Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-09-17
2002-10-22
Wright, Norman M. (Department: 2131)
C709S225000, C709S229000
active
06470453
ABSTRACT:
FIELD OF THE INVENTION
The present invention generally relates to management of computer networks, and relates specifically to validating connections to a network system.
BACKGROUND OF THE INVENTION
A network system generally includes a number of network devices, such as switches, routers, and others, connected so as to allow communication among the devices and end station devices such as desktop machines, servers, hosts, printers, fax machines, and others. Many companies have a desire to provide remote access to their computer networks. By allowing remote access, individuals can connect to the computer network to use it to work and obtain resource information while located at a remote site.
A popular method of providing remote access to a network is through the use of a dial-in network access server (NAS) that controls access to the network. For example, the server model AS5300, commercially available from Cisco Systems Inc., can be used to provide dial-in access to a company's network. Individuals can access the network system by dialing into the network access server from a Remote Node to establish a connection. In this document, the term Remote Node refers to a client device such as a personal computer (PC) or router that can be used to dial in and establish a connection with a network access server. A client/server relationship exists between the Remote Node (client) and the network access server (server).
A drawback associated with providing remote access to a company's network system is that unauthorized individuals can sometimes gain access to the network system, thus potentially allowing the company's resources and information to be accessed, used or compromised. To prevent unauthorized network access, several protocols have been developed that can be used to identify remote nodes that are authorized to remotely connect and access the network system before a connection is actually established.
In general, dial-in connections are made using one of the Internet's standard dial-in protocols, either the Point-to-Point Protocol (PPP) or the Serial Line Internet Protocol (SLIP). To prevent unauthorized network access, a “client authentication” phase is typically performed before a remote node is allowed to connect to a network access server. During the client authentication phase, the client that is requesting the dial-in connection is identified.
The PPP supports an optional authentication phase by providing two authentication protocols, the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Both PAP and CHAP use a set of fixed passwords to authenticate a remote node that is requesting to make a dial-in connection with a network access server. To authenticate the remote node, both PAP and CHAP require the remote node to provide “client access” information that can be used to determine whether the remote node is allowed to remotely connect to the network access server.
For example, if CHAP is used to establish the connection, a “challenge” message is sent by the network access server to the remote node. Upon receiving the challenge message, the remote node calculates a value from the challenge message and its password (the secret shared with the server) using a “one-way” hash function. The remote node then returns the calculated value to the network access server. Upon receiving the calculated value, the network access server compares it to its own calculation of the expected hash value. If the values match, the remote node is identified and the network access server establishes a connection with the remote node. A benefit of using CHAP is that the password itself is never sent over the link and a captured response cannot be replayed, because the challenge value is varied from one authentication phase to the next.
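The CHAP exchange described above, written out as an added example with both sides' computation. This is not code from the patent or from Cisco; it follows the MD5 variant of CHAP in RFC 1994 (Response = MD5(Identifier || Secret || Challenge)). The node names, shared secrets and sample challenge are constructed for illustration.

```python
"""Added example: a CHAP (RFC 1994, MD5 variant) challenge/response exchange
between a network access server and a remote node. Not code from the patent
or from Cisco. All names, secrets and challenge values are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4: one-way hash over Identifier, shared secret, Challenge.

    The Identifier is a single octet tying a Response to the Challenge it
    answers; the secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class NetworkAccessServer:
    """Holds the table of remote-node names and their fixed shared secrets."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets
        self._pending: Dict[int, bytes] = {}   # outstanding Challenges by Identifier
        self._next_id = 0

    def challenge(self, value: Optional[bytes] = None) -> Tuple[int, bytes]:
        """Issue a fresh Challenge. A fixed value may be passed for testing;
        in operation it is random and never reused."""
        identifier = self._next_id & 0xFF
        self._next_id += 1
        challenge = value if value is not None else os.urandom(16)
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Compare the Response with the server's own hash computation.

        Each Challenge is consumed on first use, so a captured Response
        cannot be replayed against the same Challenge later."""
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class RemoteNode:
    """A dial-in client holding its name and its fixed secret."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def answer(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        """Build the Response packet contents: Name plus the hash value."""
        return self.name, chap_response(identifier, self._secret, challenge)


def run_exchange(node: RemoteNode, nas: NetworkAccessServer,
                 fixed_challenge: Optional[bytes] = None) -> Tuple[bool, bool]:
    """One authentication phase, then an attempt to replay the same Response.

    Returns (first_attempt_accepted, replay_accepted)."""
    identifier, challenge = nas.challenge(fixed_challenge)
    name, response = node.answer(identifier, challenge)
    first = nas.verify(identifier, name, response)
    replay = nas.verify(identifier, name, response)   # same Identifier and value again
    return first, replay


if __name__ == "__main__":
    # Constructed sample data, not from the page.
    nas = NetworkAccessServer({"remote-node-x": b"s3cr3t-for-node-x"})
    print(run_exchange(RemoteNode("remote-node-x", b"s3cr3t-for-node-x"), nas))
    print(run_exchange(RemoteNode("remote-node-x", b"wrong-password"), nas))
```

Because the server computes the same hash from its own copy of the password, it can identify the node without the password ever appearing on the wire; the replay attempt fails because the consumed challenge is gone and the next challenge differs.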
Alternatively, using PAP a user is required to supply client access information in the form of a username and password that is used by the network access server to identify the remote node. If the user is using a “hands on” remote device having a display and input device, such as a PC, the network access server may cause a login window to be displayed on the monitor of the PC. The user is then required to enter a valid username and password in order to establish a connection between the network access server and the remote node. Based on the supplied username and password, the network access server can identify the remote node to determine whether a connection should be established between the network access server and the remote node.
Following the client authentication phase, a “client authorization” phase is performed to determine the functions and operations that may be performed by the remote node during the lifetime of the connection. The client authorization phase is performed by the NAS on behalf of the remote node. To perform the client authorization phase, the NAS determines a set of access privileges based on the identity of the remote node. These access privileges are then assigned to the established connection and control the set of functions and operations that may be performed by the remote node.
One drawback with using dial-in protocols such as PPP or SLIP to establish a dial-in connection is that all connections that are established between a particular remote node and a network access server are provided with the same set of access privileges. For example, when user A connects to a first network access server using remote node X, user A is provided the same set of access privileges that user B is provided when connecting to the same network access server using remote node X. Thus, access privileges cannot be provided on a per-user basis.
Another drawback with using dial-in protocols such as PPP or SLIP to establish a dial-in connection is that they require fixed passwords and therefore cannot take advantage of the extra security that is provided through the use of a Smart card or Token card. One type of Token card, the SecurID card commercially available from Security Dynamics, Inc., continually generates a series of one-time passwords, each of which can be used once to log in to a network access server. The Token card works in conjunction with a password server, such as Security Dynamics' ACE password server, and generates a response that is unique for every login. The result is a one-time password that, if monitored, cannot be reused by an intruder to gain access to an account. To use the Token card, the user typically enters the series of digits and letters displayed on the Token card in the prompt window, or inserts the card into a reader that is coupled to the Remote Node. The password server internally generates one-time passwords in sync with the card. The one-time password is then used to verify that the user is allowed to log in to the network access server through the remote device and access the network system, by comparing the card's password to the password server's password at a particular instant in time.
In certain cases, Token cards can provide a greater level of security, as the password is only valid for a single session. For example, a user sometimes selects the “save password” button on the client so that the user does not have to enter the client access information every time they dial in to the network access server. However, if that individual's client computer is stolen, an unauthorized user may potentially dial in and connect to the network access server, thus compromising the information and resources that are accessible through the network access server. By contrast, if a Token card is used to provide the client access information, then even if an individual's computer is stolen, an unauthorized user will not be able to log in to the network access server and gain access to the network system without also obtaining the Token card.
In addition, many home office users have begun using access router devices, such as router models 1004 and 1604, commercially available from Cisco Systems Inc., to remotely connect to a company's network access server. Access routers are “hands-off” dev
Cisco Technology Inc.
Hickman Palermo & Truong & Becker LLP
Wright Norman M.