WO2004086716A2 - Method and system of accessing a plurality of network elements - Google Patents


Info

Publication number: WO2004086716A2
Authority: WO, WIPO (PCT)
Application number: PCT/EP2003/012460
Other languages: French (fr)
Other versions: WO2004086716A3 (en)
Prior art keywords: password, username, network elements, network, nemp
Inventors: David J. Axel, Navin Gupta, Kenneth Harris
Original assignee: Siemens Aktiengesellschaft

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]

Abstract

A method of accessing a plurality of network elements (NE) with at least one network element management program (NEMP) running on at least one element manager (EM) comprises the steps of capturing a username and a password within said network element management program (NEMP) and submitting said captured username and password to each of said plurality of network elements (NE) so as to effect administrative address privileges for each of said plurality of network elements (NE) without recapturing said username and said password. The purpose of the method is to capture the username and password of the user in order to log the user into individual network elements (NE) without having to re-enter his username and password.

Description

Method and system of accessing a plurality of network elements
FIG 1 illustrates a typical problem encountered in a network element management system employed by corporate entities and organizations today. Access to the network elements is provided to users via one or more interactive devices (element managers) such as computer terminals, workstations and computers, which are coupled to a network (e.g. a TCP/IP network) and on which a network element management program is active. The network element supports e.g. SNMP (Simple Network Management Protocol), whereby the network element management program can be running e.g. on a Windows or Unix operating system.
At present, management of network elements is handled by a management system simply opening a web browser, which is directed to the network element's IP (Internet Protocol) address. The network element is then managed via a built-in Flash web interface. Since the management system uses the web interface and this interface is secured, the user must enter his username and password again each time he accesses any network element.
The security system of the network element is straightforward. The network element houses an internal username/password database containing a limited number of users and their access levels. When a user tries to access a network element, a challenge box is presented. The user must then enter his username and password in order to gain access to the network element web interface. This is true regardless of how the user tries to gain access to the network element: via the network element management system or directly from a web browser. When a user logs on to a computer running Windows 2000 Professional or Server, Windows uses two authentication procedures to log the user on locally (FIGURE 2):
1.) Windows attempts to use Kerberos (KDC) as the primary source of user authentication. (The KDC is a service that runs on all domain controllers and works with Active Directory and the Kerberos security authentication services.)
2.) If the KDC service is not available when the user logs on to the computer, Kerberos cannot authenticate the user. Instead Windows uses Windows NT LAN Manager (NTLM) security to authenticate users in the local Security Accounts Manager (SAM) database. Windows 2000 uses the NTLM security system for compatibility with earlier versions of Windows NT.
Local logon authentication uses the following steps:
1. The user types his username and password. The Graphical Identification and Authentication (GINA) component collects the user's username and password.
2. GINA passes the secure information to the Local Security Authority (LSA) for authentication.
3. The LSA passes the information to the Security Support Provider Interface (SSPI). SSPI is an interface that communicates with both the Kerberos and NTLM services and allows developers to write security-aware applications without knowing Kerberos or NTLM specifics.
4. SSPI passes the username and password to the Kerberos SSP (Security Service Package). The Kerberos SSP checks to see if the target computer name is the local computer or the domain name. Kerberos passes an error message to SSPI if it is the local computer name. The computer generates an internal error not visible to the user. The following error message is passed back if the network was checked and no KDC could be found:
No logon server available.
5. The internal error message triggers SSPI to start the process over again with GINA. GINA passes the information to LSA again, and then LSA passes the information to SSPI again.
6. This time, SSPI passes the username and password to the NTLM driver MSV1_0 SSP. The NTLM driver uses the NetLogon service to validate the user against the local SAM database.
7. The user receives the following error message only if both Kerberos and NTLM fail to authenticate the user's account:
Logon Message:
The system could not log you on. Make sure your username and domain are correct, then type your password again.
Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.
(This error message is the same whether the password is typed incorrectly or the username is not in the local SAM database. This is done to increase security.)
The above-mentioned process happens once for the user to be able to log on to the network. However, if he now needs to log on to all the different network elements in the network (which could be large in number), he would have to enter the same username and password at the login prompt in the browser. The reason is that each resource is required to independently authenticate the user's identifier and password before entry is granted.
According to the present invention, there is provided a method of accessing a plurality of network elements with at least one network element management program, said method including the steps of capturing a username and a password within said network element management program, and submitting said captured username and password to each of said plurality of network elements so as to effect administrative address privileges for each of said plurality of network elements without re-capturing and/or re-encrypting said username and said password.
In one aspect of the invention this so-called "Auto Login" feature in the network element management system is a function transparent to the user. The purpose of the feature is to capture the username and password of the user in order to log the user into individual network elements without having to re-enter his username and password. With the Auto Login feature the username and password are automatically sent to the network element by the network element management system whenever the user requests access to a network element. If the username/password combination is valid the user is given access; otherwise the user sees a standard "access denied" screen.
The invention will be further described by way of example, with reference to the accompanying drawings, in which:
FIGURE 1 is an exemplary block diagram of a conventional implementation of a network element management system,
FIGURE 2 is a simplified Windows login overview diagram,
FIGURE 3 is a flow chart representation showing the capturing and storing of username and password from the Windows 2000 login,
FIGURE 4 is a flow chart representation showing the retrieval of the stored username and password by the "Auto Login" routine.
The GINA described above as part of the Windows authentication process (located on an element manager) can be replaced in order to develop additional security measures. The main component of the Auto Login feature is in the form of a DLL file (the so-called Auto Login replacement DLL) that replaces the standard Windows GINA. The code skeleton for the DLL is part of the MSDN library.
According to FIGURE 3 as an example, once properly configured, Windows uses the Auto Login replacement DLL located on the element manager to perform all user authentication from the Windows login screen. As part of the replacement DLL code, the username and password entered by the user are captured and stored in a database DB, e.g. in the registry of the Windows operating system located in the element manager, as encoded values.
The network element management system retrieves, decrypts, and passes these values from the element manager to the network element as needed via a standard HTTP header (FIGURE 4). The management system also deletes the encoded username and password from the registry. This information could be overwritten when the next user logs into the system.
The new GINA according to the invention shows the same logon screens and provides all the functionality of the original GINA. The user sees no differences. This makes this solution totally transparent to the user. In this example the current version of Auto Login assumes the client is running on a Windows-based computer. It also assumes the DLL file can be placed onto the client machine in the proper directory (which is c:\winnt\system in most cases) and that the registry and the client machine can be edited by the network element management system.
The following is a list of the functions needed to implement the Auto Login according to the invention in an advanced way:
Initiate Auto Login:
From the user's standpoint Auto Login is initiated automatically any time the user selects the "Get Network Element Parameters" menu option from within the network element management system. Right-clicking on a given network element on the monitor accesses this menu.
Internally, subsystems interface with Auto Login by sending a request message to the Auto Login subroutine. The Auto Login subroutine returns the decrypted username and password.
Encrypt / unencrypt username and password:
Auto Login encrypts the username and password entered by the user. The network element management system also unencrypts the username and password before passing them to the web server on the network element.
Store username and password to registry: The username and password captured by Auto Login are stored on the hard drive for later use by the element manager for the management system. This is done by encrypting the username and password and placing them in the registry.
User authorization: The element manager sends the captured username and password to any network element the user requests to view. It is the responsibility of the network element to authenticate the user and allow or deny access.
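The mechanism above hinges on Winlogon being pointed at a replacement GINA, which is visible in the registry. The following PowerShell audit is an added example (not code from the patent or from Siemens) that a defender can run on a legacy Windows 2000/XP/2003 host to detect a non-default GINA; it assumes the standard Winlogon key, its GinaDLL value, msgina.dll as the default, and that a bare file name is resolved relative to System32.

```powershell
# Added defender-side audit, not part of the patent. Assumptions: Winlogon names the GINA it
# loads in the GinaDLL value of the key below; when the value is absent, the default msgina.dll
# is used; a bare file name is looked up in the System32 directory.
# A replacement GINA such as the Auto Login DLL shows up here as a non-default value.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
$gina = $props.GinaDLL

if ([string]::IsNullOrEmpty($gina)) {
    Write-Output "GinaDLL not set: Winlogon loads the default msgina.dll (Vista and later do not use GINA at all)."
    return
}

# GinaDLL may hold a full path or just a file name; resolve it so the file can be inspected.
$dllPath = if ([System.IO.Path]::IsPathRooted($gina)) { $gina } else { Join-Path $env:SystemRoot "System32\$gina" }

$result = [ordered]@{
    GinaDLL   = $gina
    IsDefault = ($gina -ieq 'msgina.dll')
    Path      = $dllPath
    Exists    = (Test-Path -Path $dllPath)
}

if ($result.Exists) {
    # Hash and Authenticode status allow comparison against a known-good software inventory.
    # Get-FileHash needs PowerShell 4 or later; on older hosts substitute certutil -hashfile.
    $result.SHA256    = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash
    $result.Signature = (Get-AuthenticodeSignature -FilePath $dllPath).Status
}

[PSCustomObject]$result

if (-not $result.IsDefault) {
    # A replacement GINA receives every interactive logon username and password in clear text,
    # so an unexpected value here is a finding to confirm against change records.
    Write-Warning "Non-default GINA configured: $gina. Verify its origin and signature."
}
```

Run it with administrative rights; on an element manager where Auto Login is deployed, also confirm that the registry location holding the encoded credentials is cleared after each session, as the description says it should be.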

Claims

1. A method of accessing a plurality of network elements (NE) with at least one network element management program (NEMP) comprising:
- capturing a username and a password within said network element management program (NEMP),
- submitting said captured username and password to each of said plurality of network elements (NE) so as to effect administrative address privileges for each of said plurality of network elements (NE) without re-capturing said username and said password.
2. A method as claimed in claim 1, further comprising the step of encrypting said username and password within said network element management program (NEMP).
3. A method as claimed in claim 2, further comprising the step of storing the encrypted username and password and decrypting the stored username and password before submitting them to each of said plurality of network elements.
4. A method as claimed in any one of the preceding claims, wherein the plurality of network elements (NE), the at least one network element management program (NEMP) and the network (NET) are arranged according to the Internet Protocol.
5. A method as claimed in claim 4, further comprising the step of sending the captured username and password transparently to at least one of the plurality of network elements (NE) via a web browser.
6. A method as claimed in any one of the preceding claims, wherein the plurality of network elements (NE) and the at least one network element management program (NEMP) are running on the Windows Operating System.
7. A method as claimed in claim 6, characterized in that said method is placed in the Graphical Identification and Authentication (GINA) component of the Windows Operating System.
8. A method as claimed in claim 6 or 7, wherein said encrypted username and password are placed and stored in the registry of said Windows Operating System.
9. A system of accessing a plurality of network elements comprising: at least one element manager (EM) connected to the network elements (NE) via a network for capturing a username and a password and for submitting said captured username and password to each of said plurality of network elements (NE) so as to effect administrative address privileges for each of said plurality of network elements without re-capturing said username and said password.
10. A system as claimed in claim 9, characterized in that said at least one element manager (EM) comprises an encoder (NEMP) for encrypting said captured username and password.
11. A system as claimed in claim 10, further comprising a database (DB) coupled to the network element management program (NEMP) for storing the encrypted username and password.
12. A system as claimed in claim 11, further comprising a decoder (NEMP) for decrypting the stored username and password before submitting them to each of said plurality of network elements (NE).

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
EP03006944 2003-03-26
EP03006944.7 2003-03-26
US42450403P 2003-11-07 2003-11-07
US60/424,504 2003-11-07

Publications (2)

Publication Number Publication Date
WO2004086716A2 true WO2004086716A2 (en) 2004-10-07
WO2004086716A3 WO2004086716A3 (en) 2007-12-21

Family

ID=33099698

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2003/012460 WO2004086716A2 (en) 2003-03-26 2003-11-07 Method and system of accessing a plurality of network elements

Country Status (1)

Country Link
WO (1) WO2004086716A2 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6067623A (en) * 1997-11-21 2000-05-23 International Business Machines Corp. System and method for secure web server gateway access using credential transform
WO2000051031A1 (en) * 1999-02-26 2000-08-31 America Online, Inc. Proxy server augmenting a client request with user profile data

Also Published As

Publication number Publication date
WO2004086716A3 (en) 2007-12-21

Similar Documents

Publication Publication Date Title
US20040139355A1 (en) Method and system of accessing a plurality of network elements
US9998497B2 (en) Managing relationships in a computer system
EP0960500B1 (en) Method for providing secure remote command execution
US7366900B2 (en) Platform-neutral system and method for providing secure remote operations over an insecure computer network
US7062781B2 (en) Method for providing simultaneous parallel secure command execution on multiple remote hosts
EP0998091B1 (en) System and method for web server user authentication
US8695076B2 (en) Remote registration for enterprise applications
JPH11338799A (en) Method and system for controlling network connection
CA2508937A1 (en) Identity management system for automatic user authentication
Ylonen SSH key management challenges and requirements
US8051470B2 (en) Consolidation of user directories
Cisco SSL Introduction
Cisco Configuring Network Access Security
Cisco Controlling Access to the Switch Using Authentication, Authorization, and Accounting
Cisco Certification Authority Interoperability Commands
Cisco Configuring Kerberos
WO2004086716A2 (en) Method and system of accessing a plurality of network elements
Migeon The MIT Kerberos administrators how-to guide
Smith The Windows Server 2003 Security Log Revealed
US20230252137A1 (en) Method and apparatus to detect and manage aberrant use of a software signing, encryption and obfuscation system
Antonelli et al. Access Control in a Workstation-Based Distributed Computing Environment

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): CN US

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase