Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-12-23
2001-11-27
Wright, Norman M. (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C380S029000, C709S229000
Reexamination Certificate
active
06324648
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates generally to communications systems and networks, and, more particularly, to a secure gateway for providing access from a client computer over an insecure public network to one of a plurality of destination servers on a secure private network.
2. Description of the Related Art
Computer networks are known generally as including a wide variety of computing devices, such as client computers and servers, interconnected by various connection media. In particular, it is commonplace for an institution, such as a corporation, to provide such a network. Such network may include a multiplicity of servers executing a corresponding number of application programs (“applications”). The corporation's employees may use one or more of these applications to carry out the business of the corporation. Such a network may be characterized as a private, secure network, since it is accessible under normal, expected operating conditions only by suitably authorized individuals.
It has become increasingly popular, and in many instances a business necessity, for users (“clients”) to remotely access the private network. While the remote access is sometimes accomplished through dedicated, secure lines, it is increasingly done through the global communications network known as the Internet. Computer networks, particularly the Internet, can be vulnerable to security breaches. In particular, the Internet is generally considered insecure, in view of its widespread access and use by the public at-large. Accordingly, a problem arises as to how to securely allow the client access to the resources available on the private, secure network (e.g., the applications) over a generally insecure public network, such as the Internet.
One general approach taken in the art has been to employ various encryption schemes. For example, a protocol known as a Secure Sockets Layer (SSL) protocol protects information transmitted across the insecure Internet using encryption. Another known authentication scheme involves the use of a so-called digital certificate, which also uses encryption. As used, the digital certificate can be attached to an electronic message to verify to the recipient that the sender is who the sender claims to be. A well-known and widely accepted standard for digital certificates is ITU X.509.
While the above-described techniques are effective for what they purport to accomplish, providing access to a private, secure network over an insecure network such as the Internet requires a comprehensive combination of many security features. Accordingly, it is also known in the art to securely provide remote access by way of a gateway architecture. One known gateway architecture includes a firewall, a web server, an information collector (IC), an application message router (AMR), and an authorization handler.
The firewall is between the private, secure network and the public, insecure network. The web server and the information collector are on the insecure, public network side of the firewall. The web server communicates with the information collector using the well-known Gateway Interface (CGI), the specification for transferring information between a web server and a CGI program. The AMR and the authorization handler are on the private, secure network side of the firewall. The IC and AMR communicate through the firewall by way of an interprocess communication (IPC) mechanism. In this known gateway architecture, a user wishing to gain access to an application on the private network first accesses the web server using a conventional web browser. The user authenticates him or herself by providing a digital certificate.
The web server forwards the particulars of the digital certificate to the IC according to a CGI script. The information collector, in turn, forwards the digital certificate through the firewall to the AMR via the IPC mechanism. The AMR, also via an IPC mechanism, queries the authorization handler to authenticate the user. The authorization handler's response is sent back to the AMR. If the user is successfully authenticated, access is permitted. There are, however, several shortcomings to this approach.
First, the information collector and application message router are custom programmed software applications. Accordingly, they must be ported for each new platform used. This platform dependence results in increased costs (and delays) when implemented on new platforms.
Second, the known gateway has throughput limitations. The CGI interface is relatively slow, as is the IC-to-AMR link because, among other things, the IPC mechanism is single-threaded.
Third, certain data (e.g., static HTML, graphics, etc.) is more vulnerable to security breaches (i.e., being “hacked”) because it is maintained on the web server, on the Internet (insecure) side of the private network firewall. This situation is undesirable.
Another known gateway for providing access to a private network over an insecure network involves a two-level client-side digital certificate authentication mechanism. One proxy server is provided for every application on the private network, which are disposed on the Internet side of the firewall. One of the proxy servers performs a first level check of the digital certificate, and then passes the digital certificate data through the firewall via HTTPS for the second-level check by an authorization server. While this configuration addresses some of the shortcomings described above, routing in this approach is relatively inefficient for multiple applications (i.e., requires multiple proxy servers).
In addition, some applications on the private network do not require digital certificate strength authentication. In these situations for known gateway architectures there is no authentication of the user outside of the firewall (i.e., the gateways described above authenticate, at least at some level, before allowing further access across the firewall for complete authentication).
There is therefore a need to provide an improved gateway that minimizes or eliminates one or more of the shortcomings as set forth above.
SUMMARY OF THE INVENTION
One advantage of a computer system according to the present invention is that it authenticates a user of a remote client computer where use of digital certificates is undesirable or simply unavailable. Another advantage is that the authentication, which preferably involves a user identification (ID) and password, is performed on the insecure side of a firewall system separating the private secure network and the insecure public network (i.e., Internet). Authentication must be successfully performed prior to allowing access to the private network. In addition, the architecture of a computer system according to the invention maintains sensitive authentication data on an authorization server, which is on the secure, private network side of the firewall, reducing the likelihood of a successful “hacker” intrusion.
A computer system is provided according to the present invention that allows access from a client computer over an insecure private network. The computer system includes a firewall system, a proxy server, an authorization server, a web server and a gateway. The firewall system is disposed between the insecure public network (e.g., the Internet) and the secure, private network. The proxy server and the web server are on the insecure network side of the firewall system and the gateway and the authorization server are on the private, secure network side of the firewall system.
The authentication server is configured to authenticate the user of the client computer based on a user identification (ID) and password from the user of the client computer. The web server is configured to pass the user ID and password through the firewall to the authorization server. The web server is further configured to build an authentication cookie having a valid condition when the authorization server authenticates the user of the client computer based on the user ID and password.
According to the pre
GTE Service Corporation
Suchyta Leonard Charles
Weixel James K.
Wright Norman M.
LandOfFree
Secure gateway having user identification and password... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Secure gateway having user identification and password..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Secure gateway having user identification and password... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2608951