1. Field of the Invention
The present invention relates to a system, method, signal, and computer program product for providing secure wireless access to private databases and applications. More particularly, the present invention relates to providing secure access to private networks for wireless devices without requiring a separate wireless security/authentication infrastructure for the private network.
2. Discussion of the Background Art
Whenever an external computing device is connected to a corporate network, that network is subject to becoming more vulnerable to security breaches. Network Administrators are left with few tools to guard against break-ins. State of the art security systems generally require special hardware or are only compatible with a small number of products. This problem is exacerbated in large networks that have many points of access.
To address this problem, Lucent Technologies InterNetworking Systems has developed a distributed security solution called Remote Authentication Dial-In User Service, or RADIUS. RADIUS is an example of a client-server internetworking security protocol configured to control authentication, accounting, and access-control in a networked, multi-user environment. RADIUS provides a software protocol based approach to security that does not require special hardware. Distributed security separates user authentication and authorization from the communications process and creates a single, central location for user authentication data. The RADIUS protocols are defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 2138 dated April 1997 and 2139 dated April 1997, the entire contents of both being incorporated herein by reference. RADIUS is a TCP/IP application layer protocol as defined in TCP/IP Illustrated: The Protocols by W. Richard Stevens (1994) and TCP/IP Clearly Explained, Third Edition, by Pete Loshin (1999), the contents of both being incorporated herein by reference.
Based on a model of distributed security previously defined by the IETF, RADIUS provides an open and scalable client/server security system. The RADIUS server can be easily adapted to work with third-party security products or proprietary security systems. To date, many types of communications servers or network hardware support the RADIUS client protocols and can communicate with a RADIUS server. RADIUS has become a widely accepted remote authentication protocol.
RADIUS supports a system of distributed security that secures systems against unauthorized access. A system based on RADIUS authentication includes a RADIUS authentication server and a RADIUS client. In conventional RADIUS systems, user authentication and network service access information is located on the RADIUS authentication server. RADIUS supports this information being in a variety of formats based on the customer's requirements. RADIUS, in its generic form, will authenticate users against, for example, a UNIX password file, Network Information Service (NIS), as well as a separately maintained RADIUS database. RADIUS-compliant communications servers operate to connect RADIUS clients with RADIUS servers. The RADIUS client sends RADIUS authentication requests to the RADIUS server and acts on responses sent back by the RADIUS server.
RADIUS is used to authenticate users through a protocol including a series of specially formatted messages between the client and the server. Once a RADIUS user is authenticated, the RADIUS client provides that RADIUS user with access to the appropriate network services.
A limitation associated with the above-described capability is that it does not readily accommodate wireless users and their applications. Wireless devices (e.g., Personal Digital Assistants (PDA) and wireless laptops) have become popular productivity tools, and given their portability, have become a desired tool for accessing applications and databases on secure networks from remote locations. Typically, access is via the Internet as accessed through a wireless network provider. Because wireless network providers do not provide the services that an ISP provides, the ability to have RADIUS-authenticated connections from remote wireless devices is limited. Therefore, a tension has been created between providing the convenience of wireless remote access and maintaining a secure network.
One proposed solution to this problem is to provide a parallel authentication capability tailored to the needs of wireless users, wireless data services and communication technologies used in wireless networks. However, maintaining more than one authentication database in an organization is an administrative burden for information security personnel who must update multiple databases when employees or other authorized users arrive, depart, or otherwise change their access posture. Furthermore, maintaining more than one authentication database is an operational annoyance to users who may be required to maintain different passwords and be trained in different information security techniques for wireless and non-wireless access. Even further, as more access paths are provided for a network, more opportunities for a security breach or failure are created.
The present inventors have recognized that there exists a need to provide secure access for wireless devices without compromising the level of security required by the accessed network. The present inventors have further recognized that since many wireless devices have limited processing power, providing a RADIUS capability on a wireless device is not an acceptable solution. The inventors of the present invention have recognized that, by providing an ability to translate non-RADIUS authentication messages from a wireless device into RADIUS authentication messages, the existing RADIUS authentication infrastructure can be used to authenticate wireless devices.
Accordingly, one object of the present invention is to provide systems, devices, communications protocols, and methods for providing RADIUS authentication for wireless devices that do not themselves have a RADIUS capability.
A further object of the present invention is to provide methods and communications protocols for maintaining an integrated wireless/non-wireless security infrastructure.
The above-described and other objects are addressed by the present invention, which includes a novel system, method, signal, and computer program product for authenticating, accounting, and controlling access to a secure network from a wireless device. The wireless device desiring remote access to a secure network sends a request for authentication to a wireless access service provider. The wireless access service provider receives the request and creates a formal authentication request or relays the request for authentication originating from the wireless device in compliance with the authentication system of the secure network and forwards the authentication request to the secure network. Since the ultimate authentication request is a formal request, the secure network handles the wireless user in the same way using the same security infrastructure as it does for non-wireless remote users. The result of the authentication request is sent from the secure network to the wireless access service provider via the formal authentication protocol. The wireless access service provider then translates this result into a wireless device compatible format and finally generates and transmits a corresponding access granted/access denied status message to the wireless device over a wireless transmission link.
In one embodiment of the present invention, the wireless device communicates with the wireless access service provider via hypertext transfer protocol (HTTP) messages, and the wireless access service provider and the secure network perform a RADIUS authentication for the wireless user.
In one embodiment of the present invention, the wireless access service provider is a third party that provides a service of managing remote access to secure networks for wireless devices.
In another embodiment of the present invention, the wireless access service provider is housed within the security environment of an organization that has remote wireless users.
A more complete appreciation of the invention and many of the attendant advantages thereof will be readily obtained as the same become better understood by reference to the following detailed description when considered in connection with the accompanying drawings, wherein:
Referring now to the figures,
Figure element 209 represents a third party that provides a service of managing remote access to a secure network. For example, figure element 209 may represent FIBERLINK COMMUNICATIONS CORPORATION that provides a service of managing remote access to secure networks of Company XYZ 210. Access to Company XYZ's 210 secure networks is controlled by a RADIUS authentication server 207 that accesses a RADIUS authentication database 208. As discussed in the Background of the Invention section, RADIUS is a widely accepted remote authentication protocol. It should be understood, however, that the present invention is in no way limited to an implementation based on RADIUS. On the contrary, the concepts of the present invention are equally applicable to any authentication protocol.
The RADIUS protocol requires that a RADIUS client communicate with a RADIUS server to perform the authentication process. A RADIUS client, therefore, must be able to not only receive and unpack a RADIUS message, but also create a RADIUS message that can be sent to the RADIUS server. Accordingly, a client application is necessary to perform this requisite processing. As recognized by the present inventors, it is undesirable to place the processing burden of a RADIUS client onto typical wireless devices. As would be understood, a typical wireless device, such as a PDA, has limited processing capability, and it is more desirable to allocate that processing power to user applications, rather than infrastructure applications such as RADIUS.
It was the present inventors who recognized that the processing requirements of a RADIUS client could be offloaded to, for example, a third party 209 providing a service of managing remote access to the secured networks of Company XYZ 210. Accordingly, as shown in
The present inventors also recognized that the processing requirements of a RADIUS client could be offloaded to, for example, a separate device dedicated to wireless authentication, located within the confines of Company XYZ, and configured to communicate with the RADIUS authentication server 207 of Company XYZ 210 via the IP network 204. Thus, in an alternative embodiment, the wireless access service provider 205 is located within the boundaries of Company XYZ 210 and is configured to communicate with the RADIUS authentication server 207, the wireless user 201, and the wireless application gateway 206 via an IP network 204. In this alternative embodiment, the wireless access service provider 205 communicates with the RADIUS authentication server 207 and the wireless application gateway 206 via Company XYZ's 210 private IP network, and the wireless access service provider 205 communicates with the wireless user 201 over an external network, for example, the Internet. Those skilled in the art will recognize that in this alternative embodiment, the wireless access service provider 205 and the wireless application gateway 206 could both be implemented as computer programs running on the same computer, in which case an IP network is not needed for the two computer programs to communicate.
Continuing with
Upon receipt of the RADIUS authentication request message 309, a RADIUS server residing on Company XYZ's 304 secure network will attempt to authenticate the wireless end user 301 by accessing the RADIUS authentication database. Company XYZ's 304 RADIUS authentication server will then send a RADIUS message 310 indicating that access was either granted or denied back to the wireless access service provider 303. The wireless access service provider will interpret the RADIUS message 310 received from Company XYZ 304, and then create a non-RADIUS message 311 to communicate the result of the authentication request back to the wireless end user 301. As discussed above, the communications between the wireless end user 301 and the wireless access service provider are, in one embodiment of the present invention, HTTP messages.
From a perspective of Company XYZ 304, wireless end user 301 is not unlike a typical dial-in user requesting access to Company XYZ's 304 secure networks through an Internet Service Provider. Accordingly, as recognized by the present inventors, wireless end users 301 may be authenticated taking advantage of the same authentication infrastructure that is used by other remote users.
The process then proceeds to step S505 where the RADIUS authentication server of Company XYZ queries the RADIUS authentication database in an attempt to authenticate the user. The process then proceeds to step S506 where it is determined whether the user is authenticated. If the user is authenticated (i.e., “yes” at step S506), the process proceeds to step S507 where a confirmation message is sent from the RADIUS authentication server of Company XYZ to the third party wireless access service provider. If, on the other hand, the user is not authenticated (i.e., “no” at step S506), the process proceeds to step S508 where the RADIUS authentication server of Company XYZ sends an authentication failure message to the third party wireless access service provider.
After the authentication status message has been sent to the third party wireless access service provider at either step S507 or step S508, the process proceeds to step S509 where the third party wireless access service provider determines whether the end user is a wireless client. If it is determined that the end user requesting authentication is not a wireless client (i.e., “no” at step S509), the process proceeds to step S510 where the RADIUS authentication result message is returned to the RADIUS client that initiated the authentication request. After the authentication result message has been sent to the RADIUS client, the process ends.
If, on the other hand, it is determined that the end user is a wireless client (i.e., “yes” at step S509), the process proceeds to step S511 where the third party wireless access service provider repacks the authentication result message from a RADIUS message into a message compatible with the wireless end user. After the third party wireless access service provider has repacked the authentication result message, the process proceeds to step S512 where the repacked authentication result message is sent to the non-RADIUS end user. After the authentication result has been sent, the process ends.
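The repacking described above (HTTP credentials in, RADIUS Access-Request out, RADIUS reply in, HTTP status out, steps S505 through S512) as an added worked example; this is not code from the patent or from any product it names. It assumes a constructed shared secret and NAS address, HTTP form fields named `username` and `password`, an in-memory stand-in for the corporate RADIUS server, and PAP User-Password hiding and Response Authenticator computation as specified in RFC 2138. The translator verifies the Response Authenticator and identifier before converting a reply, so a forged or mismatched reply is never reported to the wireless device as access granted.

```python
"""Repack an HTTP credential submission into a RADIUS Access-Request and a
RADIUS reply back into an HTTP status, following RFC 2138 packet formats."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed shared secret for this example only; a deployment keeps the
# secret out of source code and unique per RADIUS client.
SHARED_SECRET = b"example-shared-secret"


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _hide_password(password, secret, request_auth):
    """RFC 2138 s5.2: XOR each 16-byte chunk with a chained MD5 key stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def _reveal_password(hidden, secret, request_auth):
    """Inverse of _hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attributes(payload):
    """Walk the attribute area, rejecting any length that runs off the packet."""
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = payload[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_access_request(form_fields, identifier, secret=SHARED_SECRET, request_auth=None):
    """Repack the wireless device's HTTP form fields into a RADIUS Access-Request."""
    request_auth = request_auth or os.urandom(16)  # fresh per request
    hidden = _hide_password(form_fields["password"].encode(), secret, request_auth)
    attrs = (_attr(USER_NAME, form_fields["username"].encode())
             + _attr(USER_PASSWORD, hidden)
             + _attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 1])))  # constructed NAS address
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def radius_server_reply(request, user_db, secret=SHARED_SECRET):
    """Stand-in for the corporate RADIUS server: checks the password against
    the database and returns an Accept or Reject with a Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attributes(request[20:length])
    user = attrs[USER_NAME].decode()
    password = _reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)  # no reply attributes
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def translate_reply_to_http(reply, request, secret=SHARED_SECRET):
    """Repack the RADIUS result into an (HTTP status, message) pair, refusing any
    reply whose identifier or Response Authenticator does not verify."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return 502, "RADIUS reply identifier mismatch"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        return 502, "RADIUS Response Authenticator failed verification"
    if code == ACCESS_ACCEPT:
        return 200, "Access granted"
    return 403, "Access denied"
```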
Based on user information and passwords provided by the remote device, a RADIUS authentication request message is repacked (if the remote device is a wireless device 601) or is relayed (if the remote device is a non-wireless device 605) by the wireless access service provider 607 via the IP network 604 to a RADIUS authentication server 608 located at Company XYZ 614. The RADIUS authentication server 608 checks the information contained in the authentication request message against data contained in the RADIUS authentication database 609 and replies to the wireless access service provider 607 via the IP network 604 with either a RADIUS authentication granted message or a RADIUS authentication denied message. In addition, the wireless access service provider 607 and the RADIUS authentication server 608 exchange RADIUS account management messages via the IP network 604 when a user's account is activated and deactivated.
Optionally, the wireless access service provider 607 may be configured to operate a timer for determining when a wireless session has expired and thereby notifying the remote device (e.g., the wireless device 601 or the non-wireless device 605) and the corresponding gateway device (e.g., the wireless application gateway 610 or the non-wireless application gateway 617). Actual traffic between the remote device (i.e., the wireless device 601 or the non-wireless device 605) and the corresponding gateway device (i.e., the wireless application gateway 610 or the non-wireless application gateway 617) is exchanged via the IP Network 604 over corresponding paths (i.e., wireless data path 616 and non-wireless data path 615). It is also possible to provide different access privileges to different access devices (e.g., when using a wireless device 601 user A may be granted access to secure application one 611, while when using a non-wireless device 605 user A may be granted access to secure application one 611, secure application two 612, and secure application three 613). In another embodiment, the integrated wireless/non-wireless authentication environment may include a wireless access service provider 607 within the boundaries of Company XYZ 614 that communicates with the wireless device 601, the wireless application gateway 610, and the RADIUS authentication server 608 via an IP network 604. In this embodiment, the wireless access service provider 607 communicates with the RADIUS authentication server 608 and the wireless application gateway 610 via Company XYZ's 614 private IP network, and the wireless access service provider 607 communicates with the wireless user 601 over an external network, for example, the Internet. 
Those skilled in the art will recognize that in this alternative embodiment, the wireless access service provider 607 and the wireless application gateway 610 could both be implemented as computer programs running on the same computer, in which case an IP network is not needed for the two computer programs to communicate.
The computer system 1201 also includes a disk controller 1206 coupled to the bus 1202 to control one or more storage devices for storing information and instructions, such as a magnetic hard disk 1207, and a removable media drive 1208 (e.g., floppy disk drive, read-only compact disc drive, read/write compact disc drive, compact disc jukebox, tape drive, and removable magneto-optical drive). The storage devices may be added to the computer system 1201 using an appropriate device interface (e.g., small computer system interface (SCSI) integrated device electronics (IDE), enhanced-IDE (E-IDE), direct memory access (DMA), or ultra-DMA).
The computer system 1201 may also include special purpose logic devices (e.g., application specific integrated circuits (ASICs)) or configurable logic devices (e.g., simple programmable logic devices (SPLDs), complex programmable logic devices (CPLDs), and field programmable gate arrays (FPGAs)).
The computer system 1201 may also include a display controller 1209 coupled to the bus 1202 to control a display 1210, such as a cathode ray tube (CRT), for displaying information to a computer user. The computer system includes input devices, such as a keyboard 1211 and a pointing device 1212, for interacting with a computer user and providing information to the processor 1203. The pointing device 1212, for example, may be a mouse, a trackball, or a pointing stick for communicating direction information and command selections to the processor 1203 and for controlling cursor movement on the display 1210. In addition, a printer may provide printed listings of data stored and/or generated by the computer system 1201.
The computer system 1201 performs a portion or all of the processing steps of the invention in response to the processor 1203 executing one or more sequences of one or more instructions contained in a memory, such as the main memory 1204. Such instructions may be read into the main memory 1204 from another computer readable medium, such as a hard disk 1207 or a removable media drive 1208. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 1204. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions. Thus, embodiments are not limited to any specific combination of hardware circuitry and software.
As stated above, the computer system 1201 includes at least one computer readable medium or memory for holding instructions programmed according to the teachings of the invention and for containing data structures, tables, records, or other data described herein. Examples of computer readable media are compact discs, hard disks, floppy disks, tape, magneto-optical disks, PROMs (EPROM, EEPROM, flash EPROM), DRAM, SRAM, SDRAM, or any other magnetic medium, compact discs (e.g., CD-ROM), or any other optical medium, punch cards, paper tape, or other physical medium with patterns of holes, a carrier wave (described below), or any other medium from which a computer can read.
Stored on any one or on a combination of computer readable media, the present invention includes software for controlling the computer system 1201, for driving a device or devices for implementing the invention, and for enabling the computer system 1201 to interact with a human user. Such software may include, but is not limited to, device drivers, operating systems, development tools, and applications software. Such computer readable media further include the computer program product of the present invention for performing all or a portion (if processing is distributed) of the processing performed in implementing the invention.
The computer code devices of the present invention may be any interpretable or executable code mechanism, including but not limited to scripts, interpretable programs, dynamic link libraries (DLLs), Java classes, and complete executable programs. Moreover, parts of the processing of the present invention may be distributed for better performance, reliability, and/or cost.
The term “computer readable medium” as used herein refers to any medium that participates in providing instructions to the processor 1203 for execution. A computer readable medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, optical, magnetic disks, and magneto-optical disks, such as the hard disk 1207 or the removable media drive 1208. Volatile media includes dynamic memory, such as the main memory 1204. Transmission media includes coaxial cables, copper wire, and fiber optics, including the wires that make up the bus 1202. Transmission media may also take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.
Various forms of computer readable media may be involved in carrying out one or more sequences of one or more instructions to processor 1203 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions for implementing all or a portion of the present invention remotely into a dynamic memory and send the instructions over a telephone line using a modem. A modem local to the computer system 1201 may receive the data on the telephone line and use an infrared transmitter to convert the data to an infrared signal. An infrared detector coupled to the bus 1202 can receive the data carried in the infrared signal and place the data on the bus 1202. The bus 1202 carries the data to the main memory 1204, from which the processor 1203 retrieves and executes the instructions. The instructions received by the main memory 1204 may optionally be stored on storage device 1207 or 1208 either before or after execution by processor 1203.
The computer system 1201 also includes a communication interface 1213 coupled to the bus 1202. The communication interface 1213 provides a two-way data communication coupling to the Gateway Device 1299. For example, the communication interface 1213 may be a network interface card to attach to any packet switched LAN. As another example, the communication interface 1213 may be an asymmetrical digital subscriber line (ADSL) card, an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of communications line. In any such implementation, the communication interface 1213 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
The network link 1214 typically provides data communication through one or more networks to other data devices. For example, the network link 1214 may provide a connection to another computer through a local network 1215 (e.g., a LAN) or through equipment operated by a service provider, which provides communication services through a communications network 1216. The local network 1214 and the communications network 1216 use, for example, electrical, electromagnetic, or optical signals that carry digital data streams, and the associated physical layer (e.g., CAT 5 cable, coaxial cable, optical fiber, etc). The signals through the various networks and the signals on the network link 1214 and through the communication interface 1213, which carry the digital data to and from the computer system 1201 may be implemented in baseband signals, or carrier wave based signals. The baseband signals convey the digital data as unmodulated electrical pulses that are descriptive of a stream of digital data bits, where the term “bits” is to be construed broadly to mean symbol, where each symbol conveys at least one or more information bits. The digital data may also be used to modulate a carrier wave, such as with amplitude, phase and/or frequency shift keyed signals that are propagated over a conductive media, or transmitted as electromagnetic waves through a propagation medium. Thus, the digital data may be sent as unmodulated baseband data through a “wired” communication channel and/or sent within a predetermined frequency band, different than baseband, by modulating a carrier wave.
Instructions, parameters, reference data associated with the above-described embodiments may be encoded in software and/or firmware.
Obviously, numerous modifications and variations of the present invention are possible in light of the above teachings. It is therefore to be understood that within the scope of the appended claims, the invention may be practiced otherwise than as specifically described herein.
This application claims priority to commonly owned U.S. provisional patent application Ser. No. 60/307,172, entitled WIRELESS ACCESS SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT, filed in the U.S. Patent and Trademark Office on 24 Jul. 2001, and commonly owned U.S. provisional patent application Ser. No. 60/314,656, entitled WIRELESS ACCESS SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT, filed in the U.S. Patent and Trademark Office on 27 Aug. 2001, the entire contents of both being incorporated herein by reference.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/US02/23490 | 7/24/2002 | WO | 00 | 11/30/2004 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO03/010669 | 2/6/2003 | WO | A |
Number | Date | Country |
---|---|---|
20050254651 A1 | Nov 2005 | US |

Number | Date | Country |
---|---|---|
60307172 | Jul 2001 | US |
60314656 | Aug 2001 | US |