ACCESS VALIDATION SYSTEM
Field of the Invention
The invention relates to a system for permitting the continued access of a user to computer resources. More particularly, the invention relates to a system that utilizes a time-dependent firewall to administrate the continued access of validated users to computer resources.
Background of the Invention
The problem of preventing unauthorized access to a computer workstation has been addressed in the art. Several solutions have been offered over the years, ranging from mechanical solutions, such as the use of a key, to logical solutions, such as the use of passwords to be keyed in, and including electronic solutions, such as the use of magnetic or smart cards for gaining access to the workstation.
Most early solutions did not solve a very critical problem, viz., that of unauthorized access to a workstation when the authorized user, who has logged into the workstation, temporarily leaves his position without turning off the workstation or the relevant program. Some attempts have been made to solve the problem by providing programs which automatically turn off the workstation after a given idle time, or require a renewed access procedure to gain access again to the workstation. These solutions, however, are impractical and cumbersome, and have not been very successful.
An improved solution to the problem is based on proximity sensors that automatically detect whether the user (token) has left the computer site and automatically disable access to all or selected computer resources. The proximity sensor uses contactless communication technology, such as RF, IR, sound, ultrasound, etc. Although prior art systems employing proximity sensors are convenient for the users, they present severe drawbacks, particularly inasmuch as they do not afford a high level of security against unauthorized access, since the tokens can be duplicated, and because of the low flexibility of a system which pairs a user (token) with a predetermined workstation.
The problem is relatively simple when a stand-alone workstation is involved. However, most systems of interest are large LANs or WANs, involving a large number of users, sometimes up to several hundred, and a plurality of servers, all of which may be decentralized and may operate from a number of remote sites. All the existing solutions present a severe drawback inasmuch as they require that suitable security software be installed on the server(s) and workstation(s), so that the servers and the workstations may cooperate in maintaining a preset security policy. This need is accompanied by the need to maintain and service the servers constantly, in order to update security policies, users' data, software versions, etc. This is a severe drawback inasmuch as it is undesirable to upload and service software on servers that serve the regular needs of the LAN or WAN, which may cause downtime, compatibility and maintenance problems, particularly when a number of physically remote servers are involved. Additionally, the initial installation of the software is normally complicated and time consuming, and may also require some downtime. However, the art has so far failed to provide means to obviate this severe problem.
It is therefore an object of this invention to provide a method and a security system that overcomes the aforementioned drawbacks of the prior art.
It is another purpose of this invention to provide a system which does not require the presence of complicated security software on the servers of the LAN or WAN.
It is yet another object of the invention to provide a security system that can be put in place quickly and simply, without the need for complicated software installation on the server(s).
Other purposes and advantages of this invention will appear as the description proceeds.
Summary of the Invention
In one aspect the invention is directed to a method of controlling the connection of a workstation to a server so as to allow its access when a token/workstation validation process is successfully completed, and to prevent or discontinue the connection of the workstation to the server when a token/workstation validation process fails to identify an authorized user, comprising: a) providing a firewall coupled to, or integral with, a communication gate located between the workstation and the server; b) providing user/workstation validation means suitable to determine whether the user is physically located within a predefined distance from the workstation; c) validating the user to the firewall; and d) disallowing access to one or more resources of the workstation if the user is not validated or, if the security policy so requires, transmitting to the firewall a command to disconnect the workstation from the server.
According to a preferred embodiment of the invention, the method further comprises generating an indication that the user is not within a predefined distance from the workstation and that the security policy requires that access be discontinued, by carrying out the following steps: e) determining whether the user is physically located within said predefined distance from the workstation; and f) when the distance of the user from the workstation exceeds said predefined value, disallowing access to one or more resources of the workstation or, if the security policy so requires, transmitting to the firewall a command to disconnect the workstation from the server.
The decision on whether a user who is physically absent from his workstation will cause the workstation to become inactive in some aspects, viz., to have its input devices deactivated, or whether the workstation must be logged off altogether from the server, is a decision that is taken, according to a preferred embodiment of the invention, at the workstation level. Different security policies may result in different commands to the firewall. However, the server is not involved in any part of the process, since the physical proximity of the user, as well as the logical results thereof, are supervised by the workstation security software, and the connection or disconnection of the user to the server or network is carried out by the firewall, as a result of input received from the workstation security software.
According to a preferred embodiment of the invention step (d) above is repeated periodically, at a preselected time interval, and the relevant decisions are also made by the workstation security software at the appropriate time intervals.
According to a preferred embodiment of the invention the communication gate is a switch.
According to another preferred embodiment of the invention the user/workstation validation means comprise a token and a transceiver connected to the workstation.
According to a preferred embodiment of the invention, when the distance of the user from the workstation is less than a predefined value, a signal indicative of a presence state is generated and transmitted to the firewall. According to this particular embodiment of the invention, the firewall is provided with preset instructions and with logic means, and the decision as to whether the connection of the workstation to the server should be reset is made at the firewall level, rather than at the workstation security software level, and this decision is made on the basis of signals received from the workstation. In a typical embodiment of the invention the firewall will allow the workstation to connect to the server when a signal indicative of a presence state is received by it.
According to another preferred embodiment of the invention the firewall allows the connection between the workstation and the server to continue, as long as signals are sent by the workstation and are received by the firewall at preset time intervals.
In another aspect the invention is directed to a system for controlling the connection of a workstation to a server so as to allow its access when a token/workstation validation process is successfully completed, and to prevent or discontinue the connection of the workstation to the server when a token/workstation validation process fails to identify an authorized user, or results in an indication that the user is not within a predefined distance from the workstation and that the security policy requires that access be discontinued, comprising:
a) a firewall coupled to, or integral with, a communication gate located between the workstation and the server; b) user/workstation validation means suitable to determine whether the user is physically located within a predefined distance from the workstation;
c) signal generating means to generate signals indicative of successful validation or connection reset and to transmit said signal to said firewall when the user/workstation validation means determine that a security policy so requires; and d) circuitry provided in said firewall for discontinuing and/or preventing the connection of the workstation to the server for a predefined period of time, when a command is sent by the security software of the workstation to the firewall.
A time-dependent firewall assembly according to a preferred embodiment of the invention comprises firewall circuitry coupled to communication gate means. According to a preferred embodiment of the invention the firewall circuitry is integral with the gate means. Preferably, but non limitatively, the gate means is a switch.
Brief Description of the Drawing
- Fig. 1 is a schematic representation of a LAN, according to a preferred embodiment of the invention.
Detailed Description of Preferred Embodiments
Looking now at Fig. 1, a simple LAN is schematically shown, in which a plurality of workstations, 1a - 1e, is provided, each of which is coupled with a token, 2a - 2e. The workstations are connected to a server 3 through a switch 4. The switch 4 is equipped with firewall circuitry that performs the following activities:
1. It identifies the workstation connecting to the server via the switch;
2. It determines whether the workstation is being operated using a valid token, which grants access rights to the server;
3. It determines whether any other preset security policies are being observed, such as the time of the day or the day of the week during which access must be denied;
4. If all security policies are observed, the firewall circuitry does not intervene. If any of the security policies has been violated, however, the firewall circuitry resets the connection with the server, thereby preventing the workstation user from accessing it.
5. It repeats the above operations every time a user logs in again after having logged off from his workstation.
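The firewall-side behaviour listed above, together with the presence-signal embodiments of the Summary (a connection kept up only while signals from the workstation arrive at preset intervals, and reset for a predefined period when the workstation commands a disconnect), as an added Python illustration. This is example code written for this page, not the applicants' implementation or the circuitry of switch 4: the token identifiers, the allowed-hours window, the ten-second presence interval, the five-minute lockout and the timestamps in the constructed scenario are all assumed values, and the firewall is modelled as an in-memory object.

```python
"""Time-dependent firewall at the switch: added illustration, not the applicants' code.

It identifies the workstation, checks that it presents a valid token, applies a
time-of-day policy, keeps the server connection up only while presence signals
keep arriving, and resets the connection (with a lockout) on a disconnect
command from the workstation security software.  Every value below is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class FirewallPolicy:
    valid_tokens: frozenset                    # tokens granting server access (assumed provisioned into the firewall)
    allowed_hours: Tuple[int, int] = (8, 18)   # access permitted from 08:00 up to, but not including, 18:00
    presence_interval: timedelta = timedelta(seconds=10)   # a presence signal must arrive at least this often
    lockout: timedelta = timedelta(minutes=5)  # a commanded disconnect blocks the port for this long


@dataclass
class Connection:
    token: str
    last_presence: datetime


class TimeDependentFirewall:
    def __init__(self, policy: FirewallPolicy):
        self.policy = policy
        self.connected: Dict[str, Connection] = {}    # workstation id -> live server connection
        self.blocked_until: Dict[str, datetime] = {}  # workstation id -> end of lockout

    def _time_allowed(self, now: datetime) -> bool:
        start, end = self.policy.allowed_hours
        return start <= now.hour < end

    def connect(self, workstation: str, token: str, now: datetime) -> bool:
        """Log-in time validation: token, time window and lockout are checked here."""
        until = self.blocked_until.get(workstation)
        if until is not None:
            if now < until:
                return False                  # still locked out after a commanded disconnect
            del self.blocked_until[workstation]
        if token not in self.policy.valid_tokens or not self._time_allowed(now):
            return False                      # invalid token, or outside the allowed hours
        self.connected[workstation] = Connection(token, now)
        return True

    def presence(self, workstation: str, now: datetime) -> None:
        """Presence signal from the workstation security software restarts its timer."""
        conn = self.connected.get(workstation)
        if conn is not None:
            conn.last_presence = now

    def disconnect_command(self, workstation: str, now: datetime) -> None:
        """Workstation-level policy decided on a log-off: reset and lock out the port."""
        self.connected.pop(workstation, None)
        self.blocked_until[workstation] = now + self.policy.lockout

    def sweep(self, now: datetime) -> List[str]:
        """Periodic check: reset connections whose presence signal is overdue or whose
        allowed time window has closed.  Returns the workstations that were reset."""
        reset = []
        for ws, conn in list(self.connected.items()):
            overdue = now - conn.last_presence > self.policy.presence_interval
            if overdue or not self._time_allowed(now):
                del self.connected[ws]
                reset.append(ws)
        return reset

    def is_connected(self, workstation: str) -> bool:
        return workstation in self.connected


def demo() -> dict:
    """Constructed scenario (assumed tokens and times) exercising each firewall rule."""
    policy = FirewallPolicy(valid_tokens=frozenset({"token-2a", "token-2b"}))
    fw = TimeDependentFirewall(policy)
    t0 = datetime(2024, 1, 15, 9, 0, 0)      # inside the allowed hours

    def at(seconds: int) -> datetime:
        return t0 + timedelta(seconds=seconds)

    out = {}
    out["login_ok"] = fw.connect("ws-1a", "token-2a", t0)
    out["bad_token"] = fw.connect("ws-1b", "token-zz", t0)
    out["after_hours"] = fw.connect("ws-1c", "token-2b", t0.replace(hour=22))
    fw.presence("ws-1a", at(5))
    out["sweep_fresh"] = fw.sweep(at(12))      # 7 s since the last presence signal: kept
    out["sweep_overdue"] = fw.sweep(at(16))    # 11 s: reset
    out["reconnect"] = fw.connect("ws-1a", "token-2a", at(20))
    fw.disconnect_command("ws-1a", at(30))
    out["during_lockout"] = fw.connect("ws-1a", "token-2a", at(60))
    out["after_lockout"] = fw.connect("ws-1a", "token-2a", at(360))
    fw2 = TimeDependentFirewall(policy)       # time window closing while presence is still fresh
    fw2.connect("ws-1d", "token-2b", datetime(2024, 1, 15, 17, 59, 50))
    out["window_closed"] = fw2.sweep(datetime(2024, 1, 15, 18, 0, 0))
    return out
```

Two points the description leaves to the implementer: the presence interval at the firewall must be longer than the polling interval of the workstation software, or an ordinary poll delay will reset a connection the workstation still considers valid; and, because the firewall acts purely on signals received from the workstation, a deployment needs the link between the workstation software and the firewall to be authenticated (for instance by keying each workstation's signals), otherwise the presence signal is no stronger than whoever can send frames to that switch port.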
The operation of the firewall, and the means used to reset the communication between the user and the server, are well known in the art and are therefore not discussed herein in detail, for the sake of brevity. Likewise, the means for authenticating a user with a workstation are also well known in the art, for instance from WO 97/39553 or from PCT/IL99/00115 of the same applicants hereof, and the skilled person will easily select the validation method that is best suited for a specific purpose.
Although, as said, the way in which the access of the user is prevented is conventional, the firewall coupled to the switch, according to the invention, operates in other respects differently from prior art firewalls. Prior art firewalls determine whether a user is authorized to access a given server and, if the user is authorized, allow him to connect. At this point, the role of the firewall has ended, and any other task (such as the establishment of permissions to access given folders, areas or resources) is handed over by the firewall to the server. The firewall is no longer concerned with the activities of the user. Thus, prior art firewalls operate in what can be termed a "time-independent mode". Furthermore, prior art firewalls require an independent firewall server, which is connected to the LAN and is logically located before the server.
According to the invention, however, the firewall is not only coupled to, and preferably integral with, the switch, hub or the like communication gate, but it also operates in cooperation with the distance-dependent security software and hardware coupled to the workstation, which is responsible for ensuring in a time-dependent mode, that the resources of the workstation are not made available if a user has left his working position by a distance greater than a predetermined value. According to the invention the validation of the user is carried out at the firewall, while his presence near the workstation is determined as a function of token proximity data received from the workstation, which data is analyzed by the software running on the workstation level. In other words, the identity of the user is validated at the firewall server at the time of log-in, while his continued presence is checked at the workstation level. The workstation security software may decide to disallow access to certain resources, such as the keyboard or the mouse, or may decide, under certain conditions, to log-off the user entirely. If the workstation software decides to log-off the user, a corresponding signal is transmitted from the workstation to the firewall that resets the communication of the user with the server(s).
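The workstation-level side of the same arrangement, as an added Python illustration: the security software polls the token's proximity at the preselected interval of the Summary, keeps the firewall's timer alive with a presence signal while the user is near, disables the keyboard and mouse once the user has moved beyond a first distance, and logs the user off and commands the firewall to reset the server connection once the user has moved beyond a second distance or the token has not been seen for too long. This is example code written for this page, not the applicants' software; the two distance thresholds, the absence limit, the event vocabulary and the constructed proximity readings are assumptions, and the radio-ranging itself (the transceiver and token of the Summary) is represented only by the numbers fed to the monitor.

```python
"""Workstation security software: added illustration, not the applicants' code.

Distances are in metres and every threshold is an assumed value.  A reading of
None means the transceiver did not hear the token at all during that poll.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (destination, action): destination is "local" for the workstation's own
# resources, "firewall" for a signal sent to the time-dependent firewall.
Event = Tuple[str, str]


@dataclass
class WorkstationPolicy:
    input_lock_distance: float = 2.0   # beyond this, keyboard and mouse are disabled
    logoff_distance: float = 5.0       # beyond this, the user is logged off
    absence_limit: int = 3             # consecutive polls without the token before log-off


class WorkstationMonitor:
    """Runs once per preselected interval (step (d) of the Summary, repeated periodically)."""

    def __init__(self, policy: WorkstationPolicy):
        self.policy = policy
        self.logged_in = True
        self.input_locked = False
        self.missed = 0

    def login(self) -> None:
        """Called after the user has validated again at the firewall."""
        self.logged_in = True
        self.input_locked = False
        self.missed = 0

    def poll(self, distance: Optional[float]) -> List[Event]:
        events: List[Event] = []
        if not self.logged_in:
            return events                          # nothing to supervise until the next log-in
        if distance is None:
            self.missed += 1
            gone = self.missed >= self.policy.absence_limit
            far = True                             # token unheard: at least lock the input devices
        else:
            self.missed = 0
            gone = distance > self.policy.logoff_distance
            far = distance > self.policy.input_lock_distance
        if gone:
            self.logged_in = False
            self.input_locked = False
            events.append(("local", "logoff"))
            events.append(("firewall", "disconnect"))   # firewall resets the server connection
            return events
        if far and not self.input_locked:
            self.input_locked = True
            events.append(("local", "lock_input"))
        elif not far and self.input_locked:
            self.input_locked = False
            events.append(("local", "unlock_input"))
        if distance is not None:
            events.append(("firewall", "presence"))     # keeps the firewall's timer alive
        return events


def run(readings: List[Optional[float]], policy: WorkstationPolicy = WorkstationPolicy()) -> List[List[Event]]:
    """Feed one constructed sequence of proximity readings to a fresh monitor."""
    monitor = WorkstationMonitor(policy)
    return [monitor.poll(r) for r in readings]


# Constructed readings: user at the desk, steps away, returns, then leaves the room.
WALK_AWAY = [0.5, 0.8, 2.5, 3.0, 1.0, 6.0, 0.5]
# Constructed readings: token stops answering (battery dead, or removed from range).
TOKEN_LOST = [1.0, None, None, None]
```

The "far but not gone" band is what lets the page's two outcomes coexist: within it the workstation locks its own input devices but still reports presence, so the server connection survives a short absence, while a longer or farther absence escalates to a log-off that is enforced by the firewall rather than by the workstation alone. The absence limit should be chosen so that `absence_limit` polls fit inside the firewall's presence interval, since no presence signal is sent while the token is unheard.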
As will be appreciated by the skilled person, the invention solves a number of problems: it is simple in operation, since it does not require the installation of complicated software on the server(s). It is efficient, inasmuch as access to the workstation resources can be prevented, when the token/workstation validation procedure reveals that the user is no longer near the workstation, and a physical disconnection of the workstation from the network can be effected at the firewall level, as a result of a security policy determination made at the workstation level. Furthermore, the time-dependent firewall of the invention is essentially plug-and-play with respect to the server, and only requires a simple installation of hardware and software at the workstations.
While embodiments of the invention have been described by way of illustration, it will be understood that the invention can be carried out by persons skilled in the art with many modifications, variations and adaptations, without departing from its spirit or exceeding the scope of the claims.