computing device is inside a particular network at any particular time. By leveraging
the domain controller, the determining whether a device is inside a network techniques
discussed herein use an existing reliable system for making the determination. Domain
controllers are already operating as a reliable system, providing replication, backup, and so
forth as appropriate to maintain a high degree of availability of the domain controller
functionality. Thus, an additional reliable system with a high degree of availability need
not be built and maintained in order to implement the determining whether a device is
inside a network techniques discussed herein.
[0066] Furthermore, the determining whether a device is inside a network techniques
discussed herein operate in various different types of network deployments. For example,
the determining whether a device is inside a network techniques discussed herein can be
used with Internet Protocol (IP) version 4 (IPv4) network addresses, IP version 6 (IPv6)
network addresses, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) addresses
and mechanisms, other protocols and/or mechanisms, combinations thereof, and so forth.
[0067] The determining whether a device is inside a network techniques discussed
herein support a variety of different usage scenarios. For example, a computing device
can operate in an "always on" access mode in which the computing device maintains
connectivity to a particular network (e.g., a corporate network) despite being moved to
different locations varying between inside the particular network and outside the particular
network. The computing device can continue operation, determining whether the
computing device is inside or outside the network at any particular time, and operating in
different manners as appropriate based on this determination.
[0068] Fig. 5 illustrates an example computing device 500 that can be configured to
implement the determining whether a device is inside a network in accordance with one or
more embodiments. Computing device 500 can be, for example, a computing device 120
of Figs. 1 and 2, or one or more of a router 104, gateway 108, and/or device 112 of Figs. 1
and 2, or one more of a device implementing at least part of DNS service 106 and/or at
least part of domain controller 110 of Figs. 1 and 2.
[0069] Computing device 500 includes one or more processors or processing units
502, one or more computer readable media 504 which can include one or more memory
and/or storage components 506, one or more input/output (I/O) devices 508, and a bus 510
that allows the various components and devices to communicate with one another.
Computer readable media 504 and/or one or more I/O devices 508 can be included as part
of, or alternatively may be coupled to, computing device 500. Bus 510 represents one or
more of several types of bus structures, including a memory bus or memory controller, a
peripheral bus, an accelerated graphics port, a processor or local bus, and so forth using a
variety of different bus architectures. Bus 510 can include wired and/or wireless buses.
[0070] Memory/storage component 506 represents one or more computer storage
media. Component 506 can include volatile media (such as random access memory
(RAM)) and/or nonvolatile media (such as read only memory (ROM), Flash memory,
optical disks, magnetic disks, and so forth). Component 506 can include fixed media (e.g.,
RAM, ROM, a fixed hard drive, etc.) as well as removable media (e.g., a Flash memory
drive, a removable hard drive, an optical disk, and so forth).
[0071] The techniques discussed herein can be implemented in software, with
instructions being executed by one or more processing units 502. It is to be appreciated
that different instructions can be stored in different components of computing device 500,
such as in a processing unit 502, in various cache memories of a processing unit 502, in
other cache memories of device 500 (not shown), on other computer readable media, and
so forth. Additionally, it is to be appreciated that the location where instructions are stored
in computing device 500 can change over time.
[0072] One or more input/output devices 508 allow a user to enter commands and
information to computing device 500, and also allows information to be presented to the
user and/or other components or devices. Examples of input devices include a keyboard, a
cursor control device (e.g., a mouse), a microphone, a scanner, and so forth. Examples of
output devices include a display device (e.g., a monitor or projector), speakers, a printer, a
network card, and so forth.
[0073] Various techniques may be described herein in the general context of software
or program modules. Generally, software includes routines, applications, programs,
objects, components, data structures, and so forth that perform particular tasks or
implement particular abstract data types. An implementation of these modules and
techniques may be stored on or transmitted across some form of computer readable media.
Computer readable media can be any available medium or media that can be accessed by a
computing device. By way of example, and not limitation, computer readable media may
comprise "computer storage media" and "communications media."
[0074] "Computer storage media" include volatile and non-volatile, removable and
non-removable media implemented in any method or technology for storage of
information such as computer readable instructions, data structures, program modules, or
other data. Computer storage media include, but are not limited to, RAM, ROM,
EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks
(DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage
or other magnetic storage devices, or any other medium which can be used to store the
desired information and which can be accessed by a computer.
[0075] "Communication media" typically embody computer readable instructions, data
structures, program modules, or other data in a modulated data signal, such as carrier wave
or other transport mechanism. Communication media also include any information
delivery media. The term "modulated data signal" means a signal that has one or more of
its characteristics set or changed in such a manner as to encode information in the signal.
By way of example, and not limitation, communication media include wired media such as
a wired network or direct-wired connection, and wireless media such as acoustic, F,
infrared, and other wireless media. Combinations of any of the above are also included
within the scope of computer readable media.
[0076] Generally, any of the functions or techniques described herein can be
implemented using software, firmware, hardware (e.g., fixed logic circuitry), manual
processing, or a combination of these implementations. The terms "module" and
"component" as used herein generally represent software, firmware, hardware, or
combinations thereof. In the case of a software implementation, the module or component
represents program code that performs specified tasks when executed on a processor (e.g.,
CPU or CPUs). The program code can be stored in one or more computer readable
memory devices, further description of which may be found with reference to Fig. 5. The
features of the determining whether a device is inside a network techniques described
herein are platform-independent, meaning that the techniques can be implemented on a
variety of commercial computing platforms having a variety of processors.
[0077] Although the subject matter has been described in language specific to
structural features and/or methodological acts, it is to be understood that the subject matter
defined in the appended claims is not necessarily limited to the specific features or acts
described above. Rather, the specific features and acts described above are disclosed as
example forms of implementing the claims.
Claims
What is claimed is:
1. A method comprising:
obtaining a network address assigned to a computing device;
checking one or both of whether the network address is within a desired range of
network addresses and whether a resource access manager for a particular network can be
accessed; and
determining that the computing device is inside the particular network if both the
network address is within the desired range of network addresses and the resource access
manager can be accessed, otherwise determining that the computing device is outside the
particular network.
2. A method as recited in claim 1, wherein the resource access manager comprises a
domain controller for the particular network.
3. A method as recited in claim 1, further comprising checking whether the resource
access manager can be accessed only if the network address is within the desired range of
network addresses, otherwise determining that the computing device is outside the
particular network regardless of whether the resource access manager can be accessed.
4. A method as recited in claim 1, wherein checking whether the resource access
manager can be accessed comprises:
causing a request to be sent to the resource access manager;
checking whether a response to the request is received from the resource access
manager; and
determining that the resource access manager can be accessed if the response to the
request is received from the resource access manager, otherwise determining that the
resource access manager cannot be accessed.
5. A method as recited in claim 4, wherein the request sent to the resource access
manager is an unencrypted request regardless of whether the computing device is inside
the particular network or outside the particular network.
6. A computing device comprising:
one or more processors; and
one or more computer readable media having stored thereon multiple instructions
that, when executed by the one or more processors, cause the one or more processors to:
send an unencrypted request to a resource access manager of a particular
network; and
if both a response is received from the resource access manager and the
computing device is assigned a network address within a desired range of network
addresses, then determine that the resource access manager can be accessed and
that the computing device is inside the particular network, otherwise determine that
the resource access manager cannot be accessed and that the computing device is
outside the particular network.
7. A computing device as recited in claim 6, wherein the resource access manager
comprises a domain controller for the particular network.
8. A computing device as recited in claim 6, wherein to send the unencrypted request
only is to send the unencrypted request only if the computing device is assigned network
address within the desired range of network addresses, and otherwise determine that the
computing device is outside the particular network regardless of whether the resource
access manager can be accessed.
9. A computing device as recited in claim 6, wherein to send the unencrypted request
is to send the unencrypted request regardless of whether the computing device is inside or
outside the particular network.
10. A computing device as recited in claim 6, wherein the instructions further cause
the one or more processors to send the unencrypted request to a gateway of the particular
network but encrypt other requests sent to the gateway to access other devices in the
particular network.