WO2003034687A1 - Method and system for securing computer networks using a dhcp server with firewall technology - Google Patents


Info

Publication number
WO2003034687A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
mac
address
access
dhcp server
Application number
PCT/NO2002/000380
Other languages
French (fr)
Inventor
Torgeir Hansen
Eystein Grusd
Thomas Mehlum
Original Assignee
Secure Group As
Priority claimed from NO20015093A (NO20015093D0)
Application filed by Secure Group As
Publication of WO2003034687A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • The present invention relates to network communications, and in particular to a system and method for securing computer networks.
  • Firewalls have become an important part of network design, as networks and servers contain valuable information which shall not be destroyed or otherwise tampered with in an unauthorized way. Also, a firewall provides secure access from a secure computer network to open networks, like the Internet.
  • In Figure 1, a network system which is a combination of a secure and an insecure network is shown.
  • The insecure part of the network is in Figure 1 constituted by an Internet or WAN (Wide Area Network) architecture, and the secure part is a LAN (Local Area Network), a typical network in a corporation.
  • The computers on the LAN side are protected by firewalls, controlling client machines requesting access to the LAN and allowing communication and access to systems on the insecure network from the secure part of the network.
  • The firewall includes an Internet Protocol (IP) layer.
  • IP Internet Protocol
  • Present firewalls often have static protection of the IP/MAC (Media Access Control) address, and are therefore especially vulnerable to IP/MAC spoofing.
  • DHCP Dynamic Host Control Protocol
  • The system administrator assigns a range of IP addresses to DHCP, and each client on the LAN has TCP/IP software configured to request an IP address from the DHCP server.
  • The request and grant process uses a lease concept with a controllable time period.
  • The opportunities for unauthorized machines connecting to the network are large.
  • A laptop could e.g. be plugged into a network contact nearly anywhere, be assigned an IP address and gain access to the network.
  • Networks may also be secured by a borderwall, and this technology will then only give access to certain IP addresses. However, for an ill-natured hacker, or an employee, not much effort is required to access the unprotected parts of the network.
  • Virus creation kits, hostile chat software, network sniffer software, logical bombs and remote access tools all compromise the network security from inside, and are seldom detected by any computer virus software. To be able to detect many of these programs you need to be a specialist in computer security with a wide knowledge of hacker software.
  • The present invention is conceived to solve the security problem in open networks and provide better security in network solutions.
  • The invention provides a method for securing computer networks from unauthorized access, the network comprising a DHCP server with firewall technology.
  • The method includes authenticating a machine requesting access to the network on DHCP level by using a combination of the MAC address and IP address for the requesting machine. If the machine has an allowed combination of MAC and IP address, the firewall in the DHCP server is opened for traffic for a certain time period. However, if the combination of MAC and IP address does not exist, access is denied.
  • A description database on the DHCP server comprises combinations of MAC addresses and IP addresses that will give access to the network, and authentication is performed by comparing, in a server processor, the combination of the MAC address and IP address for the requesting machine with the allowed MAC and IP addresses in the description database.
  • The authentication step first comprises comparing the MAC address of the requesting machine with the MAC addresses stored in the database, and if a match occurs, checking whether the machine has requested an IP, and if an IP has been requested, secondly comparing the IP address with the IP addresses assigned to the MAC address stored in the database.
  • The server has the ability to monitor an insecure part of the network, providing an overview of all clients in said network part requesting access to the network. Access for a new client machine to the network is given by adding the MAC and IP address pair to a description database on the DHCP server. Withdrawal of access allowance for a client machine is achieved by deleting the MAC and IP address from the description database on the DHCP server. Network activity is monitored and the data collected is analyzed in an analyzer means.
  • The server/firewall and authentication are managed via an administration interface. This is a web interface only available from a machine in a secure part of the network. Addition and deletion of MAC and IP addresses in the description database is then effectuated by a mouse-click.
  • The invention provides a system securing computer networks from unauthorized access, the network comprising a DHCP server with firewall technology.
  • An administration interface in a client computer in a secure part of the network controls access to the network and controls both the DHCP server and the firewall.
  • Authenticating means authenticate clients requesting access to the network, and the authentication is performed on DHCP level by using a combination of the MAC and IP address for the client machine requesting access to the network.
  • The administration interface also provides a log of activities on the network.
  • A program means may also be provided, opening the firewall in the DHCP server for traffic for a certain time period, for the machine requesting access, for an allowed combination of MAC and IP address.
  • An alarm means may be included, forwarding an alarm signal to the administration interface, creating a log and/or sending an SMS whenever unauthorized access is detected.
  • The invention provides a computer program product for a data processing system comprising a computer readable medium, having thereon computer readable program means which, when loaded into an internal memory of a data processing system, makes the data processing system perform the method as outlined above.
  • A computer program product for a data processing system comprising computer readable code means which, when loaded into an internal memory of a data processing system, makes the data processing system perform the inventive method.
  • The present invention provides a unique way of authenticating all users in a network, and also allows simple administration of users that shall have access, temporary or permanent, to the local network.
  • In short, the present invention provides a more secure wireless network, fully automatic installation of the product, simple addition and deletion of users, the possibility for temporary users, user authentication on DHCP level in both wireless and cable networks, and cheap "burglar insurance".
  • All administration of the system is done through a web interface, simplifying the administration of both the DHCP server and the firewall.
  • In known security tools, administration of normal DHCP servers and firewalls is done in separate products.
  • In the present invention, one single interface controls both the DHCP server and the firewall.
  • In prior art products the allowed MAC addresses had to be added manually to the database, and the configuration of the firewall and the editing of the text files belonging to the DHCP server were performed in separate operations.
  • The present invention secures access to the network and the assignment of IP addresses. Both the MAC and IP address must have a matching pair in the DHCP database for gaining access to the network. A vast number of MAC addresses exist, and it is almost impossible to guess a new MAC address. The invention is stated in the appended claims.
  • Figure 1 shows a computer network combination of a WAN/Internet and LAN network with known firewall architecture.
  • Figure 2 shows a network in which the present invention has been implemented.
  • Figure 3 is a flow chart of the authentication procedure according to an embodiment of the invention.
  • The inventive security system may be implemented in e.g. a LAN (Local Area Network) architecture, as shown in Figure 2.
  • The LAN is connected to a WAN (Wide Area Network) or the Internet.
  • The network architecture may also be wireless, as shown with the flash in Figure 2.
  • The client computers in the LAN are not limited to personal computers or laptops, as pictured in the drawings, but can be constituted by terminals, microprocessors etc.
  • An administration interface is accessed from any one of the client computers in a secure part of the network, the LAN side in Figure 2.
  • The secure network in this context is defined as the network that is to be protected.
  • The secure network is generally the network containing services that one wants to protect. Such services clients want protected are e.g. servers, access to local networks, Internet access etc. Even though the Internet in itself is insecure, the Internet is defined as secure when it is to be protected. Clients requesting authentication are defined as being on an insecure network.
  • The LAN is defined as secure, and the Internet/WAN as insecure. Clients requesting access to the LAN network in Figure 2 will be subject to the security system implemented in the S-DHCP server.
  • The security system comprises a modified and optimized DHCP server (S-DHCP in Figure 2) and an administration interface on one of the clients in the LAN in Figure 2.
  • S-DHCP: modified and optimized DHCP server
  • The firewall in Figure 1 is replaced by the S-DHCP in Figure 2.
  • A client requesting access to the secure network (LAN in Figure 2), by trying to connect to the network from e.g. the Internet side or through one of the clients on the LAN side of the network, e.g. a laptop within the range of a wireless network or a login procedure from a terminal in a cable network, will be subject to an authentication procedure.
  • The present invention authenticates the users on DHCP level by using the MAC (Media Access Control) addresses, and by using the combination of MAC and IP address.
  • All network cards in client computers have a unique MAC address identifying the client in which the network card is installed.
  • An example of a MAC address is: MAC: 00:50:56:01:00:00.
  • The modified DHCP server comprises a description database controlled by the administration interface.
  • The description database contains information regarding the client machines having access to the network.
  • The description database in the DHCP server holds information regarding the MAC addresses and the combinations of MAC and IP addresses having access to the network at the time a request for access is received by the DHCP server. Machines with MAC addresses not in the description database will be denied access.
  • A specific IP address or addresses are assigned to each MAC number and stored in the database. An example of such a combination is: MAC: 00:50:56:01:00:00, IP: 10.10.10.57. Only machines having the correct combination of MAC and IP address will gain access to the network.
  • The authentication procedure is illustrated in the flow chart in Figure 3.
  • A client on the Internet side of the network trying to access the LAN (the case in Figure 2) will send a DHCP call together with an IP address to the S-DHCP server.
  • A machine requesting access to a network will always try to be assigned the same IP address as in the last request. Accordingly, an IP address is also submitted to the S-DHCP server.
  • An S-DHCP server processor first checks whether the MAC address of the requesting client matches a MAC address in the server database. If the MAC address exists in the database, the next step in the authentication procedure is initiated. The server checks whether the client machine has requested an IP. If an IP has been requested, the server checks whether that MAC address has an assigned IP address in the server database. If the MAC and IP address pair exists in the database, the firewall is opened for that machine for a short time period. If the machine requests with a MAC/IP pair not in the database, the firewall is not opened, and access is denied. Access is always denied and the next step is not initiated if a step results in the answer "no", as shown in Figure 3.
  • The DHCP server in the present invention is configured in an optimal way, but is in other respects a normal DHCP server. This configuration is achieved with a standard DHCP server, but with specially designed applications, together providing the desired security aspects.
  • A Linux based system is used.
  • DHCP Distribution server software from ISC (Internet Software Consortium) is then used, as it is the de facto DHCP server standard on Unix/Linux machines.
  • The ISC's DHCP Distribution software provides a freely redistributable reference implementation of all aspects of the DHCP protocol. (See also http://www.isc.org/products/DHCP/ which is hereby included by reference.)
  • The Linux software also has built-in firewall functionality.
  • The inventive DHCP server with Linux firewall and inventive software functions as a firewall between the two segments, i.e. a secure and an insecure network as shown in Figure 2.
  • Specially designed software executes the authentication procedure outlined above. This software is stored in a memory on the S-DHCP server. The functions of the applications executing the present invention as described above are listed in the following.
  • ipmac monitors the "raw" network traffic logged by the S-DHCP server.
  • The MAC address is embedded in the IP traffic from a client, and from this logging the MAC address can be identified. By this monitoring, all clients trying to connect to the network with unauthorized IP/MAC addresses will be detected.
  • ipmac then provides blocking of the S-DHCP Linux firewall for these clients on the network. This blocking is provided by an application ipclose.
  • ipmac requests information concerning authorized IP/MAC address pairs from the description database stored in a server memory.
  • ipclose enables the firewall which blocks traffic from selected machines through the server web interface.
  • ipopen opens traffic from selected machines through the server web interface.
  • newip is an application used when the DHCP server configuration has been changed.
  • The program runs the application makedhcpconf (described later), restarts the DHCP Distribution server software and instructs the ipmac application to reread all the IP addresses and MAC addresses.
  • activecheck is an application run regularly to check whether the authorized machines are actually on the secure network. If any of these machines is not logged on the network, the assigned IP address is blocked in the firewall on the DHCP server. When these machines are again detected on the network, they will be subject to the authorization procedure before being given access to the network again.
  • makedhcp is a program building the configuration files for the DHCPD server.
  • tracedhcp is a program tracking the DHCPD and detecting when a new client is requesting authentication.
  • The application provides opening of the firewall to an extent enabling the authentication procedure to be performed for the client.
  • The administration tool with web interface in the secure network has two main functions: 1) adding authenticated IP/MAC addresses to the server database, and 2) providing a logging function when unauthorized access is detected.
  • The network administrator uses the administration interface to control access to the secure network.
  • The administration interface is a web interface providing a readily intuitive overview of all machines "seen" on the "insecure" network, and certain machines may then be given access to the "secure" network by e.g. a click of a mouse. By this action the IP/MAC address pair is automatically added to the description database in the S-DHCP server.
  • The database is then used as basis information for the application makedhcp, building an S-DHCP configuration file containing information on authorized IP/MAC address pairs.
  • The authenticated client machine will then be given access to the secure network. Also, a client computer that shall no longer have access to the network may be deleted accordingly by a mouse-click in the web administration interface. This causes the IP/MAC address pair for the client computer in question to be removed from the S-DHCP server database, and then accordingly from the S-DHCP configuration file.
  • The authentication system in the DHCP server sends an alarm via SMS and/or sends a message signal to the administration interface, which creates a log of the incident.
  • The web interface provides easy management of the machines allowed on the secure network, and machines may easily be added or deleted by the click of a mouse. A message is then immediately sent to the description database in the firewall on the DHCP server, which is then updated. This also provides the possibility for temporary users.
  • The product may be delivered to the customer on a computer readable medium, e.g. a CD-ROM or floppy disk, together with two network cards, that can be installed by the customer on any of the client machines in the network to be protected, i.e. a network defined as secure.
  • Any network can be protected, including Internet, WAN, customer network or LAN.
  • The software itself may also be transferred via a network, e.g. the Internet.
  • The installation interface is intuitive and easy to use and only demands that the user has IP addresses available, the type of network card, and whether any SCSI cards should be used in the machine from which installation is performed.
  • The DHCP server in the network to be protected is modified and optimized to provide the specified security function. After installation all network administration is performed through the web interface as explained above.

Abstract

A method and system for securing computer networks from unauthorized access is described. The network comprises a DHCP server with firewall technology, and authentication of a client requesting access to the network is performed on DHCP level by using a combination of the MAC address and IP address for the requesting client. Only clients with allowed combinations of the MAC and IP address are given access to the network through the DHCP server in a certain time period.

Description

Method and system for securing computer networks using a DHCP server with firewall technology
INTRODUCTION
The present invention relates to network communications, and in particular to a system and method for securing computer networks.
BACKGROUND
Today, computer networks are secured against hackers and other unauthorized access through various forms of firewall technology. Firewalls have become an important part of network design, as networks and servers contain valuable information which shall not be destroyed or otherwise tampered with in an unauthorized way. Also, a firewall provides secure access from a secure computer network to open networks, like the Internet.
In Figure 1, a network system which is a combination of a secure and an insecure network is shown. The insecure part of the network is in Figure 1 constituted by an Internet or WAN (Wide Area Network) architecture, and the secure part is a LAN (Local Area Network), a typical network in a corporation. The computers on the LAN side are protected by firewalls, controlling client machines requesting access to the LAN and allowing communication and access to systems on the insecure network from the secure part of the network. The firewall includes an Internet Protocol (IP) layer. Present firewalls often have static protection of the IP/MAC (Media Access Control) address, and are therefore especially vulnerable to IP/MAC spoofing.
Also, the number of wireless networks is increasing, and subcontractors of these networks have not taken account of the fact that such networks are open to absolutely anyone if one is within a certain range. An example of a wireless network is shown in Figure 2 (flash).
DHCP (Dynamic Host Control Protocol) is today used in most networks. DHCP is a protocol for dynamically allocating IP-addresses to computers on a local area network. The system administrator assigns a range of IP addresses to DHCP, and each client on the LAN has TCP/IP software configured to request an IP address from the DHCP server. The request and grant process uses a lease concept with a controllable time period. The opportunities for unauthorized machines connecting to the network are large. A lap-top could e.g. be plugged into a network contact nearly anywhere, be assigned IP-addresses and gain access to the network.
Networks may also be secured by a borderwall, and this technology will then only give access to certain IP-addresses. However, for an ill-natured hacker, or an employee, not much effort is required to access the unprotected parts of the network.
Also, virus creation kits, hostile chat software, network sniffer software, logical bombs, remote access tools, all compromise the network security from inside, and are seldom detected by any computer virus software. To be able to detect many of these programs you need to be a specialist in computer security with a wide knowledge of hacker software.
There is therefore a need for controlling and monitoring the network more carefully than in the present methods.
SUMMARY OF THE INVENTION
The present invention is conceived to solve the security problem in open networks and provide better security in network solutions.
In accordance with a first aspect the invention provides a method for securing computer networks from unauthorized access, the network comprising a DHCP server with firewall technology. The method includes authenticating a machine requesting access to the network on DHCP level by using a combination of the MAC address and IP address for the requesting machine. If the machine has an allowed combination of the MAC and IP address, the firewall in the DHCP server is opened for traffic in a certain time period. However, if the combination of MAC and IP address does not exist, access is denied.
A description database on the DHCP server comprises combinations of MAC addresses and IP addresses that will give access to the network, and authentication is performed by comparing, in a server processor, the combination of the MAC address and IP address for the requesting machine with the allowed MAC and IP addresses in the description database. The authentication step first comprises comparing the MAC address of the requesting machine with the MAC addresses stored in the database, and if a match occurs, checking whether the machine has requested an IP, and if an IP has been requested, secondly comparing the IP address with the IP addresses assigned to the MAC address stored in the database.
The server has the ability to monitor an insecure part of the network, providing an overview of all clients in said network part requesting access to the network. Access for a new client machine to the network is given by adding the MAC and IP address pair to a description database on the DHCP server. Withdrawal of access allowance for a client machine is achieved by deleting the MAC and IP address from the description database on the DHCP server. Network activity is monitored and the data collected is analyzed in an analyzer means.
The server/firewall and authentication are managed via an administration interface. This is a web interface only available from a machine in a secure part of the network. Addition and deletion of MAC and IP addresses in the description database is then effectuated by a mouse-click.
In a second aspect the invention provides a system securing computer networks from unauthorized access, the network comprising a DHCP server with firewall technology. An administration interface in a client computer in a secure part of the network controls access to the network and controls both the DHCP server and firewall. Authenticating means authenticates clients requesting access to the network, and the authentication is performed on DHCP level by using a combination of the MAC and IP address for the client machine requesting access to the network. The administration interface also provides a log of activities on the network.
A program means may also be provided opening the firewall in the DHCP server for traffic in a certain time period, for the machine requesting access, for an allowed combination of MAC and IP address. An alarm means may be included forwarding an alarm signal to the administration interface creating a log and/or sending an SMS whenever unauthorized access is detected.
In a third aspect the invention provides a computer program product for a data processing system comprising a computer readable medium, having thereon a computer readable program means which, when loaded into an internal memory of a data processing system, makes the data processing system perform the method as outlined above. There is also provided a computer program product for a data processing system comprising computer readable code means which, when loaded into an internal memory of a data processing system, makes the data processing system perform the inventive method.
The present invention provides a unique way of authenticating all users in a network, and also allows simple administration of users that shall have access, temporary or permanent, to the local network. In short, the present invention provides:
• a more secure wireless network.
• fully automatic installation of the product.
• ability of simple addition and deletion of users
• possibility for temporary users
• user authentication on DHCP level, both in wireless and cable networks
• cheap "burglar insurance"
All administration of the system is done through a web interface, simplifying the administration of both the DHCP server and the firewall. In known security tools, administration of normal DHCP servers and firewalls is done in separate products. In the present invention, one single interface controls both the DHCP server and the firewall. In prior art products the allowed MAC addresses had to be added manually to the database, and the configuration of the firewall and the editing of the text files belonging to the DHCP server were performed in separate operations.
The present invention secures access to the network, and the assignment of IP-addresses. Both the MAC and IP address must have a matching pair in the DHCP database for gaining access to the network. A vast number of MAC addresses exist, and it is almost impossible to guess a new MAC address. The invention is stated in the appended claims.
BRIEF DESCRIPTION OF DRAWINGS
Embodiments of the present invention will now be described with reference to the drawings, which, as mere examples without limitations, show some designs related to this invention.
Figure 1 shows a computer network combination of a WAN/Internet and LAN network with known firewall architecture, Figure 2 shows a network in which the present invention has been implemented, and
Figure 3 is a flow chart of the authentication procedure according to an embodiment of the invention.
DETAILED DESCRIPTION
The inventive security system may be implemented in e.g. a LAN (Local Area Network) architecture, as shown in Figure 2. In Figure 2 the LAN is connected to a WAN (Wide Area Network) or the Internet. The network architecture may also be wireless, as shown with the flash in Figure 2. The client computers in the LAN are not limited to personal computers or lap-tops, as pictured in the drawings, but can be constituted by terminals, microprocessors etc. An administration interface is accessed from any one of the client computers in a secure part of the network, the LAN side in Figure 2.
The secure network in this context is defined as the network that is to be protected. Dependent on the configuration and/or location, the secure network is generally the network containing services that one wants to protect. Such services clients want protected are e.g. servers, access to local networks, Internet access etc. Even though the Internet in itself is insecure, the Internet is defined as secure when it is to be protected. Clients requesting authentication are defined as being on an insecure network. In Figure 2 the LAN is defined as secure, and the Internet/WAN as insecure. Clients requesting access to the LAN network in Figure 2 will be subject to the security system implemented in the S-DHCP server.
The security system comprises a modified and optimized DHCP server (S-DHCP in Figure 2) and an administration interface on one of the clients in the LAN in Figure 2. (The firewall in Figure 1 is replaced by the S-DHCP in Figure 2.) A client requesting access to the secure network (LAN in Figure 2), by trying to connect to the network from e.g. the Internet side or through one of the clients on the LAN side of the network, e.g. a laptop within the range of a wireless network or a login procedure from a terminal in a cable network, will be subject to an authentication procedure.
Authentication
The present invention authenticates the users on DHCP level by using the MAC (Media Access Control) addresses, and by using the combination of MAC and IP address. All network cards in client computers have a unique MAC address identifying the client in which the network card is installed. An example of a MAC address is: MAC: 00:50:56:01:00:00.
The modified DHCP server comprises a description database controlled by the administration interface. The description database contains information regarding the client machines having access to the network. The description database in the DHCP server holds information regarding the MAC addresses and the combinations of MAC and IP addresses having access to the network at the time a request for access is received by the DHCP server. Machines with MAC addresses not in the description database will be denied access. In the present system a specific IP address or addresses are assigned to each MAC number and stored in the database. An example of such a combination is: MAC: 00:50:56:01:00:00, IP: 10.10.10.57. Only machines having the correct combination of MAC and IP address will gain access to the network.
The authentication procedure is illustrated in the flow chart in Figure 3. A client on the Internet side of the network trying to access the LAN (the case in Figure 2), will send a DHCP call together with an IP address to the S-DHCP server. A machine requesting access to a network will always try to be assigned the same IP address as in the last request. Accordingly, an IP address is also submitted to the S-DHCP server.
An S-DHCP server processor first checks whether the MAC address of the requesting client matches a MAC address in the server database. If the MAC address exists in the database, the next step in the authentication procedure is initiated. The server checks whether the client machine has requested an IP address. If an IP address has been requested, the server checks whether that MAC address has that IP address assigned to it in the server database. If the MAC and IP address pair exists in the database, the firewall is opened for that machine for a short time period. If the machine requests with a MAC/IP pair not in the database, the firewall is not opened, and access is denied. As shown in Figure 3, whenever a step results in the answer "no", access is denied and the next step is not initiated.
S-DHCP server
The DHCP server in the present invention is configured in an optimal way, but is in other respects a normal DHCP server. This configuration is achieved with a standard DHCP server together with specially designed applications, which together provide the desired security properties. In one embodiment of the invention a Linux based system is used. The DHCP Distribution server software from ISC (Internet Software Consortium) is then used, as it is the de facto standard DHCP server on Unix/Linux machines. ISC's DHCP Distribution software provides a freely redistributable reference implementation of all aspects of the DHCP protocol. (See also http://www.isc.org/products/DHCP/ which is hereby included by reference.) Linux also has built-in firewall functionality. The inventive DHCP server, with the Linux firewall and the inventive software, functions as a firewall between the two segments, i.e. the secure and the insecure network, as shown in Figure 2.
Specially designed software executes the authentication procedure outlined above. This software is stored in a memory on the S-DHCP server. The functions of the applications that carry out the present invention as described above are listed in the following.
ipmac: monitors the "raw" network traffic logged by the S-DHCP server. The MAC address is carried in the IP traffic from a client, and from this logging the MAC address can be identified. By this monitoring, all clients trying to connect to the network with unauthorized IP/MAC addresses are detected. ipmac then blocks these clients in the S-DHCP Linux firewall. The blocking itself is performed by the application ipclose. ipmac obtains the authorized IP/MAC address pairs from the description database stored in the server memory.
ipclose: enables the firewall rules that block traffic from machines selected through the server web interface.
ipopen: opens traffic from machines selected through the server web interface.
newip: application used when the DHCP server configuration has been changed. The program runs the application makedhcpconf (described later), restarts the DHCP Distribution server software and instructs the ipmac application to reread all the IP addresses and MAC addresses.
activecheck: application run regularly to check whether the authorized machines are actually present on the secure network. If any of these machines is not seen on the network, its assigned IP address is blocked in the firewall on the DHCP server. When such a machine is again detected on the network, it is subject to the authorization procedure again before being given access to the network.
makedhcp: program building the configuration files for the DHCPD server.
tracedhcp: a program tracking the DHCPD and detecting when a new client is requesting authentication. The application provides opening of the firewall to an extent enabling the authentication procedure to be performed for the client.
remipconfirm: application reading/writing to the DHCP description database containing the allowed IP and MAC addresses.
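The Figure 3 decision chain and the ipmac/activecheck applications listed above, as an added Python example; this is not the patent's software, and the sample database contents, the 60-second opening period and the function names are assumptions made here.

```python
from dataclasses import dataclass, field

# Description database (constructed sample, not the patent's data):
# MAC address -> set of IP addresses assigned to that MAC.
DESCRIPTION_DB = {
    "00:50:56:01:00:00": {"10.10.10.57"},
    "00:50:56:01:00:01": {"10.10.10.58", "10.10.10.59"},
}

OPEN_SECONDS = 60  # assumed length of the "short time period"


@dataclass
class Firewall:
    """Time-limited allow rules per IP (ipopen) plus an explicit block list (ipclose)."""
    open_until: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    alarms: list = field(default_factory=list)  # stands in for the SMS/log signal

    def ipopen(self, ip, now, seconds=OPEN_SECONDS):
        self.blocked.discard(ip)
        self.open_until[ip] = now + seconds

    def ipclose(self, ip):
        self.open_until.pop(ip, None)
        self.blocked.add(ip)

    def is_open(self, ip, now):
        return ip not in self.blocked and self.open_until.get(ip, 0) > now


def authenticate(db, fw, mac, requested_ip, now):
    """Figure 3: MAC known? -> IP requested? -> pair assigned to that MAC?
    Any 'no' denies access and raises an alarm. The MAC/IP pair is whatever
    the client presents; this is a membership test, not a cryptographic proof."""
    if mac not in db:
        fw.alarms.append(("unknown-mac", mac, requested_ip))
        return False
    if requested_ip is None:
        fw.alarms.append(("no-ip-requested", mac, None))
        return False
    if requested_ip not in db[mac]:
        fw.alarms.append(("bad-pair", mac, requested_ip))
        return False
    fw.ipopen(requested_ip, now)
    return True


def ipmac(db, fw, frames):
    """Scan observed (mac, ip) pairs from logged traffic; block every pair the
    description database does not hold. Returns the offending pairs."""
    hits = []
    for mac, ip in frames:
        if ip not in db.get(mac, ()):
            fw.ipclose(ip)
            fw.alarms.append(("ipmac", mac, ip))
            hits.append((mac, ip))
    return hits


def activecheck(db, fw, seen_macs):
    """Block the assigned IPs of authorized machines not currently seen on the
    network; they must re-authenticate when they reappear."""
    absent = []
    for mac, ips in db.items():
        if mac not in seen_macs:
            for ip in ips:
                fw.ipclose(ip)
                absent.append(ip)
    return sorted(absent)
```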
The administration tool with web interface in the secure network has two main functions: 1) adding authenticated IP/MAC addresses to the server database, and 2) providing a logging function when unauthorized access is detected. The network administrator uses the administration interface to control access to the secure network. The administration interface is a web interface providing an intuitive overview of all machines "seen" on the "insecure" network, and selected machines may then be given access to the "secure" network by e.g. a click of a mouse. By this action the IP/MAC address pair is automatically added to the description database in the S-DHCP server. The database is then used as the basis for the application makedhcp, which builds an S-DHCP configuration file containing the authorized IP/MAC address pairs. The authenticated client machine is then given access to the secure network. Likewise, a client computer that shall no longer have access to the network may be deleted by a mouse-click in the web administration interface. This removes the IP/MAC address pair of the client computer in question from the S-DHCP server database and accordingly from the S-DHCP configuration file.
When a client computer requests access to the system with an IP address or a MAC address or a combination of a MAC and IP address that is not already held in the server database, the authentication system in the DHCP server sends an alarm via SMS and/or sends a message signal to the administration interface which creates a log of the incident.
The web interface provides easy management of the machines allowed on the secure network, and machines may easily be added or deleted by the click of a mouse. A message is then immediately sent to the description database in the firewall on the DHCP server, which is then updated. This also provides the possibility for temporary users.
The product may be delivered to the customer on a computer readable medium, e.g. a CD-ROM or floppy disk, together with two network cards, and can be installed by the customer on any of the client machines in the network to be protected, i.e. the network defined as secure. Any network can be protected, including the Internet, a WAN, a customer network or a LAN. The software itself may also be transferred via a network, e.g. the Internet. The installation interface is intuitive and easy to use and only requires that the user has the IP addresses available, knows the type of network card, and knows whether any SCSI cards are used in the machine from which installation is performed. Upon installation the DHCP server in the network to be protected is modified and optimized to provide the specified security function. After installation all network administration is performed through the web interface as explained above.
Having described specific embodiments of the invention it will be apparent to those skilled in the art that other embodiments incorporating the concepts may be used. These and other examples of the invention illustrated above are intended by way of example only and the actual scope of the invention is to be determined from the following claims.

Claims

1. A method for securing computer networks from unauthorized access, the network comprising a DHCP server with firewall technology, the method comprising:
- authenticating a machine requesting access to the network on DHCP level by using a combination of the MAC address and IP address for the requesting machine, and
- if the machine has an allowed combination of the MAC and IP address, to open the firewall in the DHCP server for traffic in a certain time period,
- if the combination of MAC and IP address does not exist, access is denied.
2. Method according to claim 1, wherein the DHCP server comprising a description database comprising combinations of MAC addresses and IP addresses that will give access to the network, and authenticating by comparing the combination of the MAC address and IP address for the requesting machine with the allowed MAC and IP addresses in the description database.
3. Method according to claim 2, wherein the authentication step first comprises comparing the MAC address of the requesting machine with the MAC addresses stored in the database, and if a match occurs, checking whether the machine has requested an IP, and if an IP has been requested, secondly comparing the IP address with the IP addresses assigned to the MAC address stored in the database.
4. Method according to claim 1, comprising monitoring an insecure part of the network, providing overview of all client machines in said network part requesting access to the network.
5. Method according to claim 1, comprising giving access for a new client machine to the network by adding the MAC and IP address to a description database on the DHCP server.
6. Method according to claim 1, comprising removing the allowance of access for a client machine to the network by deleting the MAC and IP address from a description database on the DHCP server.
7. Method according to claim 1, comprising managing authentication via an administrating interface, the administration interface being a web interface only available on a machine in a secure part of the network.
8. Method according to claim 5 or 6, wherein the addition and deletion of MAC and IP addresses in the description database is performed by a mouse-click in the administration interface.
9. Method according to claim 1, comprising monitoring network activity and collecting data to be analyzed in an analyzer means.
10. A system securing computer networks from unauthorized access, the network comprising a DHCP server with firewall technology, the system comprising:
- an administration interface in a client in a secure part of the network, controlling access to the network and controlling both the DHCP server and firewall,
- authenticating means for authenticating a client machine requesting access to the network, the authentication being performed on DHCP level by using a combination of the MAC and IP address for the client machine requesting access to the network.
11. System according to claim 10, wherein the DHCP server comprising a description database holding information on combinations of MAC and IP addresses having access to the network.
12. System according to claim 10, wherein the administration interface provides a log of activities on the network.
13. System according to claim 10, wherein the authenticating means first checks whether the MAC address for the requesting machine exists in the description database, and if the MAC address exists, checks whether the requested IP address exists for the MAC address.
14. System according to claim 10, wherein the administration interface controls access to the network by adding or deleting MAC and IP address pairs to/from the description database, respectively.
15. System according to claim 10, comprising a program means opening the firewall in the DHCP server for traffic in a certain time period, for the machine requesting access, for an allowed combination of MAC and IP address.
16. System according to claim 10, comprising an alarm means forwarding an alarm signal to the administration interface creating a log and/or sending an SMS whenever unauthorized access is detected.
17. System according to claim 10, wherein the administration interface is a web interface.
18. System according to claim 10, wherein the network is a cable network.
19. System according to claim 10, wherein the network is a wireless network.
20. Computer program product for a data processing system comprising a computer readable medium, having thereon a computer readable program means which, when loaded into an internal memory of a data processing system, makes the data processing system perform the method in one of claims 1-9.
21. Computer program product for a data processing system comprising computer readable code means which, when loaded into an internal memory of a data processing system, makes the data processing system perform the method in one of claims 1-9.
PCT/NO2002/000380 2001-10-19 2002-10-21 Method and system for securing computer networks using a dhcp server with firewall technology WO2003034687A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US33008901P 2001-10-19 2001-10-19
US60/330,089 2001-10-19
NO20015093 2001-10-19
NO20015093A NO20015093D0 (en) 2001-10-19 2001-10-19 Security system and method

Publications (1)

Publication Number Publication Date
WO2003034687A1 true WO2003034687A1 (en) 2003-04-24

Family

ID=26649325

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/NO2002/000380 WO2003034687A1 (en) 2001-10-19 2002-10-21 Method and system for securing computer networks using a dhcp server with firewall technology

Country Status (1)

Country Link
WO (1) WO2003034687A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2405064A (en) * 2003-07-28 2005-02-16 Bridgewater Systems Corp RADIUS authentication procedure for clients already assigned dynamic IP addresses, with identification using MAC addresses
EP1720312A1 (en) * 2005-05-03 2006-11-08 Zyxel Communications Corporation Media Access Control Address based method for securing access to a local area
WO2007078332A2 (en) * 2005-12-23 2007-07-12 Sony Ericsson Mobile Communications Ab Sim authentication for access to a computer/media network
KR100758859B1 (en) 2004-09-27 2007-09-14 닛본 덴끼 가부시끼가이샤 Subscriber line accommodation apparatus and packet filtering method
EP1934790A2 (en) * 2005-09-13 2008-06-25 Paxfire, Inc. Systems and methods for monitoring and controlling communication traffic
US7502929B1 (en) * 2001-10-16 2009-03-10 Cisco Technology, Inc. Method and apparatus for assigning network addresses based on connection authentication
US7752653B1 (en) 2002-07-31 2010-07-06 Cisco Technology, Inc. Method and apparatus for registering auto-configured network addresses based on connection authentication
US7860029B2 (en) 2004-02-26 2010-12-28 Nec Corporation Subscriber line accommodation device and packet filtering method
RU2726900C1 (en) * 2019-12-09 2020-07-16 федеральное государственное казенное военное образовательное учреждение высшего образования "Краснодарское высшее военное орденов Жукова и Октябрьской Революции Краснознаменное училище имени генерала армии С.М. Штеменко" Министерства обороны Российской Федерации Method of protecting computer networks

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001031843A2 (en) * 1999-10-22 2001-05-03 Nomadix, Inc. Systems and methods for providing dynamic network authorization, authentication and accounting
JP2001211180A (en) * 2000-01-26 2001-08-03 Nec Commun Syst Ltd Dhcp server with client authenticating function and authenticating method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PATENT ABSTRACTS OF JAPAN *

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BY BZ CA CH CN CO CR CU CZ DE DM DZ EC EE ES FI GB GD GE GH HR HU ID IL IN IS JP KE KG KP KR LC LK LR LS LT LU LV MA MD MG MN MW MX MZ NO NZ OM PH PL PT RU SD SE SG SI SK SL TJ TM TN TR TZ UA UG US UZ VC VN YU ZA ZM

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ UG ZM ZW AM AZ BY KG KZ RU TJ TM AT BE BG CH CY CZ DK EE ES FI FR GB GR IE IT LU MC PT SE SK TR BF BJ CF CG CI GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP