The present invention relates to the field of network security. In particular, the present invention relates to a network security system that controls access to a network at the edges of the network.
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawings hereto: Copyright © 2001, Extreme Networks, Inc., All Rights Reserved.
In recent history, the architecture of computer network topologies has changed dramatically. In the past, computer networks were mainly private networks contained within a private office. Now, however, an entire building with multiple offices of different companies may make up a single local area network (LAN), a user may use a laptop to access a wireless LAN in a public place, or a student may plug a laptop into network ports in various classrooms. Situations like these open a network to potential cyber-attacks that may compromise the security of network resources and also prevent access by legitimate users. As a consequence, network resource providers are under enormous pressure to provide bulletproof security and foolproof access control, so that no matter what type of method a user uses to access the network, whether it be via a modem, network interface card (NIC), or by some other means, private information and network resources remain secure. Security mechanisms in the devices at the network edge, such as LAN switches, are particularly critical because they grant access to the rest of the network.
The difficulties associated with securing a network have existed ever since computer networks were first introduced. Over the years a variety of techniques have been employed to provide network security. Generally most of these security techniques take place between network nodes (a node is an end point for data transmissions, such as a computer workstation, network server, CD-ROM jukebox, or some other such device) and not between connection points (a connection point is an intermediate point in the network, such as a router, hub, or a switch). Some of those methods include encryption techniques to prevent unauthorized access to a network resource, such as a network server or network printer. For example, techniques like private key and public key encryption codes transmit encrypted data between individual machines.
A common network security technique is the login procedure, which occurs when a network node attaches to a network resource, such as when a user logs into a server. Typically, the user is prompted for authentication information, such as a username and password or an identification card. Once the user inputs the authentication information, a user authentication system compares the user's input to user authentication and authorization information stored in a database. If the user's input is valid the user is granted access to certain administrator-defined network resources.
An example of a user authentication system employed in login procedures is the Novell Directory Services database or the Remote Authentication Dial-In User Service (RADIUS). The RADIUS service is actually a protocol for carrying authentication, authorization, and configuration information between an access server and an authentication server. The RADIUS protocol has been documented as an Internet standard protocol, the most recent version of which is Request For Comment (RFC) 2865, Rigney, C., Willens, Rubens, A., Simpson, W., RADIUS, June 2000.
A login procedure using the RADIUS protocol secures networks against unauthorized access using a centralized authentication server (“the RADIUS server”) in communication with an access server (“the RADIUS client”) using the RADIUS protocols. All of the user information necessary for authenticating users seeking access to the network and various network services resides on the RADIUS server. A network access server operates as a RADIUS client by sending authentication requests to the RADIUS server using the client protocols. In response the RADIUS server either accepts, rejects, or challenges the authentication request, and the RADIUS client acts on that response to permit or deny access to the network and various network services, or to request more information from the user. A drawback to prior art login procedures is that a user who plugs a computer into a network port has immediate access to the network, although they may not necessarily have access to any of the resources on the network (i.e. they have not yet successfully completed the login procedure).
Other prior art network security techniques have been implemented at a connection point (i.e. at the LAN switch level) to prevent intruder and hacker attacks. For example, algorithms and techniques have been designed and implemented in LAN switches to prohibit cyber-attacks, such as access control lists (ACLs), Denial of Service (DoS) attack protection as documented in Request for Comments (RFC) 2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, January 1998, and Synchronize (SYN) attack protection.
For example, access lists were developed to combat cyber-attacks on the LAN switch by providing an administrator-controlled list of Internet Protocol (IP) addresses or media access control (MAC) addresses that were authorized to access the network. DoS and SYN attack protections are based on similar concepts. For example, when a hacker overloads a targeted connection point such as a router or a LAN switch with incoming data packets, the router or LAN switch is prevented from accepting new legitimate requests for services, resulting in a denial of service. When the targeted device is behind a firewall, an access list protects against such attacks by explicitly restricting inbound access to the device to a select few IP addresses.
A major drawback to access lists, DoS, and SYN attack protections is that access to the network is machine- or hardware-based instead of user-based. Therefore, an unauthorized user who has access to an authorized machine can still gain access to the network, completely bypassing the intended security protection. Moreover, publicly accessed network resources, e.g. a web server not protected by a firewall, are more susceptible since access to a public resource cannot usually be restricted to certain machines or IP addresses. Finally, most of the security measures currently in place to defend against such attacks are proprietary and therefore expensive to implement.
The Institute of Electrical and Electronics Engineers (IEEE) has proposed a solution to providing controlled access to networks using port-based security measures, as documented in IEEE protocol 802.1x, Mar. 21, 2001. While still in draft form, the IEEE proposal has already gained the support of several wireless technology based companies. IEEE 802.1x uses the Point-to-Point Extensible Authentication Protocol (EAP), documented in RFC 2284, and published in March 1998, and layer-2 communication methods to prevent access to a network.
A drawback to the IEEE 802.1x approach to network access control is that it creates an entirely new communications protocol that requires software and, in some cases, hardware upgrades to bring devices on the network into compliance with the new protocol. Specifically, adoption of the IEEE 802.1x approach forces software companies to update software to comply with the standard, which in turns means that individual users would have to download and install those software updates in order to use the features proposed by the new protocol. This applies not only to human computer users, but also to network printers, network servers, and any other device that is capable of accessing a network. The IEEE 802.1x approach may also force users to update older hardware to comply with the new technology standard, since hardware companies may not find it viable to invest time and money into updating old hardware driver files and providing the necessary read-only memory (ROM) updates for older devices, such as an old network printer.
What is needed, therefore, is a way to prevent a user from accessing not only network resources and services, but also the network itself, until the user is authorized. To provide such controlled network access without requiring expensive hardware and software upgrades presents a unique set of challenges requiring a new and novel solution.
According to one aspect of the invention, a method is provided to control the admission of a user to a network by preventing a port through which the user connects to the network from forwarding data packets until the user is authorized. A network login controller operates in conjunction with a user interface to receive a user identification data from the port user. The network login controller further operates in conjunction with an authorization server to authenticate the user by sending a user authentication request containing the user identification data to the authentication server. The network login controller grants or denies permission to the user to access the network based on the user authentication response from the authentication server. If permission is granted, then the network login controller unblocks the port through which the user is connected to place it in packet-forwarding mode. If permission is denied, then the port remains in packet non-forwarding mode (i.e. it remains blocked).
According to one aspect of the invention, the authentication server further provides the network login controller with user policy configuration data for configuring the port for authorized users. The policy configuration data may include reassigning the user's IP address to a different VLAN (i.e. a permanent VLAN) than the one with which they initially connected to the port.
According to one aspect of the invention, the network login controller operates in conjunction with an address server to provide the user with an initial IP address with which to authenticate the user. Alternatively, the initial IP address may be a static IP address such as a MAC address or other IP address previously assigned to the user's computer prior to connecting to the port.
According to one aspect of the invention, the network login controller, user interface, authentication server, and address server may be implemented on one or more network devices, such as a switch or other packet-forwarding device, a network server computer, and an end station or host computer.
In accordance with these and other aspects of the present invention, apparatus are provided for carrying out the above and other methods.
The present invention will be described by way of exemplary embodiments, but not limitations, illustrated in the accompanying drawings in which like references denote similar elements, and in which:
In the following description various aspects of the present invention, a method and apparatus for network login authorization will be described. Specific details will be set forth in order to provide a thorough understanding of the present invention. However, it will be apparent to those skilled in the art that the present invention may be practiced with only some or all of the described aspects of the present invention, and with or without some or all of the specific details. In some instances, well known architectures, steps, and techniques have not been shown to avoid unnecessarily obscuring the present invention. For example, specific details are not provided as to whether the method and apparatus is implemented in a switch, router, bridge, server or gateway, as a software routine, hardware circuit, firmware, or a combination thereof.
Parts of the description will be presented using terminology commonly employed by those skilled in the art to convey the substance of their work to others skilled in the art, including terms of operations performed by a network operating system, and their operands, such as transmitting, receiving, routing, login, packets, messages, user name, command, and the like. As well understood by those skilled in the art, these operands take the form of electrical, magnetic, or optical signals, and the operations involve storing, transferring, combining, and otherwise manipulating the signals through electrical, magnetic or optical components of a system. The term system includes general purpose as well as special purpose arrangements of these components that are standalone, adjunct or embedded.
Various operations will be described as multiple discrete steps performed in turn in a manner that is most helpful in understanding the present invention. However, the order of description should not be construed as to imply that these operations are necessarily performed in the order they are presented, or even order dependent. Lastly, repeated usage of the phrase “in one embodiment” does not necessarily refer to the same embodiment, although it may.
It should be noted that while the description that follows addresses the method and apparatus as it applies to a Local Area Network (LAN), it is appreciated by those of ordinary skill in the art that method is generally applicable to any Transport Control Protocol/Internet Protocol (TCP/IP)-based network including, but not limited to, internetworks, Virtual Local Area Networks (VLANs), Metropolitan Area Networks (MANs), and Wide Area Networks (WANs), as well as networks organized into subnets.
End stations H11 211, H12 212, H21 221, and H22 222, connect to corporate network 300 using SW1 200, but are prevented from accessing corporate network 300 until after successfully using network login authorization 100. The network login authorization 100 may include a network login controller 110 which operates in conjunction with a login user interface 120 and a user authentication server 140 to block SW1 200 from forwarding packets from end stations H11 211, H12 212, H21 221, and H22 222 to corporate network 300 until the identity of the end station's user has been authenticated using data from user authentication database 150. This results in preventing the user from accessing the entire corporate network 300 until the network login controller 110 authorizes the user to do so.
In one embodiment, the user interface 120 may comprise a web browser facility such as the Microsoft Internet Explorer, or the Netscape browsers, that is resident on the end station/hosts (e.g. H11 211), with the network login controller 110 functioning as a web server that accepts the user identification data 121 and relays it to the authentication server 140. The web server also serves informational data regarding the success or failure of the network login authorization 100 as well as reports on status inquiries on the authorization state of the port and the like. Alternatively, the user interface 120 may be a text-based interface, or a command-line interface without departing from the scope of the invention.
The method and apparatus for network login authorization 100 is suitable for operating in a variety of networked environments. One environment is the “campus environment,” where the typical user is a roaming user that connects to the network at various locations throughout the campus. In the campus environment, the port through which the user connects is not assigned to a permanent VLAN (i.e. layer-2 domain) until the user is authorized through the network login authorization 100. The other environment is the network provider (e.g. an Internet service provider) environment, where the typical user is stationary. In the network provider environment, the port and VLAN through which the user connects is constant, i.e. the port is already assigned to a permanent VLAN.
In the campus environment, the authentication server 140 is usually a RADIUS server, and the RADIUS server provides the necessary configuration details (e.g. the permanent VLAN ID to which the port will be assigned) of what will happen to the port once a successful authentication takes place. In both the campus and network provider environments, prior to authorization through network login authorization 100, the user must obtain a temporary layer-3 address in order to gain access to the network login controller 110 and user interface 120 on packet-forwarding device 200. In one embodiment, the network login authorization 100 includes a layer-3 address server 130 accessible to the packet-forwarding device 200 to dynamically assign a temporary layer-3 address to the user's end station (e.g. H11 211). In an alternate embodiment, a static layer-2 address, such as the user's end station MAC address may be adequate for purposes of obtaining access to the network login controller 110 and user interface 120 on packet-forwarding device 200. The temporary layer-3 address is discarded upon successful authentication through network login authorization 100, after which the user must obtain another layer-3 address, this time a permanent one, through an address server 130 on the permanent VLAN to which the port has been assigned (which may or may not be the same address server 130 which assigned the temporary address, as long as it is accessible on the permanent VLAN to which the port has been assigned).
Returning now to
If the data does not compare favorably, then the user authentication server 140 returns a negative user authentication response 112 to the network login controller 110 which indicates that the user cannot be authenticated with the provided user identification data 121. The user interface 120 continues to prompt the user to provide more accurate user identification data 121 and port state 207 remains unauthorized. As a result, port 205 remains in non-forwarding mode 170, which prevents the packet forwarder 160 from forwarding packets for the user connected through port 205 on endstation/host computer H11 211 of VLAN10 210.
In one embodiment, the user authentication server 140 is a RADIUS server, and the network login controller 110 functions as a RADIUS client. In that case, the user authentication request 111 and user authentication response 112 are data packets conforming to the RADIUS communication protocol for communicating authentication data. The operation of the RADIUS server and communication protocol is known in the art and will not be further discussed except as it pertains to the method and apparatus of the present invention.
In an alternate embodiment, the network login controller 110 may use a user authentication database 150 directly instead of through a user authentication server 140. In that case, the user authentication database 150 may comprise an internal database stored on the packet-forwarding device 200, and the user authentication request 111 and user authentication response 112 may be handled through internal communication.
Returning again to
Referring to
In one embodiment, at processing block 405 of
In one embodiment, at processing block 435 of
At processing block 455, the packet forwarder recognizes that the port is in a forwarding mode, and commences sending and receiving packets for the authorized port and port user. The packet forwarding services provided by the packet forwarder continue until, at processing block 460, the network login controller 110 resets the port back into a unauthorized state (i.e. non-forwarding mode). In one embodiment, the resetting is performed when a user successfully logs off the packet forwarding device 200 from the user interface 120, when a connection from the user to the port is disconnected, when no activity from the user occurs on the port for a duration of time, or when an administrator forces the port to change its state. The resetting is completed at block 465 where the network login controller 110, if necessary, blocks the port by placing it into an unauthorized state.
In one embodiment, at processing block 470 of
Accordingly, a novel method and apparatus is described in which a network login authorization 100 prevents a user connected to port from accessing a network until the user has been authorized, on a per-port and per-VLAN basis. From the foregoing description, those skilled in the art will recognize that many other variations of the present invention are possible. In particular, while the present invention has been described as being implemented in a network comprising a packet forwarding device 200, an address server 130 for serving a temporary as well as a permanent layer-3 IP address, a user authentication server 140, a user authentication database 150, network login controller 110 and user interface 120, one or more ports 205/206 and associated port states 207/208, and numerous hosts and VLANs, it should be noted that some of the logic described herein may be distributed in other components of a network or internetwork application without departing from the scope of the present invention.
For example, embodiments of the invention may be represented as a software product stored on a machine-accessible medium (also referred to as a computer-readable medium or a processor-readable medium). The machine-accessible medium may be any type of magnetic, optical, or electrical storage medium including a diskette, CD-ROM, memory device (volatile or non-volatile), or similar storage mechanism. The machine-accessible medium may contain various sets of instructions, code sequences, configuration information, or other data. As an example, the procedures described herein for network login controller 110, the user interface 120, the address server 130, and the authentication server 140, and the associated protocols can be stored on the machine-accessible medium. In addition, the data for the authentication server 140 and associated authentication database 150, or the address server 130 and associated data may be stored in an internal storage area or on an external storage medium that is machine-accessible. Those of ordinary skill in the art will appreciate that other instructions and operations necessary to implement the described invention may also be stored on the machine-accessible medium.
Thus, the present invention is not limited by the details described. Instead, the present invention can be practiced with modifications and alterations within the spirit and scope of the appended claims.
Number | Name | Date | Kind |
---|---|---|---|
5544322 | Cheng et al. | Aug 1996 | A |
5586260 | Hu | Dec 1996 | A |
5752003 | Hart | May 1998 | A |
5764887 | Kells et al. | Jun 1998 | A |
5805801 | Holloway et al. | Sep 1998 | A |
5898780 | Liu et al. | Apr 1999 | A |
6021495 | Jain et al. | Feb 2000 | A |
6085238 | Yuasa et al. | Jul 2000 | A |
6115376 | Sherer et al. | Sep 2000 | A |
6205147 | Mayo et al. | Mar 2001 | B1 |
6298383 | Gutman et al. | Oct 2001 | B1 |
6311218 | Jain et al. | Oct 2001 | B1 |
6339830 | See et al. | Jan 2002 | B1 |
6393484 | Massarani | May 2002 | B1 |
6418466 | Bertram et al. | Jul 2002 | B1 |
6539431 | Sitaraman et al. | Mar 2003 | B1 |
6560236 | Varghese et al. | May 2003 | B1 |
6618757 | Babbitt et al. | Sep 2003 | B1 |
6643782 | Jin et al. | Nov 2003 | B1 |
6657956 | Sigaud | Dec 2003 | B1 |
6684243 | Euget et al. | Jan 2004 | B1 |
6704873 | Underwood | Mar 2004 | B1 |
6724734 | Shabtay et al. | Apr 2004 | B1 |
6741592 | Edsall et al. | May 2004 | B1 |
6748439 | Monachello et al. | Jun 2004 | B1 |
6792474 | Hopprich et al. | Sep 2004 | B1 |
6874090 | See et al. | Mar 2005 | B2 |
6892309 | Richmond et al. | May 2005 | B2 |
6912637 | Herbst | Jun 2005 | B1 |
6954790 | Forslow | Oct 2005 | B2 |
6957199 | Fisher | Oct 2005 | B1 |
6976088 | Gai et al. | Dec 2005 | B1 |
7002936 | Agrawal et al. | Feb 2006 | B2 |
7024478 | Dalgic et al. | Apr 2006 | B1 |
7036143 | Leung et al. | Apr 2006 | B1 |
7039037 | Wang et al. | May 2006 | B2 |
7124189 | Summers et al. | Oct 2006 | B2 |
7127524 | Renda et al. | Oct 2006 | B1 |
7143435 | Droms et al. | Nov 2006 | B1 |
7149219 | Donahue | Dec 2006 | B2 |
7171555 | Salowey et al. | Jan 2007 | B1 |
7197556 | Short et al. | Mar 2007 | B1 |
7216173 | Clayton et al. | May 2007 | B2 |
7356841 | Wilson et al. | Apr 2008 | B2 |
7389534 | He | Jun 2008 | B1 |
7428237 | Gai et al. | Sep 2008 | B1 |
7451220 | Dalgic et al. | Nov 2008 | B1 |
7640287 | Gai et al. | Dec 2009 | B1 |
7848264 | Gai et al. | Dec 2010 | B1 |
20010012296 | Burgess et al. | Aug 2001 | A1 |
20020049655 | Bennett et al. | Apr 2002 | A1 |
20020095573 | O'Brien | Jul 2002 | A1 |
20020120732 | Lee et al. | Aug 2002 | A1 |
20020136226 | Christoffel et al. | Sep 2002 | A1 |
20020144144 | Weiss et al. | Oct 2002 | A1 |
20020146002 | Sato | Oct 2002 | A1 |
20030035409 | Wang et al. | Feb 2003 | A1 |
20030041136 | Cheline et al. | Feb 2003 | A1 |
20030115480 | McDysan | Jun 2003 | A1 |
20030140131 | Chandrashekhar et al. | Jul 2003 | A1 |
20030147403 | Border et al. | Aug 2003 | A1 |
20040006708 | Mukherjee et al. | Jan 2004 | A1 |
20040015728 | Cole et al. | Jan 2004 | A1 |
20040030890 | Chu et al. | Feb 2004 | A1 |
20040034797 | Hof | Feb 2004 | A1 |
20040064604 | Cox | Apr 2004 | A1 |
20040103275 | Ji et al. | May 2004 | A1 |
20040117653 | Shapira et al. | Jun 2004 | A1 |
20040193513 | Pruss et al. | Sep 2004 | A1 |
20040230841 | Savini | Nov 2004 | A1 |
20040255154 | Kwan et al. | Dec 2004 | A1 |
20060168648 | Vank et al. | Jul 2006 | A1 |
20060206625 | Moineau | Sep 2006 | A1 |
20080101240 | Rohilla et al. | May 2008 | A1 |
20120291098 | Janakiraman et al. | Nov 2012 | A1 |
Entry |
---|
Cisco Systems, Inc. “Controlling Access to the Switch Using Authentication”, http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel—5—2/config/authent.html Oct. 1, 1999. |
Network World Fusion “Circuit extensions assist Ethernet over ATM” http://www.nwfusion.com/news/tech/2002/1014techupdate.html Oct. 14, 2002. |
Poger, Elliot, and Mary Baker. “Secure Public Internet Access Handler (SPINACH).” USENIX Symposium on Internet Technologies and Systems. 1997. |
Yemini, Yechiam, Alexander V. Konstantinou, and Danilo Florissi. “NESTOR: An architecture for network self-management and organization.” Selected Areas in Communications, IEEE Journal on 18.5 (2000): 758-766. |
Bahl, P., Anand Balachandran, and Srinivasan Venkatachary. “The Choice network-broadband wireless Internet access in public places.” Microsoft Research (2000). |
Appenzeller, Guido, Mema Roussopoulos, and Mary Baker. “User-friendly access control for public network ports.” INFOCOM'99. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE. vol. 2. IEEE, 1999. |
Chen, Mike, Barbara Hohlt, and Tal Lavian. “Popeye-Using Fine-grained Network Access Control to Support Mobile Users and Protect Intranet Hosts.”dated Dec. 11, 2000: 1-8. |
Konstantinou, Alexander V., et al. “Managing Security in Dynamic Networks.”LISA. 1999. |
Bahl, Paramvir, Srinivasan Venkatachary, and Anand Balachandran. “Secure wireless internet access in public places.” Communications, 2001. ICC 2001. IEEE International Conference on. vol. 10. IEEE, 2001. |
Rabinovitch, Eddie. “Enterprise LAN Trends.” Int. CMG Conference. 1999. |
Cisco Systems, Inc., “Controlling Access to the Switch Using Authentication,” http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel—5—2/config/authent.html Oct. 1, 1999, 35 pgs. |
Final Office Action for U.S. Appl. No. 10/645,459, Mailed Feb. 6, 2009, 20 pages. |
Notice of Allowance for U.S. Appl. No. 10/645,459 dated Jun. 2, 2009, 9 pages. |
Office Action for U.S. Appl. No. 10/645,459 dated Oct. 30, 2006, 11 pages. |
Final Office Action for U.S. Appl. No. 10/645,459 dated Apr. 13, 2007, 14 pages. |
Office Action for U.S. Appl. No. 10/645,459 dated Sep. 26, 2007, 15 pages. |
Advisory Action for U.S. Appl. No. 10/645,459 dated Apr. 9, 2009, 3 pages. |
Final Office Action for U.S. Appl. No. 10/645,459 dated Mar. 20, 2008, 18 pages. |
Office Action for U.S. Appl. No. 10/645,459 dated Jul. 24, 2008, 15 pages. |