1
SYSTEM AND METHOD FOR CONTROLLED
ACCESS TO SHARED-MEDIUM PUBLIC
AND SEMI-PUBLIC INTERNET PROTOCOL
(IP) NETWORKS
5
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to information networks and methods of operation. More particularly, the invention relates to 10 a system and method for controlled access to sharedmedium public and semi-public IP networks.
2. Description of the Prior Art
With the vast increase of private, semi-public and public shared-medium IP networks, a growing problem for network :5 and service administrators is how to control and restrict access to the networks only to authorized and registered devices and users. One example of the problem relates to corporate IP network administrators who deal with an increasingly mobile work force that have deployed IP net- 20 work access ports (typically IEEE 802.X or similar medium) throughout their corporate facilities for shared use by their corporate employees. Such shared network access ports work in conjunction with Dynamic Host Control Protocol (DHCP) servers to dynamically assign the appropriate IP 25 address and other parameters to a mobile employee's device. A strong concern in the use of such networks is preventing visitors or unauthorized persons from taking advantage of the exposed network access ports to gain IP connectivity to the internal corporate network (intranet). 30
Another example relates to Internet Service Providers (ISPs) offering public services over shared-medium, such as the increasingly popular cable-modem technology, which in many cases simulates IEEE 802.X medium access over cable TV plants. The distribution medium (cable TV plant) 35 is shared among thousands of homes (users), of which only a subset is paying for internet access using cable modems. The DHCP protocol is also typically used as a means to assign an IP address and other parameters to the cablemodem user attempting to gain network services. In such 40 case, the ISP has a strong interest to prevent unauthorized (non-paying) users from using the IP/internet services by obtaining a usable address for a particular cable plant segment, which is easily accomplished.
Variations of the previous examples also exist using a variety of wire line and wireless access technology and access devices (personal computers, smart internet phones) for internet and intranet services to users sharing a common network medium. 5Q
Prior art related to such examples includes:
U.S. Pat. No. 5,732,137 entitled "Method and Apparatus for Secure Remote Authentication in a Pubic Network", issued Mar. 24, 1998, discloses a method and apparatus for user authentication in a network environment between a 55 client computer (workstation) and a remote destination server coupled to a network. A user operating the client workstation provides a log-in address as anonymous file transfer protocol and a password as the user's e-mail address. The destination server compares the user's e-mail 60 address provided as a password to a list of authorized user addresses. If the user e-mail address provided is not on the destination service list of authorized users' addresses, then the user logon request is automatically denied. If the user's e-mail address is located on the list of authorized user's 65 addresses maintained by the destination server, the destination server generates a random number (X) and encrypts the
2
random number in an ASCII representation using encryption techniques provided by the Internet Privacy-Enhanced Mail (PEM). The encrypted random number is stored in the file as the user's anonymous directory. The server further establishes the encrypted random number as a one-time password for the user. The client workstation initiates a file transfer request to obtain the encrypted PEM random number as a file transfer from the destination server. The destination server then sends the PEM encrypted password's random number as the file transfer file over the internet to the client workstation. The client workstation decrypts the PEM encrypted file utilizing the user's private RSAkey in accordance with established PEM decryption techniques. The client workstation then provides the destination server with the decrypted random number password which is sent in the clear over the internet to log-in to the destination server. Upon receipt of the decrypted random number password, the destination server permits the user to log-in to the anonymous directory thereby completing the user's authentication procedure and accomplishing log-in.
U.S. Pat. No. 5,757,924 entitled "Network Security Device Which Performs MAC Address Translation Without Affecting the IP Address," issued Mar. 26, 1998 discloses a network security device connected between a protected client and a network. The network security device negotiates a session key with any other protected client. The security device is self-configuring and locks itself to the IP address of the client. Thus, the client cannot change its IP address once set and, therefore, cannot emulate the IP address of another client. When a packet is transferred in from the protected host, the security device translates the MAC address of the client to its own MAC address before transmitting the packet into the network. Packets addressed to the host contain the MAC address of the security device. The security device translates its MAC address to the client's MAC address before transmitting the packet to the client.
U.S. Pat. No. 5,774,652 entitled "Restricted Access Computer System," issued Jun. 30, 1998 discloses a general purpose computing platform in a controlled system including a control hardware device and a control software program. The control hardware device is connected to the computing platform into an access-status device such as a coin hopper or the like. The control software program runs on the computing platform and, in a secure mode, replaces the graphical user interface portion of the operating system of the general purpose computing platform. The control hardware device control software program interoperates to allow access to application software programs on the computing program platform only when certain conditions are satisfied. The control hardware device resets the computing platform if the control software program fails to communicate therewith. The control hardware device also restricts operation of the user keyboard therewith. The control hardware device also restricts operation of the user keyboard and display monitor to reduce the possibility of unauthorized use to the computer system.
The prior art for controlled access to networks is implemented in a combination of dedicated hardware control servers and specialized software. Moreover, the prior art requires extensive modifications to end systems or requires specialized and dedicated hardware to be inserted in front of every network client device. Such systems rely on encryption and sophisticated key management system which makes such techniques expensive, inflexible, and not suitable for shared-medium public and semi-public IP networks.
What is needed is a system and method that is applicable to existing and future network access infrastructures which
3
works in conjunction with popular and established IP protocols and communication layer network equipment without requiring any modifications to currently used internet protocols.
5
SUMMARY OF INVENTION
An object of the invention is a system and method which makes it impossible or very difficult for unauthorized devices and users to obtain IP network services on sharedmedium public and semi-public networks.
Another object is a system and method for controlling access to shared-medium public and semi-public networks using standard network protocols and communication layers without modification. 15
Another object is a system and method for preventing unauthorized devices and users from obtaining network services in a dynamic user address environment.
These and other objects, features and advantages are achieved in a system comprising communication layers (OSI 20 2 and 3) and work equipment (routers and/or switches) which work in conjunction with Dynamic Host Control Protocols (DHCP) and Address Resolution Protocols (ARP). Routers and/or switches are configured to disable ARP and IP addresses to MAC addresses on outbound interfaces to 25 network access points. The IP routers and/or switches are configured to accept and forward DHCP requests from user devices to one or more DHCP servers that have access to user and device registration data. In operation at configuration time, authorized users and their authorized devices 30 register for service by providing the DHCP server with user identification for log-in, passwords, MAC addresses, etc. The information is validated and entered into a server database for future authentication queries. When users connect to the network access point, a DHCP exchange is 35 initiated to obtain a valid IP address and other associated parameters. The DHCP client initiates a MAC broadcast for IP addresses which contain in the request, the end user's device MAC address. The associated router/switch picks up and forwards to a DHCP server, the end user's device 40 request. The DHCP server will process the end user's request and extract the end user's device MAC address. With the end user's MAC address, the DHCP server accesses its device, and/or user information in the data base. If the MAC address is not registered, the DHCP server refuses to handle 45 the request, logs the attempt, potentially alerting network operators of a security breach. If the MAC address is registered, the DHCP server selects an appropriate IP address and associated parameters to be returned to the requesting end user and connects via programming or com- 50 mands interface to the router switch that is forwarding the DHCP request on behalf of the end user device. The server adds the ARP IP to the MAC address table entry with the selected IP address and end user's MAC address. The end user device authentication and IP lease are optionally 55 marked as provisional and a timer is started for a suggested duration. Optionally, the DHCP server dynamically sets up filter rules in the router switch limiting access to a subset of IP addresses such as the address of a log-in server. DHCP processing is completed and an IP address is assigned to the 60 requesting end user's device by DHCP. For enhanced security, end users are optionally instructed to access and authenticate themselves through a log-in server within 60 seconds, after obtaining IP connectivity with DHCP. When the end user successfully authenticates the log-in server, the 65 end user can be moved and the DHCP server changes from provisional to full access. When the timer expires, if the
4
DHCP server finds the authenticating user's state is provisional, the server will revoke the IP lease, invalidate the corresponding ARP to MAC table entry in the associated router/switch, and reset any IP permissive filtering for that device. If the DHCP server finds the user in the full authenticated state, the server will simply remove the restrictive filters so the user can enjoy the full range of authorized IP services.
DESCRIPTION OF DRAWINGS
The invention will be further understood from the following detailed description of a preferred embodiment taken in conjunction with the appended drawings, in which:
FIG. 1 is a block diagram of a shared network incorporating the principles of the present invention.
FIG. 2 is a flow diagram for device/user registration for service in the network of FIG. 1.
FIG. 3 is a flow diagram depicting edge router/switch configuration in the network of FIG. 1.
FIG. 4 is a flow diagram for device authentication in the network of FIG. 1.
FIG. 5 is a flow diagram for successful device authentication in FIG. 4.
FIG. 6 is a flow diagram DHCP lease expiration in the operation of the network in FIG. 1.
FIG. 7 is a flow diagram depicting the operation of a provisional timer in FIG. 4 upon expiration of the timer.
DESCRIPTION OF PREFERRED EMBODIMENT
In FIG. 1, a plurality of mobile/dynamic end user devices 101, . . . 10"; 121, . . . 12", etc., for example PC's, internets, smart phones, etc., are connected to a shared-medium network 14 which prevents unauthorized devices and users from obtaining network services. The devices 10, 12 are connected to the network 14 through a layered communication system, e.g., TCP/IP Open System Interconnection (OSI) using layers 2 and 3. The devices 10,12 are connected to the network at access ports 201, . . . 20", typically IEEE 802.X or similar medium in which the data link layer 2 includes a Medium Access Control (MAC) sublayer for gaining access to the network. In one form, the sharedmedium network is a distributed information s stem using Internet protocols. However, the present invention is adaptable to other non-IP and/or non-DHCP protocol and network technologies that use MAC principles. Alternatively, the end user devices may be part of a cable TV plant which uses Cable Modem (CM) technology which, in many cases, simulates IEEE 802.X medium access over the cable TV plant. In some cases, the cable plant is connected to the network 14 at a Cable Modem (CM) Network Interface Card (NIC) (not shown).
Each access port 201, . . . 20" is coupled to an edge router/switch 221, . . . 22" which choose the best path for a message to the selected destination by dynamic routing. Such routers function at the network layer 3 of the OSI mode. The routers 221, . . . 22" are connected through network links 241,. . . 24" to one or more core router switch 26 which serves as the network backbone. The system includes a program that controls the operation of the network and communicates with the access ports or Network Interface Cards (NIC). The router 26 is coupled through a network link 28 to a Dynamic Host Control Protocol (DHCP) server 30 which automatically assigns TCP/IP configuration information to end user devices, such as Windows and UNIX clients. When a client needs to start up
5
TCP/IP operation, the client broadcasts a request for address information. The DHCP server assigns a new address and sends it to the client together with the address of a router on the same network as the DHCP server and the subnet match for that network. This information is acknowledged by the 5 client and is used to set up its configuration. Examples of DHCP servers are Viacomsoft DHCP Server, Mountain View, Calif, and the IBM DHCP Server for AIX. The server 30 is coupled to a database or sets up configuration data files 32 which include the authorized user identification for log-in; user password; allowable shared network segments to users allowed to connect to the device, and device medium access control address such as the 6 hex digit IEEE 802.X MAC address of a personal computer (PC) or Cable Modem (CM) network interface card. Optionally, the server 30 may be connected through network link 34 to an authen- 15 tication server 36 which interacts with a user log-in database 38. After validation of the user information in the database 32, the user information is entered into the database 38 for future authentication queries. The authentication server is a suite of custom built or commercial software and hardware 20 that manages access to the network. Example of an authentication server are Safe Word Authentication Server, manufactured and sold by Secure Corporation, San Jose, Calif, and the Radius Server of the IBM Subscriber Management System. 25
Network Service Provider Administrators configure all the edge routers 221, . . . 22" to disable automatic resolution of IP addresses to MAC addresses on outbound interfaces to shared-medium network accesses ports. As such, an Address Resolution Protocol (ARP) is used disabled for these inter- 30 faces. The ARP is a TCP/IP protocol that dynamically binds a network layer IP address to a data link layer physical hardware address. The ARP maps an internet protocol address to a physical machine address that is recognized in the local network. The physical machine address is also 35 known as the MAC address. A table, usually called the cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides protocol rules for making this correlation and providing address conversion in both directions. When an incoming 40 packet destined for a home machine or a particular Local Area Network (LAN) arrives at a gateway or router, the router asks the ARP program to define a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides 45 it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all machines on the network to see if one machine knows that it has the IP address associated with it. 50 The machine that recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for future reference, then sends the packet to the MAC address that replied.
The network service administrator provides remote com- 55 mands to specific interfaces of routers and switches. The commands recommend the router/switch or interface startup time, the entire ARP table for the interface being initialized with invalid entries such as Hex-FFFFF on most IEEE 802.X interfaces. In addition, the network service adminis- 60 trator configures the edge IP routing switch gear to accept and forward DHCP requests from user devices to one or more DHCP servers that have access to the user and device registration data described in connection with the database 38. When users connect or power on their devices on the 65 shared-medium network access ports 201, . . . 20" the following operation takes place as described in FIGS. 2-7.
6
In FIG. 2, an operation 202 is performed in which the authorized users and their authorized access devices register for service by providing such information 200, as user identification for log-in, user password, and allowable shared network segments the user is allowed to connect that device, and MAC address, such as the 6-hex digit IEEE 802.X MAC address of a Personal Computer (PC), or Cable Modem (CM) Network Interface Card (NIC). The information is validated in an operation 202 and entered in a database 38 (see FIG. 1) for future authentication.
In FIG. 3, the network service administrators perform an edge router/switch configuration operation 230 in which the service or network is initialized in an operation 302. A test 304 is performed to enable an optional high speed network re-start. A "no" condition initiates an operation 306 which disables the ARP and invalidates unused ARP entries on edge router outbound interfaces. A "yes" condition initiates an operation 308, which accepts DHCP requests for all devices with ARP enabled for a start-up time period. An operation 310 scans the DHCP table for unregistered entries; invalidates ARP entries and provides a log/alert if any are found and transfers to the operation 306 after disabling of the ARP the configuration operation terminates.
In FIG. 4, a device authentication process 400 is initiated in an operation 402 when the end user device connects to the network access port and powers on. In an operation 404, the end user device such as a PC or CM will initiate a DHCP exchange in an attempt to obtain a valid IP address and other associated parameters. The first part of the exchange, is a MAC broadcast DHCP request for IP address, which contains in the request the end user's device MAC address.
In an operation 406, the associated edge router/switch will pick up and forward to the DHCP server 30 (see FIG. 1) the end user's devices DHCP request. At this point, no IP traffic is yet taking place between the edge router/switch and the end user device; therefore, ARP to MAC conversion is not needed. In an operation 408, the DHCP server will process the end user's device DHCP request and extract the end user's device MAC address from the database 32 (see FIG.
!)•
A test 410 is performed to determine whether the MAC address is registered. A "no" condition initiates an operation 412 in which the end user's device MAC address, the DHCP server access devices and/or user information is checked in the service database 32. If the MAC address is invalid, that is, not previously registered, the DHCP server refuses to handle the request, and logs the attempt, potentially alerting network operators of a possible security breach and the process ends. If the MAC address is valid, that is belongs to a registered user, a "yes" condition for the test 410 activates the DHCP server in an operation 414, selects an appropriate IP address and associated parameters to be returned to the requesting end user device.
In an operation 416, the DHCP server connects via a programming or command interface to the end router/switch that is forwarding the DHCP request on behalf of the end user device. The DHCP server adds an ARP IP to the MAC address table entry with the selected IP address and the end user's device MAC address.
A test 418 is performed to authenticate the end user. A "no" condition transfers the program to entry point "A" shown in FIG. 5 in which the user successfully authenticates in an operation 501 and the DHCP sets the user authenticated state to "full", after which the process transfer to entry point C in FIG. 4.
Returning to FIG. 4, a "yes" condition for the test 418 initiates an operation 420 in which the DHCP server sets an
|
