Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling
Reexamination Certificate
1998-04-15
2001-03-06
Vu, Viet D. (Department: 2154)
C709S219000, C709S223000, C709S225000, C709S227000, C713S152000
active
06199113
ABSTRACT:
I. BACKGROUND OF THE INVENTION
A. Field of the Invention
The present invention relates generally to network security, and in particular to apparatus and methods for authenticating a user for allowing access to resources on a trusted network.
B. Description of the Prior Art
Trusted networks provide security by limiting access to network resources, controlling the information that passes to, from, and between those resources. For example, information transfer may be controlled by user identification and authentication, access security levels, and physical measures.
Protecting data residing in a company's trusted network is paramount. The most difficult security situations arise when the public is given access to the trusted network, such as through the Internet. Web servers residing between the trusted network and the Internet provide access to databases or legacy applications residing within the trusted network, and may provide unauthorized access to the trusted network from the Internet. Several techniques have been used to make trusted networks more secure from unauthorized access.
Firewalls are one of the most common forms of security. A firewall is a system or structure that limits outside access to a trusted network by limiting the path through which information may flow. For example, whenever the outside web server needs access to the trusted network, the web server submits a request through a firewall port. The port only allows certain protocols, such as HTML, to a specific machine on the trusted network. Firewalls alone are not adequate, however, because they control access based on the location of the user, rather than the identity of the user.
Middleware is also frequently used. Middleware replaces general protocols, such as HTML and SQL, with application-specific protocols. For example, an application issues a request for services in an application-specific form to the middleware residing in the trusted network. The middleware then receives the request and translates it to a general protocol understood by the server. Intruders, however, can monitor communications between the outside web server and trusted network server, and eventually identify the protocol and patterns of the packets being handled by the middleware. Based on the protocol and patterns, an intruder can access the network to request a service.
To prevent an intruder from monitoring communications, encryption can be incorporated into the architecture. Although effective, encryption does not prevent an intruder from breaching security.
Because no security architecture is 100% secure, multiple security measures are often combined. One approach uses a sub-network that isolates databases from the trusted network. If an intruder gains access into the subnet, the worst that can happen is data residing within the subnet is compromised, but the rest of the trusted network remains secure. This scenario may be adequate in cases where there is no need to interface with other databases or legacy systems within the trusted network.
FIG. 1 is a block diagram showing a typical trusted network security system. The goal of the system is to ensure that resources on trusted network 138 are not improperly accessed by outside entities, such as client browser 110. Access to trusted network 138 is limited in several ways.
Firewall 118 is the first line of defense for providing security to trusted network 138. Firewall 118 may, for example, limit the types of protocol transferred from Internet 114 to DMZ network 122. Web host 126 processes URL requests from client browser 110, and forms a request that is sent over trusted network 138 to database server 142. The request is sent through firewall 130, which provides yet another line of defense. Firewall 130 may also limit the types of information sent by web host 126 to database server 142.
Database server 142 performs a further level of security by ensuring that it only processes requests received from web host 126. When web host 126 makes a request, web host 126 also sends a web server identity code with the request. Database server 142 checks the identifier to authenticate that the request is from web host 126. If database server 142 determines that the request is from web host 126, database server 142 retrieves the requested information from database 134, and returns the information to web host 126. Web host 126 transmits the requested information to client browser 110 over DMZ network 122 and Internet 114.
Although firewalls 118 and 130, and authentication of web host 126 by database server 142, provide some security, it is still possible for an intruder to breach security and improperly access resources on the network, such as DB 134. The user at client browser 110 may repeatedly attempt various combinations of access to trusted network 138 until one is found that breaks through the system. Therefore, breaches of security are still possible even with two firewalls and the web server verification performed by database server 142. What is needed then is a higher level of security for trusted network 138 in order to allow access by users on the Internet in a controlled and secure manner.
II. SUMMARY OF THE INVENTION
The present invention relates to trusted networks, and in particular to a method and apparatus for raising security levels of the trusted network.
A system consistent with the present invention comprises a device for processing an original request and key from a requester to form a network request; a device for transferring the network request to a trusted network; a device for processing the network request to extract the key and original request if the request was processed by the device for processing a request and key; and a device for performing the original request if the key is valid.
A method consistent with the present invention comprises processing an original request and key from a requester to form a network request; transferring the network request to a trusted network; processing the network request to extract the key and original request if the request was processed in the step of processing an original request and key; and performing the original request if the key is valid.
Another system for providing access to a resource, consistent with the present invention, comprises a device for storing a key based on requester authentication; a device for forwarding the key to the requester; a device for receiving an original request and the key from the requester; a device for processing the original request and the key from the requester to form a network request; a device for transferring the network request to a trusted network; a device for processing the network request to extract the key if the network request was processed by the device for processing the original request and the key; and a device for performing the original request if the key is valid.
Another method for providing access to a resource, consistent with the present invention, comprises storing a key based on requester authentication; forwarding the key to the requester; receiving an original request and the key from the requester; processing the original request and the key from the requester to form a network request; transferring the network request to a trusted network; processing the network request to extract the key if the network request was processed by the device for processing the original request and the key; and performing the original request if the key is valid.
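The following is an added example, not code from the patent or from Sun Microsystems, that models the request and key flow of the two methods above end to end: a key is stored when the requester authenticates and forwarded to the requester; the web host combines the original request and the key into a network request; the trusted side extracts the key and request only if the network request was formed by the web host, validates the key, and performs the request only if the key is valid. The patent does not specify how any of these steps are realised, so the following are assumptions made here: the network request is a JSON envelope bound with an HMAC under a secret shared by the web host and the trusted side (this binding plays the role of the web server identity code from FIG. 1), keys are random tokens with a fixed lifetime, and the credentials, the database contents and the `KeyStore`, `form_network_request` and `handle_network_request` names are all constructed for the example.

```python
"""Added example of the request/key flow from the Summary of the Invention.
Assumptions (not from the patent): JSON envelope + HMAC binding, random
expiring keys, constructed credentials and database contents."""
import hashlib
import hmac
import json
import secrets
import time

# Secret shared between the web host (DMZ) and the trusted-network side; an
# assumption standing in for the web server identity code of FIG. 1.
WEB_HOST_SECRET = b"constructed-shared-secret-for-example-only"
KEY_LIFETIME = 600  # seconds a key stays valid after authentication (constructed)


class KeyStore:
    """Device for storing a key based on requester authentication."""

    def __init__(self, credentials, now=time.time):
        self._credentials = credentials  # {user: password}, constructed sample data
        self._keys = {}                  # key -> (user, expiry time)
        self._now = now                  # injectable clock so expiry can be tested

    def authenticate(self, user, password):
        """Return a fresh key to forward to the requester, or None if login fails."""
        stored = self._credentials.get(user, "").encode()
        if not hmac.compare_digest(stored, password.encode()):
            return None
        key = secrets.token_hex(16)
        self._keys[key] = (user, self._now() + KEY_LIFETIME)
        return key

    def is_valid(self, key):
        """True only for a key that was issued here and has not expired."""
        entry = self._keys.get(key)
        if entry is None:
            return False
        if self._now() >= entry[1]:
            del self._keys[key]  # drop expired keys so they cannot be replayed later
            return False
        return True


def form_network_request(original_request, key):
    """Web host side: process the original request and key into a network request."""
    body = json.dumps({"host": "web-host-126", "key": key, "request": original_request},
                      sort_keys=True)
    tag = hmac.new(WEB_HOST_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def extract_key_and_request(network_request):
    """Trusted side: return (key, original_request) only if the request was formed
    by the web host, i.e. its tag verifies under the shared secret; else None."""
    body = network_request.get("body", "")
    expected = hmac.new(WEB_HOST_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, network_request.get("tag", "")):
        return None
    envelope = json.loads(body)
    return envelope["key"], envelope["request"]


DATABASE = {"account/42": {"balance": 100}}  # constructed stand-in for database 134


def perform_request(original_request):
    """Device for performing the original request against the protected resource."""
    return DATABASE.get(original_request)


def handle_network_request(key_store, network_request):
    """Trusted-side pipeline: extract, validate the key, then perform.
    Returns (status, result); result is None unless status is "ok"."""
    extracted = extract_key_and_request(network_request)
    if extracted is None:
        return "rejected: not from web host", None
    key, original_request = extracted
    if not key_store.is_valid(key):
        return "rejected: invalid key", None
    return "ok", perform_request(original_request)


def demo():
    """Walk through a valid request, a request with a bogus key, and a request
    that did not pass through the web host. Returns the three outcomes."""
    store = KeyStore({"alice": "constructed-password"})
    key = store.authenticate("alice", "constructed-password")
    good = handle_network_request(store, form_network_request("account/42", key))
    bad_key = handle_network_request(store, form_network_request("account/42", "not-a-key"))
    unwrapped = form_network_request("account/42", key)
    unwrapped["tag"] = "0" * 64  # envelope not produced by the web host
    not_from_host = handle_network_request(store, unwrapped)
    return good, bad_key, not_from_host


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The two checks on the trusted side are deliberately ordered: a request that did not come through the web host is discarded before its key is even looked at, so the key store is never consulted on behalf of traffic that bypassed the DMZ, and a request with a valid wrapper but an unknown or expired key is still refused before it reaches the database.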
The invention overcomes the problems of conventional prior art systems described above. Additional advantages of the invention are apparent from the description which follows, and may be learned by practice of the invention. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of th
Alegre Alfred A.
Sha Rong Q.
Soley William R.
Finnegan Henderson Farabow Garrett & Dunner L.L.P.
Sun Microsystems Inc.
Vu Viet D.
Apparatus and method for providing trusted network security