Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-06-30
2004-03-02
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C380S247000, C379S142010, C379S142050, C370S385000, C370S356000
Reexamination Certificate
active
06701439
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to the art of internet protocols and, more specifically, to providing call rejection in the case of potential hackers or faulty internet telephony.
Typically, internet and data networks use a number of challenges and password routines on dial-up connections to ensure that hackers or otherwise unauthorized users cannot enter these networks using an assumed identity of another. On privileged access connections, such as wide area network (WAN) connections using frame relay or asynchronous transfer mode (ATM), the users are often assumed to be secure users or within the privileges defined by a firewall. The firewall is a sub-system of computer software and/or hardware that intercepts data packets before allowing them into or out of a data network, such as a local area network (LAN). The firewall makes decisions on whether or not to allow data to pass based upon a security policy.
Likewise, with tunneling protocols that allow dial-up connections to be transferred over WANs, a mixture of dial-up challenges, passwords and fraud detection programs are used to protect the network from hackers. Generally, tunneling, also known as encapsulation, refers to the practice of encapsulating a message from one protocol in a second, and using the facilities of the second protocol to traverse some number of network hops. In other words, the data packets are “wrapped” with another protocol so that they can pass through firewalls and then “unwrapped” once they reach their destination. This means that the user has a way to securely work through firewalls so that he can access network resources as if the firewalls do not exist.
Typically, however, in these tunneling protocols, such as layer 2 tunneling protocol (L2TP), which is the emerging Internet Engineering Task Force (IETF) standard, the tunnel is torn down when a hacker is suspected on the connection. Since many users share the same tunnel, this affects the service of many users. Moreover, it does not allow the opportunity to discover the true identity of the hacker, and typically the data network is not otherwise equipped with the proper resources or capability to accurately identify or surveil the hacker.
Additionally, in the case of, e.g., internet telephony, when a call is faulty or a data network handling the call is otherwise unable to handle the call due to, perhaps, routing problems, congestion, or the like, the call is merely dropped. This limitation is particularly significant in the case of toll calls where an access charge is paid even though ultimately the call is dropped and not completed.
The present invention contemplates a new and improved call rejection technique and/or protocol which overcomes the above-referenced problems and others.
SUMMARY OF THE INVENTION
In accordance with one aspect of the present invention, a method of call rejection is provided for use in connection with a data network. It includes establishing a point-of-presence which serves as a termination point for receiving calls from clients. Received calls are then multiplexed into a tunnel as separate identifiable tunnel sessions. The tunnel sessions are received at a network server of the data network. Next, it is determined for each tunnel session if access to the data network is to be denied. If access is denied, then a call rejection message is returned to the point-of-presence via the tunnel.
In accordance with a more limited aspect of the present invention, the point-of-presence is established at a telephone company central office having a telecommunications switch which is connected to a public switched telephone network.
In accordance with a more limited aspect of the present invention, the call rejection message identifies the tunnel session for which access is denied.
In accordance with a more limited aspect of the present invention, the call rejection message identifies a reason for access denial.
In accordance with a more limited aspect of the present invention, the method further includes receiving and interpreting the call rejection message at the point-of-presence. Then, the switch is controlled in response to the call rejection message.
In accordance with a more limited aspect of the present invention, if the reason for access denial is suspected intrusion into the data network by an unauthorized entity, then the method further includes holding the tunnel session identified until a call trace is completed.
In accordance with a more limited aspect of the present invention, if the reason for access denial is suspected intrusion into the data network by an unauthorized entity, then controlling the switch includes at least one of the following: identifying a phone number from which the unauthorized entity is calling; marking the unauthorized entity's line; monitoring the unauthorized entity's line; disconnecting the unauthorized entity's telephone service; blocking calls from the unauthorized entity; and/or reporting activities of the unauthorized entity to governmental or regulatory authorities or operators of the data network or operators of other data networks.
In accordance with a more limited aspect of the present invention, the method further includes storing telephone numbers from which unauthorized entities attempt to access the data network.
In accordance with a more limited aspect of the present invention, if the reason for access denial is an inability of the data network to handle an internet telephony call, then controlling the switch includes cranking back the call to reroute it.
In accordance with another aspect of the present invention, a call rejection system for use by a data network is provided. It includes a local access concentrator located at a point-of-presence for the data network. A tunnel is supported at one end by the local access concentrator and at an opposing end by a network server for the data network. A call rejection interface runs on the network server. In response to a tunnel session for which access to the data network is denied, the call rejection interface returns, via the tunnel, a call rejection message to the point-of-presence.
In accordance with a more limited aspect of the present invention, the local access concentrator includes a pool of voice band modems which act as a termination point for incoming analog calls. Also included is a multiplexer which multiplexes multiple incoming calls into the tunnel as separate identifiable tunnel sessions.
In accordance with a more limited aspect of the present invention, the data network is an internet service provider.
In accordance with a more limited aspect of the present invention, the tunnel employs layer two tunneling protocol.
In accordance with a more limited aspect of the present invention, the call rejection message identifies the tunnel session and indicates a reason for denying access.
In accordance with a more limited aspect of the present invention, the tunnel includes a control channel over which the call rejection message is returned. The control channel is secure from tunnel sessions.
In accordance with a more limited aspect of the present invention, the point-of-presence is a telephone company central office having a telecommunications switch which is connected to a public switched telephone network.
In accordance with a more limited aspect of the present invention, the system further includes a control processor located at the point-of-presence. The control processor receives and interprets returned call rejection messages and in response thereto controls the switch to take a course of action based on the identified tunnel session and the reason for denying access.
In accordance with a more limited aspect of the present invention, if the reason for denying access is suspected intrusion into the data network by an unauthorized entity, then the course of action includes employing fraud detection and nuisance reporting features of the telephone switch to discourage the unauthorized entity from attempting to access the data network and to surveil the unauthorized entity.
In accor
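The per-session exchange the summary describes, modelled as an added example (not the patent's or Lucent's code): the network server screens each tunnel session and returns a rejection message naming the session and the reason; the control processor at the point-of-presence either holds that one session for a trace or cranks the call back for rerouting, while the shared tunnel stays up. The wire format, the `REJ` tag, the blocklist and the calling numbers are constructed assumptions, not L2TP message types.

```python
from dataclasses import dataclass
from enum import Enum

class Reason(Enum):
    SUSPECTED_INTRUSION = 1   # hold the session and trace the caller
    CANNOT_HANDLE_CALL = 2    # crank back so the switch can reroute the call

@dataclass(frozen=True)
class CallRejection:
    session_id: int
    reason: Reason

MAGIC = b"REJ"  # hypothetical control-channel tag, not an L2TP message type

def encode_rejection(msg: CallRejection) -> bytes:
    """Tag + 16-bit tunnel session id + 8-bit reason code (constructed format)."""
    return MAGIC + msg.session_id.to_bytes(2, "big") + bytes([msg.reason.value])

def decode_rejection(raw: bytes) -> CallRejection:
    if len(raw) != 6 or raw[:3] != MAGIC:
        raise ValueError("malformed call rejection message")
    return CallRejection(int.from_bytes(raw[3:5], "big"), Reason(raw[5]))

def screen_session(session_id: int, caller: str, blocklist: set, congested: bool):
    """Network server side: decide per session; None means the session is admitted."""
    if caller in blocklist:
        return encode_rejection(CallRejection(session_id, Reason.SUSPECTED_INTRUSION))
    if congested:
        return encode_rejection(CallRejection(session_id, Reason.CANNOT_HANDLE_CALL))
    return None

class ControlProcessor:
    """Point-of-presence side: interprets rejections and directs the switch per session."""
    def __init__(self, sessions: dict):
        self.sessions = sessions       # session id -> calling number (constructed sample)
        self.held = set()              # sessions held open until the call trace completes
        self.flagged_numbers = set()   # stored numbers of rejected intruders
        self.crankbacks = []           # sessions handed back to the switch for rerouting

    def handle(self, raw: bytes) -> str:
        msg = decode_rejection(raw)
        if msg.session_id not in self.sessions:
            return "ignored"           # unknown session: never tear down the whole tunnel
        if msg.reason is Reason.SUSPECTED_INTRUSION:
            self.held.add(msg.session_id)
            self.flagged_numbers.add(self.sessions[msg.session_id])
            return "hold_for_trace"
        self.crankbacks.append(msg.session_id)
        return "crankback"
```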
Lucent Technologies - Inc.
Nobahar A.
Peeso Thomas R.