Distributed administration of access to information

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate

C713S152000, C345S215000

Reexamination Certificate

active

06785728

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention relates generally to control of access to data and relates more specifically to control of access to data in a distributed environment.
2. Description of Related Art
The Internet has revolutionized data communications. It has done so by providing protocols and addressing schemes which make it possible for any computer system anywhere in the world to exchange information with any other computer system anywhere in the world, regardless of the computer system's physical hardware, the kind of physical network it is connected to, or the kinds of physical networks that are used to send the information from the one computer system to the other computer system. All that is required for the two computer systems to exchange information is that each computer system have an Internet address and the software necessary for the protocols and that there be a route between the two machines by way of some combination of the many physical networks that may be used to carry messages constructed according to the protocols.
The very ease with which computer systems may exchange information via the Internet has, however, caused problems. On the one hand, it has made accessing information easier and cheaper than it ever was before; on the other hand, it has made it much harder to protect information. The Internet has made it harder to protect information in two ways:
It is harder to restrict access. If information may be accessed at all via the Internet, it is potentially accessible to anyone with access to the Internet. Once there is Internet access to information, blocking skilled intruders becomes a difficult technical problem.
It is harder to maintain security en route through the Internet. The Internet is implemented as a packet switching network. It is impossible to predict what route a message will take through the network. It is further impossible to ensure the security of all of the switches, or to ensure that the portions of the message, including those which specify its source or destination, have not been read or altered en route.
FIG. 1 shows techniques presently used to increase security in networks that are accessible via the Internet. FIG. 1 shows network 101, which is made up of two separate internal networks 103(A) and 103(B) that are connected by Internet 111. Networks 103(A) and 103(B) are not generally accessible, but are part of the Internet in the sense that computer systems in these networks have Internet addresses and employ Internet protocols to exchange information. Two such computer systems appear in FIG. 1 as requestor 105 in network 103(A) and server 113 in network 103(B). Requestor 105 is requesting access to data which can be provided by server 113. Attached to server 113 is a mass storage device 115 that contains data 117 which is being requested by requestor 105. Of course, for other data, server 113 may be the requestor and requestor 105 the server. Moreover, access is to be understood in the present context as any operation which can read or change data stored on server 113 or which can change the state of server 113. In making the request, requestor 105 is using one of the standard TCP/IP protocols. As used here, a protocol is a description of a set of messages that can be used to exchange information between computer systems. The actual messages that are sent between computer systems that are communicating according to a protocol are collectively termed a session. During the session, requestor 105 sends messages according to the protocol to server 113's Internet address and server 113 sends messages according to the protocol to requestor 105's Internet address. Both the request and the response will travel between internal networks 103(A) and 103(B) by Internet 111. If server 113 permits requestor 105 to access the data, some of the messages flowing from server 113 to requestor 105 in the session will include the requested data 117. The software components of server 113 which respond to the messages as required by the protocol are termed a service.
If the owner of internal networks 103(A and B) wants to be sure that only users of computer systems connected directly to networks 103(A and B) can access data 117 and that the contents of the request and response are not known outside those networks, the owner must solve two problems: making sure that server 113 does not respond to requests from computer systems other than those connected to the internal networks, and making sure that people with access to Internet 111 cannot access or modify the request and response while they are in transit through Internet 111. Two techniques which make it possible to achieve these goals are firewalls and tunneling using encryption.
Conceptually, a firewall is a barrier between an internal network and the rest of Internet 111. Firewalls appear at 109(A) and (B). Firewall 109(A) protects internal network 103(A) and firewall 109(B) protects internal network 103(B). Firewalls are implemented by means of a gateway running in a computer system that is installed at the point where an internal network is connected to the Internet. Included in the gateway is an access filter: a set of software and hardware components in the computer system which checks all requests from outside the internal network for information stored inside the internal network and only sends a request on into the internal network if it is from a source that has the right to access the information. Otherwise, it discards the request. Two such access filters, access filter 107(A) and access filter 107(B), appear in FIG. 1.
A source has the right to access the requested information if two questions can be answered affirmatively:
Is the source in fact who or what it claims to be?
Does the source have the right to access the data?
The process of finding the answer to the first question is termed authentication. A user authenticates himself or herself to the firewall by providing information to the firewall that identifies the user. Among such information is the following:
information provided by an authentication token (sometimes called a smart card) in the possession of the user,
the operating system identification for the user's machine; and
the IP address and the Internet domain name of the user's machine.
The information that the firewall uses for authentication can either be in band, that is, it is part of the protocol, or it can be out of band, that is, it is provided by a separate protocol.
As is clear from the above list of identification information, the degree to which a firewall can trust identification information to authenticate a user depends on the kind of identification information. For example, the IP address in a packet can be changed by anyone who can intercept the packet; consequently, the firewall can put little trust in it, and authentication by means of the IP address is said to have a very low trust level. On the other hand, when the identification information comes from a token, the firewall can give the identification a much higher trust level, since the token would fail to identify the user only if it had come into someone else's possession. For a discussion of authentication generally, see S. Bellovin and W. Cheswick, Firewalls and Internet Security, Addison Wesley, Reading, Mass., 1994.
In modern access filters, access is checked at two levels: the Internet packet, or IP, level and the application level. Beginning with the IP level, the messages used in Internet protocols are carried in packets called datagrams. Each such packet has a header which contains information indicating the source and destination of the packet. The source and destination are each expressed in terms of IP address and port number. A port number is a number from 1 to 65535 used to individuate multiple streams of traffic within a computer. Services for well-known Internet protocols (such as HTTP or FTP) are assign
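The two checks the background describes, an IP-level check of the datagram header (source and destination address and port) and an authentication step whose trust level depends on the kind of identification information, can be combined into a small access filter. The following is an added illustration written for this page, not code from the patent; the rule table, the internal network prefix 10.1.0.0/16, the ordering of trust levels and the idea of attaching an out-of-band authentication method to each datagram are all assumptions made for the example.

```python
"""Toy access filter for a gateway between an internal network and the Internet.

Added example, not the patent's own implementation. It checks, in order:
  1. that the datagram header is well formed (valid addresses, ports 1..65535),
  2. that the destination port belongs to a service the filter knows about,
  3. that the source address lies inside the internal network allowed for that service,
  4. that the identification information presented has a high enough trust level.
Any failure discards the request, mirroring "otherwise, it discards the request".
"""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import AddressValueError, ip_address, ip_network


class TrustLevel(IntEnum):
    """Ordering assumed from the text: an IP address is easily forged, a token is hardest."""
    IP_ADDRESS = 1     # source address in the packet header only
    OS_IDENTITY = 2    # operating-system identification of the user's machine
    TOKEN = 3          # authentication token (smart card) in the user's possession


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    # Out-of-band identification presented to the gateway (assumption for the example).
    auth_method: TrustLevel


@dataclass(frozen=True)
class Rule:
    allowed_sources: str   # CIDR prefix of the internal network permitted to reach the service
    min_trust: TrustLevel  # lowest trust level the service accepts


# Constructed rule table keyed by destination port; the prefix and thresholds are assumptions.
RULES = {
    80: Rule("10.1.0.0/16", TrustLevel.IP_ADDRESS),   # HTTP: address-based check suffices here
    21: Rule("10.1.0.0/16", TrustLevel.TOKEN),        # FTP: require a token-backed identity
}


def validate_header(d: Datagram):
    """Return None if the header fields are well formed, else a reason string."""
    for port in (d.src_port, d.dst_port):
        if not 1 <= port <= 65535:
            return "malformed port number"
    for addr in (d.src_ip, d.dst_ip):
        try:
            ip_address(addr)
        except (AddressValueError, ValueError):
            return "malformed IP address"
    return None


def access_filter(d: Datagram, rules=RULES):
    """Decide ('allow' | 'deny', reason) for one datagram arriving from outside."""
    err = validate_header(d)
    if err is not None:
        return ("deny", err)
    rule = rules.get(d.dst_port)
    if rule is None:
        return ("deny", "no service registered on destination port")
    if ip_address(d.src_ip) not in ip_network(rule.allowed_sources):
        return ("deny", "source outside the internal network")
    if d.auth_method < rule.min_trust:
        return ("deny", "authentication trust level too low for this service")
    return ("allow", "")


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Datagram("10.1.2.3", "10.1.0.10", 40000, 80, TrustLevel.IP_ADDRESS),
        Datagram("10.1.2.3", "10.1.0.10", 40001, 21, TrustLevel.IP_ADDRESS),
        Datagram("10.1.2.3", "10.1.0.10", 40002, 21, TrustLevel.TOKEN),
        Datagram("192.0.2.5", "10.1.0.10", 40003, 80, TrustLevel.TOKEN),
        Datagram("10.1.2.3", "10.1.0.10", 0, 80, TrustLevel.TOKEN),
    ]
    for s in samples:
        print(s.src_ip, s.dst_port, s.auth_method.name, "->", access_filter(s))
```

The order of the checks matters: header validation runs first so that a malformed packet never reaches the rule lookup, and the source-prefix check runs before the trust check so that a forged-looking address is rejected regardless of what identification accompanies it.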
