System and method for controlled access to shared-medium...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing

Reexamination Certificate


Details

C709S225000, C709S228000, C709S229000, C709S238000

Reexamination Certificate

active

06393484

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to information networks and methods of operation. More particularly, the invention relates to a system and method for controlled access to shared-medium public and semi-public IP networks.
2. Description of the Prior Art
With the vast increase of private, semi-public and public shared-medium IP networks, a growing problem for network and service administrators is how to restrict access to the networks to authorized and registered devices and users only. One example of the problem relates to corporate IP network administrators who deal with an increasingly mobile work force and have deployed IP network access ports (typically IEEE 802.X or similar medium) throughout their corporate facilities for shared use by their corporate employees. Such shared network access ports work in conjunction with Dynamic Host Control Protocol (DHCP) servers to dynamically assign the appropriate IP address and other parameters to a mobile employee's device. A strong concern in the use of such networks is preventing visitors or unauthorized persons from taking advantage of the exposed network access ports to gain IP connectivity to the internal corporate network (intranet).
Another example relates to Internet Service Providers (ISPs) offering public services over shared media, such as the increasingly popular cable-modem technology, which in many cases simulates IEEE 802.X medium access over cable TV plants. The distribution medium (cable TV plant) is shared among thousands of homes (users), of which only a subset is paying for internet access using cable modems. The DHCP protocol is also typically used as a means to assign an IP address and other parameters to the cable-modem user attempting to gain network services. In such a case, the ISP has a strong interest in preventing unauthorized (non-paying) users from using the IP/internet services by obtaining a usable address for a particular cable plant segment, which is easily accomplished.
Variations of the previous examples also exist using a variety of wire line and wireless access technology and access devices (personal computers, smart internet phones) for internet and intranet services to users sharing a common network medium.
Prior art related to such examples includes:
U.S. Pat. No. 5,732,137 entitled “Method and Apparatus for Secure Remote Authentication in a Public Network”, issued Mar. 24, 1998, discloses a method and apparatus for user authentication in a network environment between a client computer (workstation) and a remote destination server coupled to a network. A user operating the client workstation provides a log-in name of anonymous file transfer protocol and, as the password, the user's e-mail address. The destination server compares the user's e-mail address provided as a password to a list of authorized user addresses. If the e-mail address provided is not on the destination server's list of authorized users' addresses, the user's logon request is automatically denied. If the user's e-mail address is located on the list of authorized users' addresses maintained by the destination server, the destination server generates a random number (X) and encrypts the random number in an ASCII representation using encryption techniques provided by Internet Privacy-Enhanced Mail (PEM). The encrypted random number is stored in a file in the user's anonymous directory. The server further establishes the encrypted random number as a one-time password for the user. The client workstation initiates a file transfer request to obtain the PEM-encrypted random number as a file transfer from the destination server. The destination server then sends the PEM-encrypted random number password as the transferred file over the internet to the client workstation. The client workstation decrypts the PEM-encrypted file using the user's private RSA key in accordance with established PEM decryption techniques. The client workstation then provides the destination server with the decrypted random number password, which is sent in the clear over the internet to log in to the destination server.
Upon receipt of the decrypted random number password, the destination server permits the user to log in to the anonymous directory, thereby completing the user's authentication procedure and accomplishing log-in.
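The challenge-response exchange described for U.S. Pat. No. 5,732,137 (authorized-address lookup, server-generated random one-time password encrypted to the user's public key, client decrypts and returns it in the clear) is shown below as an added example; it is not code from the patent or from this page. A textbook RSA key on tiny constructed primes stands in for the PEM/RSA key pair, and Python dictionaries stand in for the authorized-user list and the anonymous directory; the class and function names are the example's own.

```python
import secrets
from dataclasses import dataclass, field

# Toy RSA (constructed tiny primes). It only illustrates the message flow and
# stands in for the user's PEM/RSA key pair; it is not a usable cipher.
def make_toy_keypair(p=61, q=53, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent
    return (e, n), (d, n)          # (public key, private key)

def rsa_encrypt(pub, m):
    e, n = pub
    assert 0 <= m < n
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)

@dataclass
class DestinationServer:
    # email -> user's public key (the "list of authorized user addresses")
    authorized: dict
    # email -> encrypted one-time password "file" in the user's anonymous directory
    anon_dir: dict = field(default_factory=dict)
    # email -> the random number X the server expects back (one-time use)
    pending: dict = field(default_factory=dict)

    def anonymous_login(self, login, password):
        """Step 1: anonymous FTP log-in with the e-mail address as password."""
        if login != "anonymous" or password not in self.authorized:
            return False               # address not on the list: denied
        pub = self.authorized[password]
        x = secrets.randbelow(pub[1] - 1) + 1   # random number X, 1 <= X < n
        self.pending[password] = x
        self.anon_dir[password] = rsa_encrypt(pub, x)  # encrypted OTP file
        return True

    def get_file(self, email):
        """Step 2: client fetches the encrypted random number as a file."""
        return self.anon_dir.get(email)

    def login_with_otp(self, email, otp):
        """Step 3: client presents the decrypted X in the clear. The value is
        consumed on first use, so a replay of the same X is refused."""
        expected = self.pending.pop(email, None)
        self.anon_dir.pop(email, None)
        return expected is not None and otp == expected

def client_authenticate(server, email, priv):
    """Client side of the exchange; returns True only on a completed log-in."""
    if not server.anonymous_login("anonymous", email):
        return False
    encrypted_otp = server.get_file(email)
    x = rsa_decrypt(priv, encrypted_otp)     # only the private-key holder can do this
    return server.login_with_otp(email, x)

if __name__ == "__main__":
    pub, priv = make_toy_keypair()
    srv = DestinationServer({"alice@example.com": pub})
    print("alice:", client_authenticate(srv, "alice@example.com", priv))
    print("unknown address:", client_authenticate(srv, "mallory@example.com", priv))
```

The property worth noting is the one the patent text relies on: X crosses the network in the clear only after the client has proven possession of the private key, and because the server forgets X as soon as it is used, an observer who captured the cleartext value cannot log in with it again.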
U.S. Pat. No. 5,757,924 entitled “Network Security Device Which Performs MAC Address Translation Without Affecting the IP Address,” issued Mar. 26, 1998 discloses a network security device connected between a protected client and a network. The network security device negotiates a session key with any other protected client. The security device is self-configuring and locks itself to the IP address of the client. Thus, the client cannot change its IP address once set and, therefore, cannot emulate the IP address of another client. When a packet is transferred in from the protected host, the security device translates the MAC address of the client to its own MAC address before transmitting the packet into the network. Packets addressed to the host contain the MAC address of the security device. The security device translates its MAC address to the client's MAC address before transmitting the packet to the client.
U.S. Pat. No. 5,774,652 entitled “Restricted Access Computer System,” issued Jun. 30, 1998 discloses a general purpose computing platform in a controlled system including a control hardware device and a control software program. The control hardware device is connected to the computing platform and to an access-status device such as a coin hopper or the like. The control software program runs on the computing platform and, in a secure mode, replaces the graphical user interface portion of the operating system of the general purpose computing platform. The control hardware device and control software program interoperate to allow access to application software programs on the computing platform only when certain conditions are satisfied. The control hardware device resets the computing platform if the control software program fails to communicate with it. The control hardware device also restricts operation of the user keyboard and display monitor to reduce the possibility of unauthorized use of the computer system.
The prior art for controlled access to networks is implemented in a combination of dedicated hardware control servers and specialized software. Moreover, the prior art requires extensive modifications to end systems or requires specialized and dedicated hardware to be inserted in front of every network client device. Such systems rely on encryption and sophisticated key management systems, which make such techniques expensive, inflexible, and not suitable for shared-medium public and semi-public IP networks.
What is needed is a system and method that is applicable to existing and future network access infrastructures which works in conjunction with popular and established IP protocols and communication layer network equipment without requiring any modifications to currently used internet protocols.
SUMMARY OF INVENTION
An object of the invention is a system and method which makes it impossible or very difficult for unauthorized devices and users to obtain IP network services on shared-medium public and semi-public networks.
Another object is a system and method for controlling access to shared-medium public and semi-public networks using standard network protocols and communication layers without modification.
Another object is a system and method for preventing unauthorized devices and users from obtaining network services in a dynamic user address environment.
These and other objects, features and advantages are achieved in a system comprising communication layers (OSI 2 and 3) and network equipment (routers and/or switches) which work in conjunction with Dynamic Host Control Protocols (DHCP) and Ad
