Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1997-01-17
2001-05-15
Trammell, James P. (Department: 2785)
active
06233686
ABSTRACT:
FIELD OF THE INVENTION
This invention relates to information systems security, in particular to providing access control between one set of automated information systems and another.
BACKGROUND OF THE INVENTION
Known methods for implementing access control for a specific computer on a network are cumbersome and inflexible because access rules must be coded and entered by hand by a system administrator. This is impractical for networks whose members change frequently, or whose members' security needs change frequently.
Effective information systems security prevents the unauthorized disclosure, modification or execution of an automated information system's (AIS) data and processes. As used here, the term AIS refers to a computer, network of computers, internetwork of computers, or any subset thereof. The term “data” refers to any information resident on an AIS, including files and programs. The term “processes” refers to programs in any stage of execution on an AIS.
A “host” is a computer with an assigned network address, e.g., an Internet Protocol (IP) address. A “user” is a computer that does not have a fixed, assigned network address. To obtain connectivity to the Internet, for example, a user must commonly obtain a temporary IP address from a host with a pool of such addresses. Such a temporary IP address is retained by the user only for the duration of a single session of connectivity with the Internet.
Information flows in certain networks in packets. A “packet” is a quantum of information that has a header containing a source and a destination address. An example of a packet is an IP packet. Packets such as IP packets have a network protocol identifier (“protocol”) as a part of the packet header. The protocol identifies the version number of the protocol used to route the packet. An example of a network protocol identifier is the IP protocol field in an IP packet header.
Packets on a network are directed to and from ports. A “port” is a logical address within a computer through which a process executing on the computer communicates with other executing processes. These other processes may reside on the same computer, or on other networked computers.
Information systems security is implemented by means of a security policy, which comprises rules directed towards regulating the flow of information in an AIS. The rules of a security policy are embodied in a “rule base,” a set of rules that specify whether a packet should be passed to the intended recipient or dropped based upon the packet's identifier. A packet identifier is data generally carried in the packet header that serves to identify the packet. An example of a packet identifier is a circuit number, which occurs in the headers of packets flowing in connection-oriented (i.e., circuit-switched) packet switched networks. Another example of a packet identifier is a packet 5-tuple, which is the packet's source and destination address, source and destination port, and protocol. Packets with 5-tuples flow in connectionless packet switched networks.
A rule base may be global or local. A global rule base is a uniform set of rules (“global rules”) that apply to a group of users, hosts, or both. A local rule base is a set of rules (“local rules”) that apply to a single user with a temporary network address or a host. A single user with a temporary network address or a host that has its own rule base is called a “peer.”
Another means for implementing security policy is to restrict access to a network to a predetermined set of users and hosts. When a user or host requests access, its identity must be established and verified before access is granted. This process involves two steps: identification and authentication.
FIG. 1 shows one method of identification and authentication in the form of a flow chart with each step designated by a reference numeral. A first step requires a source of information to identify itself by name by supplying a string of data called a user id 10. To prevent an imposter from obtaining the privileges associated with a given user id, the user behind the user id is verified by requiring it to provide a password 11 that is normally kept confidential. Such verification is called “authentication.” The AIS checks the combination of source id and password against a list of valid users 12. When the AIS recognizes a valid user id and corresponding password, a user or host is said to have been identified and authenticated 14. Otherwise, the request for access is denied 13. Hereinafter, a source that has been identified and authenticated will be said to have been “authenticated” for purposes of brevity.
A security policy rule base is implemented on a network using a device called a filter comprising hardware and software. The rule base is loaded into the filter, which receives packets en route (between their source and destination) and checks the identifier of each packet against the identifier contained in each rule of the rule base for a match, i.e., if the packet corresponds to the rule. A packet corresponds to a rule if the rule applies to the packet. Hence, a rule that is meant to apply to packets with a circuit number of 3254, for example, “corresponds” to all packets with a packet identifier that indicates circuit number 3254. If the network packet identifier corresponds to a rule identifier, the filter carries out the PASS or DROP action prescribed by the rule on the packet. If the PASS action is carried out, the packet is allowed to pass through the filter. If the DROP action is carried out, the packet is eliminated.
A filter is often combined with other hardware and software that helps manage the flow of information through the filter. The combination of hardware and software that carries out and supports packet filtering is called a firewall. A firewall is often positioned between a first network that “owns” the firewall and a second network. The purpose of the firewall is to regulate the flow of information into and out of the first network from the second network by implementing the rule base belonging to the first network for all such information.
A typical application of a firewall is shown in FIG. 2. A corporate network 20 may wish to provide access to Internet hosts 21 to its subscribers, but may wish to limit the access that the Internet hosts 21 have to the corporate network 20, which may contain trade secrets and proprietary information. The corporate network 20 would develop a security policy implemented by a firewall 22 placed at the interface between the corporate network 20 and the Internet hosts 21. The firewall 22 comprises a filter 23 that would PASS or DROP packets from Internet hosts 21 to corporate network subscribers 20 and vice versa based upon the packets' source and destination addresses. The firewall is said to belong to the corporate network, and enforces rules that “protect” hosts within the corporate network that have IP addresses. Such hosts are said to be “behind” the corporate network firewall.
An example of a rule base for corporate network 20 having hosts A 24, B 25 and C 26, connected through a firewall 22 to the Internet having hosts G 27, H 28 and I 29 is as follows:

SOURCE           DESTINATION      VERSION   ACTION
Address, Port    Address, Port
A,21             G,32             4         PASS
A,22             H,19             3         DROP
G,11             A,64             4         DROP
C,9              I,23             4         PASS
Every rule base must also have a default action for transactions that are not explicitly specified in the rule base, which is usually the DROP action. Thus, packets from system A, port 21 to system G, port 33 will be dropped because the above rule base does not expressly include a rule for such a transfer.
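The following is an added illustration, not code from the patent: a minimal filter that applies the rule base above to packets identified by their 5-tuple and version, returning the action of the first corresponding rule and falling back to the DROP default for anything the rule base does not mention (such as A,21 to G,33). The Packet and Rule classes and the port/version values are assumptions for the example.

```python
from dataclasses import dataclass

PASS, DROP = "PASS", "DROP"


@dataclass(frozen=True)
class Packet:
    """Hypothetical packet identifier: the 5-tuple fields plus the version."""
    src: str
    sport: int
    dst: str
    dport: int
    version: int  # the protocol/version field carried in the header


@dataclass(frozen=True)
class Rule:
    src: str
    sport: int
    dst: str
    dport: int
    version: int
    action: str

    def corresponds(self, pkt: Packet) -> bool:
        """A rule 'corresponds' to a packet when every identifier field matches."""
        return (self.src, self.sport, self.dst, self.dport, self.version) == (
            pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.version)


# The rule base from the text: hosts A, B, C behind the firewall; G, H, I on the Internet.
RULE_BASE = [
    Rule("A", 21, "G", 32, 4, PASS),
    Rule("A", 22, "H", 19, 3, DROP),
    Rule("G", 11, "A", 64, 4, DROP),
    Rule("C", 9, "I", 23, 4, PASS),
]


def filter_packet(pkt: Packet, rules=RULE_BASE, default=DROP) -> str:
    """Return the action of the first corresponding rule, else the default action."""
    for rule in rules:
        if rule.corresponds(pkt):
            return rule.action
    return default  # no explicit rule: the usual DROP default applies


if __name__ == "__main__":
    # Constructed sample packets: one covered by a rule, one that only the default catches.
    for p in (Packet("A", 21, "G", 32, 4), Packet("A", 21, "G", 33, 4)):
        print(p, "->", filter_packet(p))
```

Note that a version mismatch (A,22 to H,19 with version 4 rather than 3) also fails to correspond and therefore lands on the default.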
A typical architecture for providing users access to the Internet is shown in FIG. 3. Users 31 and 32 do not have fixed IP addresses. Rather, a user is assigned temporary IP addresses by an Internet Service Provider (ISP) Point of Presence (POP) 33 from a pool of such addresses kept by the POP 33 for this purpose. A POP comprises at least one host (not shown). When a user 31 terminates his s
Dutta Partha P.
London Thomas B.
Siil Karl Andres
Vrsalovic Dalibor F.
Zenchelsky Daniel N.
AT & T Corp.
Elisca P
Kenyon & Kenyon
Trammell James P.