This invention relates to computer communications, and to a method, an apparatus and computer software for implementing them. More particularly, it relates to computer communications involving information which may have security marking.
Methods of connecting laptop computers to fixed computer networks by wireless links (radio or optical links) are well-known in the prior art, and are defined by standards referred to as the IEEE 802.11 standards: these standards are specifications for radio-based digital Local Area Networks (LANs); WPA (Wi-Fi Protected Access) is an interoperability certification standard which provides security for wireless products based on the IEEE 802.11i standard; and Wi-Fi (Wireless Fidelity) is a body which certifies products for compliance with IEEE 802.11 standards.
The standards referred to include the following:
Products are commercially available from more than one company for securely connecting computers to remote networks via wired telephone links available in the conventional way by dialling a number. Here “wired” includes wired communications paths such as via the public switched telephone network (PSTN, which may include radiated microwave path sections) used by public telecommunications operators (PTOs). These products can reasonably be accredited as suitable for use in passing UK classified information. A list of such products is available from the Communication Electronics Security Group (CESG), the UK Government's National Technical Authority for Communications.
A manufacturer of wireless equipment may apply to have it tested by CESG and accredited as suitable for use with classified information, in a similar manner to that implemented for wired links. However, accreditation is a time-consuming process and requires the manufacturer to freeze the wireless equipment design. CESG only approves a specific design: an approved design which is altered in any way, such as by fixing a bug, automatically becomes non-approved.
An alternative accreditation route is provided by a document published by CESG and known as Manual V. Equipment in conformity with principles set out in Manual V should obtain CESG approval. However, although Manual V specifies some requirements, it intentionally does not go into detail to leave room for equipment design flexibility.
It is an object of the invention to provide an alternative technique for wireless communications.
The present invention provides a method for computer communications having the steps of:
The invention makes it possible to use a range of existing wired access techniques to provide access in a wireless scenario. Moreover, if accredited wired access has been obtained, it becomes possible to re-use such access for wireless applications without the need for new techniques or infrastructure or staff retraining.
The step of applying both protocols may comprise applying the VPN protocol to a message to render it VPN-secured and applying the wireless-linking protocol to the VPN-secured message to render it doubly secured.
The receiving network may have a logical LAN configuration protecting it against unauthorised access. The logical LAN configuration may have first and second logical LANs, the first logical LAN:
The first logical LAN may include:
The first logical LAN may be associated with firewall functionality configured to monitor data flow within and to and from that LAN but excluded from management of elements of that LAN.
The wireless-linking protocol may involve certificate-based authentication and be implemented by means of a RADIUS server. It may alternatively be implemented by means of a pre-shared key (PSK). It may involve authentication by EAP-TLS, EAP-TTLS, PEAP or LEAP as hereinafter defined.
The step of applying both protocols may involve producing secured status by encryption to provide a VPN-encrypted message and to provide for the doubly secured message to be doubly encrypted, and the step of processing the doubly secured message to recover the message then involves double decryption.
The receiving network may have classified and unclassified virtual networks and the method may include allowing the doubly secured message access to the classified virtual network, and also allowing wireless messages access to the unclassified virtual network if such messages are secured by the wireless-linking protocol but not the VPN protocol. It may be associated with offline and root certificate servers and the method may include authenticating wireless messages using certificates from such servers. It may have an unclassified RADIUS server and the method may include authenticating wireless messages using certificates from that server. It may have an unclassified certificate server arranged to supply certificates marked to indicate use by wireless only and the method may include authenticating messages by wireless using certificates so marked from that server.
The method may include counteracting a security threat posed by potential computer theft by arranging for the computer apparatus to be screen locked when it becomes unattended by authorised personnel.
In another aspect, the present invention provides an apparatus for computer communications incorporating:
The means for applying both protocols may be arranged to apply the VPN protocol to a message to render it VPN-secured and to apply the wireless-linking protocol to the VPN-secured message to render it doubly secured.
The receiving network may have a logical LAN configuration protecting it against unauthorised access. The logical LAN configuration may have first and second logical LANs; the first logical LAN:
The first logical LAN may include:
The first logical LAN may be associated with firewall functionality configured to monitor data flow within and to and from that LAN but excluded from management of elements of that LAN.
The apparatus may include means for implementing a RADIUS server arranged to provide the wireless-linking protocol in a form which involves certificate-based authentication. It may alternatively include means for implementing a pre-shared key (PSK) to provide the wireless-linking protocol. As a further alternative, it may include means for providing the wireless-linking protocol using authentication by EAP-TLS, EAP-TTLS, PEAP or LEAP.
The means for applying both protocols may be arranged to produce secured status by encryption to provide a VPN-encrypted message and to provide for the doubly secured message to be doubly encrypted, and the means for processing the doubly secured message to recover the message is then arranged to provide double decryption.
The receiving network may have classified and unclassified virtual networks and the apparatus may be arranged to allow the doubly secured message access to the classified virtual network and also to allow wireless messages access to the unclassified virtual network if such messages are secured by the wireless-linking protocol but not the VPN protocol. It may be associated with offline and root certificate servers and the apparatus may be arranged to authenticate wireless messages using certificates from such servers. It may have an unclassified RADIUS server and the apparatus may be arranged to authenticate wireless messages using certificates from that server. It may have an unclassified certificate server arranged to supply certificates marked to indicate use by wireless only and the apparatus may be arranged to authenticate messages by wireless using certificates so marked from that server.
The apparatus may be arranged to counteract a security threat posed by potential computer theft by providing for the computer apparatus to become screen locked when unattended by authorised personnel.
In a further aspect, the present invention provides computer software for computer communications, the software having instructions for controlling a computerised communications network to execute the steps of:
The software may have instructions for implementing application of both protocols by applying the VPN protocol to a message to render it VPN-secured and applying the wireless-linking protocol to the VPN-secured message to render it doubly secured.
The software may have instructions for implementing a logical LAN configuration protecting the receiving network against unauthorised access. The logical LAN configuration may have first and second logical LANs; the first logical LAN:
The first logical LAN may include:
The first logical LAN may be associated with firewall functionality configured to monitor data flow within and to and from that LAN but excluded from management of elements of that LAN.
The software may have instructions for implementing a RADIUS server to provide the wireless-linking protocol, which may involve certificate-based authentication. It may alternatively have instructions for implementing a pre-shared key (PSK) to provide the wireless-linking protocol. As a further alternative, it may include instructions for implementing the wireless-linking protocol with authentication by EAP-TLS, EAP-TTLS, PEAP or LEAP.
The software may have instructions for applying both protocols to produce secured status by encryption to provide a VPN-encrypted message and to provide for the doubly secured message to be doubly encrypted, and for processing the doubly secured message to recover the message by double decryption.
The receiving network may have classified and unclassified virtual networks and the software may have instructions for allowing the doubly secured message access to the classified virtual network and for allowing wireless messages access to the unclassified virtual network if they are secured by the wireless-linking protocol but not the VPN protocol. It may be associated with offline and root certificate servers and the software may have instructions for authenticating wireless messages using certificates from such servers. The software may have instructions for authenticating wireless messages using certificates from an unclassified RADIUS server which the receiving network incorporates. The receiving network may have an unclassified certificate server arranged to supply certificates marked to indicate use by wireless only, and the software may have instructions for authenticating messages by wireless using certificates so marked from that server.
The software may include instructions for counteracting a security threat posed by potential computer theft by providing for the computer apparatus to be screen locked when it becomes unattended by authorised personnel.
In order that the invention might be more fully understood, embodiments thereof will now be described, by way of example only, with reference to the accompanying drawings, in which:
Referring to
In practice the term VPN could be used to cover any networking technology which offers a level of security to the networking traffic that uses it. For example, HTTPS (secure web sites such as Internet Banking), SSH (secure shell—defined below), IPSec (the most suitable to be termed a pure VPN technology), PPP (Point-to-Point Protocol), GPRS (General Packet Radio Service used on mobile telephones), 3G (3rd Generation of mobile telephone technology), WPA (Wi-Fi Protected Access used in wireless networks) and Bluetooth (used for short range, low bandwidth wireless links) all offer some level of security to the traffic they carry.
However, for clarity of this document the term VPN will only cover technologies not specifically designed for wireless links. For example, the term VPN includes HTTPS, SSH, IPSec and PPP but excludes GPRS, 3G, WPA and Bluetooth.
The Check Point VPN software is approved by CESG as suitable for use in passing classified information to remote recipients via wired communications links. It is configured to use “secure tunnelling” through the wired links T1, T3 and E1. The expression “secure tunnelling” arises as follows: a computer adds a protocol P1 (e.g. IP Internet Protocol) to message data D. The VPN software encrypts the protocol combination P1D and adds a second protocol P2 (e.g. IPSec ESP Encapsulating Security Payload) which merely shows the message has been encrypted. A third protocol P3 (e.g. IP) is required to render the protocol combination P2P1D suitable for onward transmission to Firewall F1, Ethernet E1 and Firewall F2, and so it is added by the computer. Firewall F2 then removes Protocols P3 and P2, and decrypts the protocol combination P1D. This is then suitable for onward transmission through DMZ Z1 to a recipient or recipients. Upon receipt the first protocol P1 will be removed and the data D consumed. The first protocol combination P1D is said to tunnel through the third protocol P3.
Data from the PSTN N3 which is allowed to pass by the first firewall F1 reaches an Ethernet LAN E1, to which the first WAN N1 is connected via a second firewall F2, a first demilitarised zone (DMZ) Z1 and a third firewall F3. The first DMZ Z1 contains computers such as C1 for use by system administrators only. The second and third firewalls F2 and F3 are of different types, so unwanted communications which manage to breach the first and second firewalls F1 and F2 are unlikely to breach the third firewall F3. This arrangement is conventional for provision of a high level of security for a network intended to be suitable for dealing with classified data, and hence the first WAN N1 is designated a “classified” network.
When the classified laptop LT1 requests a VPN tunnel communication (defined above) with the classified WAN N1 via the PSTN N3, the first firewall F1 passes the request to the second firewall F2. The two parties LT1 and F2 are then able to negotiate authentication and encryption protection for transfer of classified data. The negotiation occurs using a secure message exchange in which the second firewall F2 attempts to validate credentials stored on the classified laptop LT1. This may also occur in the opposite direction, with the classified laptop LT1 validating credentials stored on the second firewall F2. If the validation is successful, keys derived from the message exchange are then used for VPN encryption between the classified laptop LT1 and the second firewall F2. This procedure creates a path or tunnel from the classified laptop LT1 to the second firewall F2: the path is unclassified from the classified laptop LT1 as far as the second firewall F2, and classified from the classified laptop LT1 to the DMZ Z1.
The second WAN N2 is connected to the Ethernet LAN E1 via a single firewall, i.e. a fourth firewall F4: it is designated an “unclassified” network because the first and fourth firewalls F1 and F4 only provide a moderate level of security for communications from the unclassified laptop LT2. A network time protocol (NTP) server provides time synchronisation for all devices communicating with the Ethernet LAN E1, which is connected via a fifth firewall F5 to a public communications medium PC1 providing a public DMZ. User computers such as U1 are connected to the public communications medium PC1, and communicate with the Internet I via a sixth firewall F6. This sixth firewall F6 provides a low level of security for the public DMZ, which is tolerated in the interests of allowing many types of communications traffic to pass between the public DMZ and the Internet, e.g. email and web browsing. It allows browsing from the Internet I to the public DMZ, but the fifth firewall F5 inhibits browsing from the Internet I to the Ethernet LAN E1.
For the purposes of the description below, the following terms of art will be used:
In addition, a variety of prior art computer-based user authentication techniques may be used in the following example, a number of which are described in the following references:
Referring now to
The certificate server CS creates certificates for and issues them to users. It also keeps a store of the certificates issued and updates certificate revocation lists for users whose access has become revoked. It copies valid certificates and notifies revoked certificates to the RADIUS server RS, which carries out authentication. A user certificate generated originally by the certificate server CS is validated every time the associated user wirelessly connects, against credentials stored at any convenient point (in this case the RADIUS server RS).
In order to communicate with the classified WAN N1 via the first firewall F1, a user of the wireless-linked classified laptop WLT1 firstly initiates a mutual authentication process with the access point AP using a published authentication technique such as EAP-TLS previously referenced: i.e. the wireless-linked classified laptop WLT1 and the RADIUS server RS authenticate one another. This process is an exchange which is encapsulated in the IEEE 802.1x protocol, and it is implemented over the wireless link 10 between the classified laptop WLT1 and the access point AP. The access point AP translates the IEEE 802.1x exchange into a RADIUS exchange which is conveyed via the first firewall F1 to the RADIUS server RS for validation. If the user of the wireless-linked classified laptop WLT1 is authenticated by virtue of presenting a valid certificate, wireless encryption keys K1 derived from the authentication technique (EAP-TLS) are set up in the access point AP and the wireless-linked classified laptop WLT1. The encryption keys K1 are used to encrypt and decrypt messages as they are transmitted and received over the wireless link 10.
Using this now secured wireless link 10, the wireless-linked classified laptop WLT1 requests a VPN “tunnel” as described earlier for the wire-linked classified laptop LT1, from the second firewall F2. This process results in two layers of security from the wireless-linked classified laptop, one of which is removed by the access point AP, and the other of which is removed by the second firewall F2.
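The following is an added illustration of the two layers just described (the VPN tunnel P3 P2 Enc(P1 D) of the "secure tunnelling" passage, and the wireless layer under key K1 applied on top of it); it is not code from the patent. It assumes that the VPN session key and K1 have already been negotiated, and it uses an HMAC-SHA256 keystream with an HMAC tag as a stand-in for the real WPA and IPsec ESP ciphers so that it runs with only the Python standard library. The headers P1, P2, P3 and the wireless frame header are short ASCII tags. The access point, holding only K1, forwards VPN ciphertext it cannot read; firewall F2 alone recovers P1D, and a corrupted packet on the wired hop fails the VPN integrity check.

```python
"""Added illustration, not code from the patent: one message D carried under
two independent security layers.  Layer 1 is the VPN tunnel between the laptop
and firewall F2, written as P3 P2 Enc_Kvpn(P1 D); layer 2 is the wireless
encryption under key K1 between the laptop and the access point AP.
The cipher below (HMAC-SHA256 keystream plus an HMAC tag) is a stand-in for
WPA's and IPsec ESP's real ciphers, chosen only to keep the example stdlib-only."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key: bytes) -> tuple:
    # separate encryption and authentication keys derived from one session key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a forged or corrupted blob never decrypts."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Protocol headers P1..P3 and the wireless frame header, as short ASCII tags.
P1, P2, P3, WIFI = b"IP1:", b"ESP:", b"IP3:", b"WPA:"

def laptop_send(data: bytes, k_vpn: bytes, k1: bytes) -> bytes:
    """WLT1: VPN layer first (P1D tunnelled inside P3), then the wireless layer."""
    vpn_packet = P3 + P2 + seal(k_vpn, P1 + data)   # P3 P2 Enc(P1 D)
    return WIFI + seal(k1, vpn_packet)               # doubly secured frame on link 10

def access_point_forward(frame: bytes, k1: bytes) -> bytes:
    """AP: strips only the wireless layer; what it forwards is still VPN ciphertext."""
    if not frame.startswith(WIFI):
        raise ValueError("not a wireless frame")
    return unseal(k1, frame[len(WIFI):])

def firewall_f2_receive(packet: bytes, k_vpn: bytes) -> bytes:
    """F2: removes P3 and P2 and decrypts; returns P1D for onward transit via DMZ Z1."""
    if not packet.startswith(P3 + P2):
        raise ValueError("not a VPN tunnel packet")
    return unseal(k_vpn, packet[len(P3 + P2):])

def recipient_consume(p1d: bytes) -> bytes:
    """Final host: removes P1 and consumes the data D."""
    if not p1d.startswith(P1):
        raise ValueError("missing inner header")
    return p1d[len(P1):]

def run_exchange(data: bytes = b"classified report, constructed sample") -> dict:
    k_vpn = hashlib.sha256(b"constructed VPN session key").digest()  # from the F2 negotiation
    k1 = hashlib.sha256(b"constructed K1 from EAP-TLS").digest()     # installed at AP and WLT1
    frame = laptop_send(data, k_vpn, k1)
    at_ap = access_point_forward(frame, k1)          # AP's view after removing layer 2
    p1d = firewall_f2_receive(at_ap, k_vpn)
    tampered = bytearray(at_ap)
    tampered[-1] ^= 0x01                             # one bit flipped on the wired hop
    try:
        firewall_f2_receive(bytes(tampered), k_vpn)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"recovered": recipient_consume(p1d),
            "ap_sees_plaintext": data in at_ap,      # False: AP has K1 but not K_vpn
            "tamper_detected": tamper_detected}

if __name__ == "__main__":
    print(run_exchange())
```

The order of operations matters: the VPN layer is applied first and removed last, so the only party that ever sees D in clear beyond the laptop is the recipient behind F2; the access point, which is exactly the element the later passages treat as needing protection, is never trusted with the VPN key.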
The foregoing wireless security technique described with reference to
It is an important step towards having a demonstrably secure system by protecting wireless access to the classified WAN N1 using the same VPN certification process that is used to protect wired dial-up access from laptop LT1 via PSTN N3. However, the VPN certification process assumes that an attacker needs physical access to a communications path in order to intercept communications upon it, and that the attacker's physical presence makes the attacker liable to be identified. That is a reasonable assumption for a wired communications link but less so for a wireless link: a wireless link can be tapped into or altered without an attacker's physical presence, so a VPN certification process used with a wireless link does not provide protection sufficient for CESG approval.
A further problem is that the RADIUS server RS and the certificate server CS are computer-based products which are vulnerable to attack. The RADIUS and certificate management functionality, the access point AP and the computer hosting the RADIUS Server RS and the certificate server CS cannot be trusted to defend themselves against any serious attack without additional functionality. If the requirement is for a higher level of security, these items should collectively have security equivalent to that of the PSTN N3 and links T1 and T3.
In many scenarios, to achieve a higher level of security, it is for example desirable to guard against an attacker stealing an unclassified laptop WLT2 and using its certificate to attack the configuration of the access point AP so that a certificate is not needed for wireless access. Other possible attacks are to attack the layer 3 switch configuration, or the certificate server CS to insert rogue certificates, or the RADIUS server RS to give an unauthorised instruction to the access point AP to grant permission to pass an undesirable message or messages.
The solution to this higher level security problem is to subdivide into logical LANs the physical LAN consisting of the access point AP, the first firewall F1, the TEMPEST barrier B, the layer 3 switch L3S, the RADIUS server RS, the Certificate server CS and their wired connections 14: this physical LAN together with the first firewall F1 defines a receiving network RN. Logical LANs are two or more LANs using the same physical wired links but with communications separated by encryption, data tagging or trusted hardware. The logical LANs are implemented as follows: a first logical LAN, referred to as the management LAN, includes and manages the following elements: the layer 3 switch L3S, the access point AP, the RADIUS server RS and the Certificate server CS. The management LAN treats the first firewall F1 as untrusted because it is connected to the Ethernet LAN E1, which is unclassified and therefore more at risk of coming under hostile attack. The first firewall F1 is therefore not allowed to participate in management of any element of the management LAN, and merely monitors data flow. For this reason it is not treated as part of the management LAN, even though it provides data flow paths for certificate authentication and communication with the Ethernet LAN E1.
The access point AP is configured so that it cannot be remotely managed except by items that are on the management LAN. The layer 3 switch L3S is trusted to enforce a rule that message traffic from ports on the management LAN can only go to other ports on the management LAN. In addition, the access point AP and layer 3 switch L3S are configured so that all their remote management has to be done via SSH. The management LAN is also configured to permit the access point AP to contact RADIUS server RS to make authentication requests on behalf of a user of either of the wireless-linked laptops WLT1 and WLT2.
The first firewall F1 is configured to enforce a rule that the only traffic allowed to reach the access point AP is SSH traffic from the RADIUS server RS, NTP packets and RADIUS traffic. The layer 3 switch L3S is configured so that it cannot be remotely managed except by the RADIUS server. The first firewall F1 and layer 3 switch L3S are further configured so that all items on the management LAN synchronise their time to the NTP server and all NTP packets arriving from elsewhere are discarded.
A second logical LAN (communications LAN) is defined which allows the wireless-linked laptops WLT1 and WLT2 to communicate via the first firewall F1 with the Ethernet LAN E1 and then onwards either with the classified WAN N1 or with the unclassified WAN N2. The first firewall F1 is configured so that message traffic to and from the wireless-linked laptops WLT1 and WLT2 cannot go to either the RADIUS server RS or the Certificate server CS, thereby protecting these servers from attack via the wireless network defined by wireless links 10 and 12 or via an Unclassified network defined by the Ethernet LAN E1: computers connected to these networks could potentially be used by Trojan horse or other attacker software to breach the security of the wireless system defined by the physical network WN consisting of the access point AP, the first firewall F1, the TEMPEST barrier B, the layer 3 switch L3S, the RADIUS server RS, the Certificate server CS and their wired connections 14, and the networks E1, N1, N2, DMZ Z1 and firewalls F2 to F4 connected to it. However, with these two logical LANs, a hostile wireless-linked laptop has no path to the RADIUS server RS unless it achieves access to the wired links 14, in which case it could simulate being on either of the logical LANS. It is therefore important for the logical LANs to be kept separate and for the wired links 14 to be protected from unauthorised access.
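The rules of the management LAN and communications LAN set out above, written as one policy function and checked against constructed flows. This is an added illustration, not the patent's own configuration: host names are the patent's reference labels, the combined effect of the first firewall F1 and the layer 3 switch L3S is modelled as a single decision, and the protocol name used for certificate copying from CS to RS is a constructed label. The 802.1x exchange on wireless link 10 terminates at the access point itself and is outside this wired-side policy.

```python
"""Added illustration, not the patent's own configuration: the logical-LAN
rules expressed as one policy function over (source, destination, protocol)."""

MANAGEMENT_LAN = {"L3S", "AP", "RS", "CS"}     # first logical LAN
LAPTOPS = {"WLT1", "WLT2"}                     # wireless clients on the communications LAN
EXTERNAL = {"E1", "N1", "N2"}                  # Ethernet LAN and the WANs reached through F1
NTP_SERVER = "NTP"                             # the NTP server on the Ethernet LAN E1

def allowed(src: str, dst: str, proto: str) -> tuple:
    """Return (decision, name of the rule that produced it)."""
    # NTP: management items sync to the one NTP server; NTP from anywhere else is discarded
    if proto == "NTP":
        ok = src == NTP_SERVER and dst in MANAGEMENT_LAN
        return ok, "ntp-from-server" if ok else "ntp-discarded"
    # Communications LAN never reaches the RADIUS or certificate server
    if src in LAPTOPS and dst in {"RS", "CS"}:
        return False, "comms-lan-isolated-from-rs-cs"
    # L3S rule: management-LAN ports talk only to other management-LAN ports
    if src in MANAGEMENT_LAN and dst not in MANAGEMENT_LAN:
        return False, "mgmt-lan-stays-internal"
    # F1 rule: only SSH from RS or RADIUS traffic from RS reaches the AP on the wired side
    if dst == "AP":
        ok = src == "RS" and proto in {"SSH", "RADIUS"}
        return ok, "ap-reached-by-rs-only" if ok else "ap-only-ssh-or-radius-from-rs"
    # L3S is remotely managed only by RS, and management traffic is SSH only
    if dst == "L3S":
        ok = src == "RS" and proto == "SSH"
        return ok, "l3s-managed-by-rs" if ok else "l3s-management-denied"
    # AP asks RS to authenticate a laptop's certificate on its behalf
    if src == "AP" and dst == "RS" and proto == "RADIUS":
        return True, "ap-to-radius"
    # Remaining management-LAN traffic, e.g. CS copying certificates to RS
    if src in MANAGEMENT_LAN and dst in MANAGEMENT_LAN:
        return True, "mgmt-lan-internal"
    # Communications LAN: laptops reach E1 and onwards through F1
    if src in LAPTOPS and dst in EXTERNAL:
        return True, "comms-lan-via-f1"
    return False, "default-deny"

# Constructed flows exercising each rule; "CERT-SYNC" is a constructed protocol label.
SAMPLE_FLOWS = [
    ("AP", "RS", "RADIUS"), ("RS", "AP", "SSH"), ("CS", "AP", "SSH"),
    ("WLT1", "RS", "RADIUS"), ("WLT1", "E1", "IP"), ("NTP", "AP", "NTP"),
    ("WLT2", "AP", "NTP"), ("RS", "L3S", "SSH"), ("AP", "L3S", "SSH"),
    ("RS", "E1", "IP"), ("CS", "RS", "CERT-SYNC"), ("WLT2", "CS", "IP"),
]

def evaluate(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to its (decision, rule) pair."""
    return {flow: allowed(*flow) for flow in flows}

if __name__ == "__main__":
    for flow, (ok, rule) in evaluate().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {flow[0]:>4} -> {flow[1]:<4} {flow[2]:<9} ({rule})")
```

Rule order encodes the trust boundaries: the laptop-to-server and management-to-outside denials come before any allow, so a later, more permissive rule can never be reached by traffic those boundaries are meant to stop.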
As an alternative to the use of the RADIUS server RS and Certificate server CS in user authentication, a pre-shared key (PSK) could be used. PSK involves a cryptographic key being shared between a user and an access point AP before being used. The sharing is by some physical action such as a user manually entering it at an access point AP; i.e. the key is not transmitted over a communications link (wired or wireless) to avoid it becoming accessible to an attacker. It has the disadvantage that every access point (when there is more than one) requires the key to be input to it: use of the RADIUS server RS merely requires a single certificate to be entered on to each wireless-linked laptop WLT1 or WLT2, the certificate having been issued by the Certificate server CS. As a further alternative to using the certificate-based authentication technique described earlier (EAP-TLS), a number of other techniques may be employed. These rely on the user presenting a username and password, or other credentials that the user holds and has shared with the RADIUS server RS, instead of a certificate. Examples of this type of authentication are EAP-TTLS, PEAP and LEAP, which are standards similar to EAP-TLS.
Use of either of the RADIUS and PSK authentication techniques provides security protection for wireless access that is more secure than wired access, because for example:
In the example of the invention described with reference to
Different VPN techniques offer differing types of security to the traffic they carry. In the foregoing embodiment of the invention the Check Point VPN is used to provide integrity and confidentiality by applying authentication and encryption. However, such a VPN technology could be used to provide integrity only through only using authentication and not encryption. It is also possible but unlikely that encryption without authentication may be performed. In a similar fashion the wireless technique used to secure the wireless link (in the above embodiment RADIUS-based or PSK-based) could also provide either authentication or encryption or both.
These options give rise to a number of combinations, the most logical of which are:
The invention makes it possible to design a secure communications system for passing government classified information over wireless networks without input from a relevant national technical authority. Security that is at least as good as that obtainable with a wired communications system is obtained using WPA with:
In addition to wireless systems implementing IEEE 802.11, the invention is applicable to any non-wired communication system, e.g.:
As an alternative to the use of WPA for providing wireless protection, WPA2 (second generation WPA) could also be used as providing a stronger commercial level of encryption than WPA.
The invention is particularly advantageous for organisations that already have accredited or approved secure wired access techniques, for those techniques may also be used in a wireless scenario. Such an organisation does not have to develop new techniques or retrain its staff: it can continue to use existing infrastructure.
Message transfer as described above has been largely confined to that in one direction. However, in practice message transfer is bidirectional, and messages are sent both from the wireless-linked classified laptop WLT1 to the access point AP and from the access point to the wireless-linked classified laptop.
The embodiment of the invention described above relates to a method of applying two independent security techniques to achieve a greater level of security across a wireless communications link: one of these security techniques originates from a VPN technology not originally designed for dedicated use on wireless links, and the other technique is designed specifically for use with a wireless communications medium linking the wireless-linked classified laptop WLT1 to the access point AP.
Referring now to
The box 34 has a classified client software application (e.g. word processing, email) indicated by “C client” to the left of which there are successively VPN FW and 802.11+802.1x sub-boxes, and to the right an 802.1x sub-box. The VPN FW, and 802.11+802.1x and 802.1x sub-boxes have respective input/output (I/O) links 34a, 34b and 34c: of these, link 34a is a wireless link to a wireless access point AP2; link 34b is a dial up wired telephone link to a firewall F7 in the prior art network 32; and link 34c is a wired link to the prior art network 32.
The box 36 is associated with an unauthorised client software application but has no VPN FW, 802.11 or 802.1x sub-boxes. It has an I/O link 36a which is a wired link to the prior art network 32. Even if the user of unauthorised box 36 were to add VPN FW, 802.11 or 802.1x sub-boxes, they would not be recognised by the prior art system because they would lack the necessary certificates that authorise access.
The box 38 has an unclassified client software application indicated by “U client”: to the left of U client there is an 802.11+802.1x sub-box, and to the right an 802.1x sub-box. The 802.11+802.1x and 802.1x sub-boxes have respective I/O links 38a and 38b: of these, link 38a is a wireless link to the access point AP2, and link 38b is a wired link to the prior art network 32.
A further box 40 outside the prior art network 32 is associated with an external “Other” client. It has an 802.11 Wired Equivalent Privacy (WEP) or other WEP sub-box with an I/O link 40a, which is a wireless link to the access point AP2.
The prior art network 32 incorporates a first element 50 referred to as an SMVI, which implements a switch, management of virtual WANs (VWAN) and Internet Authentication Service (IAS) proxy software. The SMVI 50 communicates via respective RADIUS-only firewalls FR1 and FR2 with classified “C” and unclassified “U” RADIUS servers 52C and 52U linked with respective certificate servers “CS” 54C and 54U. The certificate servers 54C and 54U receive their certificates from respective offline certificate servers 56C and 56U, which in turn receive their certificates from a root certificate server 58. Here the expression “offline” means there is no direct electronic or other link: instead transfers are implemented by recording data from one server on to a recording medium such as a compact disc, taking the disc to another server and loading the recorded data into the latter. This gives a high level of security as demonstrably no information flows in the reverse direction.
The SMVI 50 controls access to a single physical connection shown as two virtual connections 60C and 60U. These virtual connections give access to classified and unclassified virtual WANs (VWANs, not shown) in a similar way to that described with reference to
In accordance with the invention, the prior art network 32 is modified to replicate items 50 to 54U for use in wireless access. These replicated items are referenced 70 to 74U, and they appear outside the box 32 to indicate they are not part of the prior art network. The access point AP2 communicates via a link 62 with a second SMVI 70, which implements a switch, management of virtual WANs (VWANs) and Internet Authentication Service (IAS) proxy software. The second SMVI 70 communicates via respective RADIUS-only firewalls FR3 and FR4 with classified “C” and unclassified “U” wireless RADIUS servers 72C and 72U linked with respective certificate servers “CS” 74C and 74U. The certificate servers 74C and 74U communicate with respective offline certificate servers 76C and 76U, which in turn communicate offline with the root certificate server 58.
The embodiment 30 operates as follows. At this point, the software applications 34, 36 and 38 are treated as part of the wired prior art network 32 as they make use of wired links 34c, 36a and 38b to communicate with it. The first SMVI 50 communicates with the C client 34 and U client 38 via the 802.1x sub-box (a software application) to the right in each case: this indicates that communications from both of these applications are authenticated; however, the absence of a VPN FW sub-box in each of the message paths from the C client and U client software applications 34 and 38 via links 34c and 38b to the first SMVI 50 indicates that communications from these applications are not VPN encrypted, and so they are only appropriate for directly wired access via paths 34c and 38b. The first SMVI 50 denies all clients access to the classified VWAN virtual connection 60C and to the unclassified VWAN connection 60U until they have been authenticated. The SMVI 50 forwards the authentication of U client 38 to the U RADIUS server 52U via the firewall FR2, which allows only RADIUS traffic to pass through in either direction. If authenticated by the U RADIUS server 52U, U client 38 is allowed access to the unclassified VWAN via virtual connection 60U. Similarly, if authenticated by the C RADIUS server 52C, C client 34 is allowed access to the classified VWAN via virtual connection 60C.
The unauthorised client 36 has no 802.1x sub-box with an appropriate certificate, and so communications from it to the first SMVI 50 via the wired I/O link 36a are not authenticated. Consequently, the first SMVI 50 denies the unauthorised client 36 access both to the classified VWAN and to the unclassified VWAN.
The clients 34 and 38 are now treated as not being part of the prior art network 32. A communication from the C client 34 passes to the access point AP2 from its 802.11+802.1x sub-box (software application). The VPN FW sub-box between the C client 34 and the 802.11+802.1x sub-box indicates that subsequent communications will be VPN encrypted. Via the link 62, the communication passes for authentication to the second SMVI 70, which initiates authentication using the classified wireless C RADIUS server 72C and certificate server 74C via the RADIUS-only firewall FR3. If authenticated by the server 72C, the C client 34 is allowed access to the firewall F7, which checks its VPN credentials and, if appropriate, allows it access to the classified VWAN via virtual connection 60C.
The C client 34 can also communicate with the firewall F7 by dial-up telephone access using its I/O link 34b, to which a communication passes via its VPN FW sub-box only, indicating that such a communication is VPN encrypted but not otherwise authenticated. The firewall F7 checks the communication's VPN credentials and if appropriate allows it access to the classified VWAN.
Communications from the U client 38 pass via its 802.11+802.1x sub-box to the access point AP2, indicating that such communications are authenticated but not VPN encrypted. Via an analogous authentication route using firewall FR4 and the unclassified U RADIUS and certificate servers 72U and 74U, it is authenticated and given access to the unclassified VWAN 60U.
Communications from the Other client 40 pass to the access point AP2 via an 802.11 sub-box only. They do not have 802.1x authentication. They have WEP encryption, to which the access point AP2 has a key. The access point AP2 notes the absence of 802.1x authentication in these communications, and instructs the SMVI 70 to pass them only towards firewall F8 and thence to the Internet. One use of such technology would be to permit laptop computers owned by a different organisation to the one owning the infrastructure depicted in
Referring now to
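The access decisions described above (the first SMVI 50 on wired links, access point AP2 and the second SMVI 70 on wireless links, and firewall F7 on the VPN-encrypted paths) can be modelled as a small policy engine. The following is an added example and is not code from the patent or its applicant: the component names are those used in the text, while the `Client` attributes, the firewall label `FR1` for the classified wired RADIUS path (the text names only FR2 for the unclassified one), and the behaviour of AP2 towards a client without the shared WEP key are assumptions.

```python
# Added policy model (not the patent's own code) of the SMVI / AP2 / F7 decisions.
# Component names follow the text; Client attributes and FR1 are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Path(Enum):
    WIRED = "wired"        # direct link to the first SMVI 50 (links 34c, 36a, 38b)
    WIRELESS = "wireless"  # via access point AP2, link 62 and the second SMVI 70
    DIALUP = "dialup"      # via the PSTN straight to firewall F7 (link 34b)


class Net(Enum):
    CLASSIFIED_VWAN = "VWAN 60C"
    UNCLASSIFIED_VWAN = "VWAN 60U"
    INTERNET = "Internet via F8"
    DENY = "denied"


@dataclass(frozen=True)
class Client:
    name: str
    clearance: str        # "C" or "U": which RADIUS server the SMVI forwards to
    has_8021x_cert: bool  # 802.1x sub-box with a certificate the RADIUS server accepts
    has_vpn: bool         # VPN FW sub-box: can present VPN credentials to F7
    has_wep_key: bool     # shares AP2's WEP key (the "Other" client 40)


def radius_only_firewall(fw: str, protocol: str, trace: List[str]) -> bool:
    """FR2, FR3 and FR4 pass RADIUS traffic only, in either direction."""
    ok = protocol == "RADIUS"
    trace.append(f"{fw}: {'pass' if ok else 'drop'} {protocol}")
    return ok


def radius_authenticate(client: Client, server: str, fw: str, trace: List[str]) -> bool:
    """Forward the 802.1x authentication through a RADIUS-only firewall to a RADIUS server."""
    if not radius_only_firewall(fw, "RADIUS", trace):
        return False
    ok = client.has_8021x_cert
    trace.append(f"{server}: {'accept' if ok else 'reject'} {client.name}")
    return ok


def decide(client: Client, path: Path) -> Tuple[Net, List[str]]:
    """Return the network the client reaches and the trace of checks applied."""
    trace: List[str] = []
    if path is Path.WIRED:
        trace.append("SMVI 50: no VWAN access until authenticated")
        if not client.has_8021x_cert:
            trace.append("SMVI 50: no 802.1x sub-box, not authenticated")
            return Net.DENY, trace
        if client.clearance == "C":
            # FR1 is assumed by analogy with FR2; the text names only FR2 (for 52U)
            ok = radius_authenticate(client, "RADIUS 52C", "FR1 (assumed)", trace)
            return (Net.CLASSIFIED_VWAN if ok else Net.DENY), trace
        ok = radius_authenticate(client, "RADIUS 52U", "FR2", trace)
        return (Net.UNCLASSIFIED_VWAN if ok else Net.DENY), trace

    if path is Path.WIRELESS:
        if not client.has_8021x_cert:
            # No 802.1x: AP2 instructs SMVI 70 to forward towards F8 / Internet only.
            # Discarding frames that lack the shared WEP key is an assumption.
            if not client.has_wep_key:
                trace.append("AP2: cannot decrypt without WEP key, discarded")
                return Net.DENY, trace
            trace.append("AP2: no 802.1x, SMVI 70 told to forward to F8 only")
            return Net.INTERNET, trace
        if client.clearance == "C":
            if not radius_authenticate(client, "RADIUS 72C", "FR3", trace):
                return Net.DENY, trace
            # Classified wireless access is additionally gated on VPN credentials at F7
            if not client.has_vpn:
                trace.append("F7: no VPN credentials, dropped")
                return Net.DENY, trace
            trace.append("F7: VPN credentials accepted")
            return Net.CLASSIFIED_VWAN, trace
        ok = radius_authenticate(client, "RADIUS 72U", "FR4", trace)
        return (Net.UNCLASSIFIED_VWAN if ok else Net.DENY), trace

    # DIALUP: VPN encrypted but not 802.1x authenticated; F7 alone decides
    trace.append("PSTN link -> F7")
    if client.has_vpn:
        trace.append("F7: VPN credentials accepted")
        return Net.CLASSIFIED_VWAN, trace
    trace.append("F7: no VPN credentials, dropped")
    return Net.DENY, trace


# Constructed clients mirroring 34, 36, 38 and 40 in the figure
C_CLIENT = Client("C client 34", "C", True, True, False)
UNAUTHORISED = Client("unauthorised client 36", "U", False, False, False)
U_CLIENT = Client("U client 38", "U", True, False, False)
OTHER = Client("Other client 40", "U", False, False, True)
```

Calling `decide(C_CLIENT, Path.WIRELESS)` returns `Net.CLASSIFIED_VWAN` together with a trace showing FR3, RADIUS 72C and the F7 VPN check in sequence, whereas the same client without a VPN FW sub-box is dropped at F7 even though its 802.1x authentication succeeded; the trace makes it easy to confirm that every path to the classified VWAN passes at least one authentication and that a client with neither 802.1x nor VPN credentials can reach nothing but the Internet firewall F8.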
It is possible to provide a further degree of protection for computer-based communications in accordance with the invention. A laptop may be stolen while it is in use, e.g. while its user is temporarily absent from his or her workstation. A laptop containing stored certificates may be stolen after its user has entered a cryptographic key to access the laptop's hard disk. In such circumstances, encryption of the hard disk and other well-known protective techniques will fail to provide security for the laptop's contents. However, the security threat posed by laptop theft may be counteracted by techniques known for other purposes: programming techniques and software are known which screen lock a computer when its authorised user leaves it unattended, e.g. using Radio-Frequency Identification (RFID) tags. Such techniques may also be adopted to provide security for the contents of a stolen laptop, and in particular for certificates stored on the laptop's hard disk.
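A presence-based lock of the kind referred to above, as an added example that is not part of the patent: it goes slightly beyond the screen lock the text mentions in that, when the authorised user's tag is no longer seen within a timeout, it also overwrites and discards the certificate private keys that were decrypted into memory while the session was open, and it will not reopen the session on the tag alone. The tag identifier, timeout, key bytes and reader output are all constructed.

```python
# Added example (not the patent's own code): presence lock that purges decrypted
# certificate key material when the user's RFID tag stops being seen.
from typing import Dict, List, Optional, Tuple


class KeyCache:
    """Private keys decrypted from the protected hard disk while the session is open."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytearray] = {}

    def load(self, name: str, key: bytes) -> None:
        self._keys[name] = bytearray(key)

    def purge(self) -> None:
        # Overwrite before discarding so the plaintext does not linger in the buffer
        for buf in self._keys.values():
            for i in range(len(buf)):
                buf[i] = 0
        self._keys.clear()

    def __len__(self) -> int:
        return len(self._keys)


class PresenceLock:
    def __init__(self, user_tag: str, timeout_s: float, cache: KeyCache) -> None:
        self.user_tag = user_tag
        self.timeout_s = timeout_s
        self.cache = cache
        self.locked = True
        self.last_seen: Optional[float] = None

    def unlock(self, now: float, tag: str, passphrase_ok: bool) -> bool:
        """Unlocking needs both the tag and the disk passphrase, never the tag alone."""
        if tag == self.user_tag and passphrase_ok:
            self.locked = False
            self.last_seen = now
        return not self.locked

    def sighting(self, now: float, tag: Optional[str]) -> None:
        """Reader callback: only the authorised user's tag refreshes presence."""
        if tag == self.user_tag:
            self.last_seen = now

    def tick(self, now: float) -> bool:
        """Called periodically; returns True if the session is locked after this tick."""
        expired = self.last_seen is None or now - self.last_seen > self.timeout_s
        if not self.locked and expired:
            self.locked = True
            self.cache.purge()  # keys gone before a thief can use the open session
        return self.locked


def simulate(readings: List[Tuple[float, Optional[str]]],
             timeout_s: float) -> Tuple[Optional[float], int]:
    """Feed constructed reader output; return (time the lock engaged, keys left)."""
    cache = KeyCache()
    lock = PresenceLock("TAG-0001", timeout_s, cache)
    lock.unlock(0.0, "TAG-0001", passphrase_ok=True)
    cache.load("client-cert-key", b"\x11" * 32)  # constructed placeholder key bytes
    locked_at: Optional[float] = None
    for t, tag in readings:
        lock.sighting(t, tag)
        if lock.tick(t) and locked_at is None:
            locked_at = t
    return locked_at, len(cache)


# Constructed reader output: tag seen every 5 s, then the user walks away after t=10
READINGS = [(0.0, "TAG-0001"), (5.0, "TAG-0001"), (10.0, "TAG-0001"),
            (15.0, None), (20.0, None), (25.0, None), (30.0, None)]
```

With a 12 s timeout `simulate(READINGS, 12.0)` engages the lock at t=25 and leaves no key in memory; with a 30 s timeout the session stays open for the whole constructed trace, which illustrates that the timeout is the parameter that bounds how long a walked-away laptop still holds usable certificate keys.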
It is a straightforward matter presenting no difficulty to those of ordinary skill in the art of computerised communications to produce appropriate computer software for implementing the computer-based communications system embodiments described herein. Such software may be recorded on carrier media for running on a conventional computerised communications network. It may be implemented without requiring invention, because individual procedures described above are well known. Such software and communications system will therefore not be described further.
Number | Date | Country | Kind |
---|---|---|---|
0424292.1 | Nov 2004 | GB | national |
0426774.6 | Dec 2004 | GB | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/GB05/04057 | 10/21/2005 | WO | 00 | 5/1/2007 |