WO2006027774A2 - Method and system for controlling access to a service provided through a network - Google Patents

Info

Publication number
WO2006027774A2
Authority
WO
WIPO (PCT)
Prior art keywords
user
service
access
network
access permission
Prior art date
Application number
PCT/IL2005/000930
Other languages
French (fr)
Other versions
WO2006027774A3 (en)
Inventor
Shimon Gruper
Yanki Margalit
Dany Margalit
Tony Khatskevich
Original Assignee
Aladdin Knowledge Systems Ltd.
Priority claimed from US11/062,820 (US20060190990A1)
Application filed by Aladdin Knowledge Systems Ltd.
Publications: WO2006027774A2, WO2006027774A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • Fig. 4 is a flowchart of a process of retrieving a Web page from a remote server, according to another preferred embodiment of the present invention.
  • a workstation sends a request to the gateway for a service, e.g. to get a certain Web page.
  • the flow continues with block 303, where the gateway retrieves the cookie from the user's workstation, and then the flow continues with block 305 where the gateway adds the details retrieved from the cookie to a list of logged-in users, including the current IP address.
  • the logged-in list maintains information about the permission to access service(s), etc. When a user logs out of the network (or gets disconnected, etc.) then his record is removed from the list.
  • At block 304 the gateway retrieves the user's permission(s) from the logged-in list, in contrast to the embodiment of Fig. 3, where the gateway retrieves the information from the cookie.
  • the gateway can associate the user with his IP address, and by this information to retrieve his details from the logged-in list.
  • Some functionalities of a proxy server are carried out by the gateway, and accordingly an operator of a local area network may discard the proxy server from his system.
  • the login script comprises a software module which is executed on the user's computer at the execution of the login script.
  • the software associates the "current IP address" (i.e. the IP address that was assigned by system to the user's workstation upon his connection to the network) with the user and/or his workstation.
  • Fig. 5 is a flowchart of a login process to a network, according to another preferred embodiment of the present invention.
  • a workstation (e.g. user's machine 10 of Fig. 1) sends to the access server (e.g. access server 20 of Fig. 1) a request for a service, e.g. to log in to the organization network.
  • the access server authenticates the workstation / user.
  • the access server launches a login script, i.e. sends to the workstation instruction(s) to be performed by the workstation.
  • the workstation executes the login script.
  • the login script comprises instructions to retrieve the user identity from the Active Directory (see explanation below).
  • the identity of the user / workstation is known, and so is the current IP address of the user / workstation.
  • each network packet is related to two IP addresses - the IP address of the sender and the IP address of the recipient. Therefore it is possible to relate network activity to a user / workstation by the IP addresses.
  • Active Directory is a part of the Windows network architecture in charge of providing a directory service designed for distributed networking environments. Active Directory lets organizations efficiently share and manage information about network resources and users. Active Directory acts as the central authority for network security, letting the operating system verify a user's identity and control his access to network resources.
  • Active Directory provides a single point of management for Windows-based user accounts, clients, servers, and applications. It also helps organizations integrate systems not using Windows with Windows-based applications and Windows-compatible devices, thus consolidating directories and easing management of the entire network operating system. Companies use Active Directory to extend systems securely to the Internet.
  • the identity is sent to the gateway server. If required, also the current IP address is sent to the gateway server.
  • the user's identification with his current IP address is maintained at the gateway server (or a place accessible by the gateway server, e.g. on a side server), e.g. in a database.
  • the database may comprise a list of the identified users who are authorized to access the network, and additional details such as their access permission.
  • Fig. 6 is a flowchart of a process of retrieving a Web page from a remote server, according to a preferred embodiment of the present invention.
  • a workstation sends a request to the gateway for a Web page. It should be noted that although the examples herein refer to a Web page, the example is valid also to a Web site or any other service provided through a network.
  • the gateway retrieves the user's details from the database according to the IP address of the workstation that initiated the request at block 601. The details may include the user's permission to access services provided through the network along with other information. According to this embodiment of the invention the user is identified by his current IP address, which is associated with the user identity and/or the user's workstation identity.
  • the gateway checks the permission of the workstation / user to access the requested service, which in this case is a Web page.
  • access permissions are defined to the system (access server or gateway) by an authorized person such as a supervisor or administrator.
  • an anonymous user, i.e. a user which has not been authorized to access the local area network, gets a "guest level" by which the user does not have permission to access certain services, e.g. the Internet in general, or certain Web sites.
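The Active Directory based embodiment of Figs. 5 and 6 (the login script obtains the user identity on the workstation and reports it together with the current IP address; the gateway keeps the identity-to-IP association in a database, looks it up for every request, and treats an unknown address as an anonymous user at guest level), as an added Python simulation. This is example code, not the patent's or Aladdin's implementation: the directory query is replaced by a constructed dictionary, the permission table is constructed sample data, and the restriction of registrations to the local network range plus the session time-to-live are assumptions of this example that stand in for the access-server authentication the description places before the login script runs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

GUEST_LEVEL = "guest"

# Stand-in for the directory the login script queries on the workstation (Fig. 5);
# constructed sample mapping workstation name -> user identity.
DIRECTORY = {"WS-ALICE": "alice", "WS-BOB": "bob"}

# Permissions by identity, as an administrator would define them (constructed sample).
# The guest level has no Internet access, as the description states for anonymous users.
PERMISSIONS = {
    "alice": {"internet": True, "blocked_hosts": {"casino.example"}},
    "bob": {"internet": False, "blocked_hosts": set()},
    GUEST_LEVEL: {"internet": False, "blocked_hosts": set()},
}


def login_script_identity(workstation: str) -> Optional[str]:
    """Part of the login script on the workstation: obtain the identity to report."""
    return DIRECTORY.get(workstation)


@dataclass
class Session:
    user: str
    workstation: str
    logged_in_at: float


class GatewayRegistry:
    """Identity <-> current IP association kept at (or for) the gateway (Figs. 5 and 6)."""

    def __init__(self, lan: str = "10.0.0.0/24", ttl: float = 8 * 3600) -> None:
        # Assumptions of this example: reports are accepted only from the local
        # network, and an association expires after ttl seconds without re-login.
        self.lan = ipaddress.ip_network(lan)
        self.ttl = ttl
        self.by_ip: Dict[str, Session] = {}

    def register(self, ip: str, workstation: str, user: str, now: float) -> bool:
        """Store what the login script sent: identity and current IP address."""
        if ipaddress.ip_address(ip) not in self.lan:
            return False
        # A lease reassigned by DHCP and reported by a new login replaces the stale record.
        self.by_ip[ip] = Session(user, workstation, now)
        return True

    def unregister(self, ip: str) -> None:
        """Logout or disconnect: drop the association so the address reverts to guest."""
        self.by_ip.pop(ip, None)

    def identify(self, ip: str, now: float) -> str:
        """Who is behind this address right now, or guest level if nobody is registered."""
        session = self.by_ip.get(ip)
        if session is None or now - session.logged_in_at > self.ttl:
            self.by_ip.pop(ip, None)
            return GUEST_LEVEL
        return session.user

    def decide(self, ip: str, host: str, now: float) -> str:
        """Look up the permission of the identified user and enforce it on the request."""
        perm = PERMISSIONS.get(self.identify(ip, now), PERMISSIONS[GUEST_LEVEL])
        if not perm["internet"] or host in perm["blocked_hosts"]:
            return "DENY"
        return "ALLOW"
```

The registry is keyed by the current IP address only, exactly as the embodiment describes, so the record must be replaced whenever a new login reports the same address and removed on logout; otherwise a lease handed to another workstation by DHCP would inherit the previous user's permission. The time-to-live is the minimal safeguard this example adds against records that were never explicitly removed.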

Abstract

The present invention is directed to a method (Fig. 3) for controlling access of a user to a service provided through a network, and a system thereof. The method comprises the steps of: upon initiating a connection of the user to the network, authenticating the user; upon positively authenticating the user, creating or updating a cookie within the workstation of the user, the cookie comprising information related to access permission of the user to the service; upon the user requesting to access the service (201), retrieving the information from the cookie by a gateway (202) to the network, and enforcing the access permission on the user (204, 205, 206).

Description

METHOD AND SYSTEM FOR CONTROLLING ACCESS TO A SERVICE PROVIDED THROUGH A NETWORK
Field of the Invention
The present invention relates to the field of data networks. More particularly, the present invention relates to a method and system for controlling access of a user to a service provided through a network, e.g. accessing a URL, email, etc.
Background of the Invention
Nowadays it is common to limit the access of users to the Web. The limitation may be enforced on certain users, on types of users (e.g. guests and members), on specific Web sites, on specific types of Web sites (e.g. sex sites), on certain Web services (e.g. email), and so forth. Organizations find special interest in limiting the Internet access of their users, since by granting unlimited access to Web sites, the users of the organization get exposed to viruses and other forms of malicious objects.
Typically, a local area network comprises a gateway server, a file server and network nodes (e.g. individual user computers). Sometimes, a proxy server is also connected to the local area network, in order to allow an organization to employ security tests, administrative control, etc.
Usually, upon getting connected to a network, a user gets a unique IP address by which he is identified while being connected to the network. Typically the IP address is selected from a pool or a range of IP addresses. A gateway server can address a user only by his IP address; however, since usually an IP address remains the same only for one session, associating an IP address with a user is temporary in nature. As a result, providing different access levels to different users of a network is an obstacle.
It is an object of the present invention to provide a method and system for associating a user / workstation with its session IP address.
It is a further object of the present invention to provide a method and system for associating a user / workstation with an IP address, which enables conducting an access level on individual basis.
It is a still further object of the present invention to provide a method and system for associating a user with an IP address, which restricts the access of a user / workstation to a service provided through a network according to its access level.
It is a still further object of the present invention to provide a method and system for controlling access of a user / workstation to a service provided through a network.
Other objects and advantages of the invention will become apparent as the description proceeds.
Summary of the Invention
In one aspect, the present invention is directed to a method for controlling access of a user to a service provided through a network, the method comprising the steps of: upon initiating a connection of the user to the network, authenticating the user; upon positively authenticating the user, creating or updating a cookie within the workstation of the user, the cookie comprising information related to access permission of the user to the service; upon requesting to access the service by the user, retrieving the information from the cookie by a gateway to the network, and enforcing the access permission on the user.
In another aspect, the present invention is directed to a method for controlling access of a user to a service provided through a network, the method comprising the steps of: upon initiating a connection of the user to the network, authenticating the user; upon positively authenticating the user, creating or updating a cookie within the computer of the user, the cookie comprising information related to access permission of the user to the service; on a gateway to the network, upon requesting to access the service during a connection session by the user, retrieving by the gateway information stored within the cookie, and adding the information and the current IP address of the user to a logged-in list; on the gateway, upon requesting by a user to re-access the service, identifying the user by his IP address, retrieving the record of the user from the list, and enforcing the access permission on the user.
In yet another aspect, the present invention is directed to a system for controlling access of a user to a service provided through a network, the system comprising: a cookie on a workstation of the user, for storing information related to an access permission of the user or workstation to the service; a local server, for authenticating the user and launching a login script for creating the cookie on the workstation, the cookie comprising information related to access permission of the user to the service; a program executed on a gateway of the network, for checking the permission of the user to access the service according to information stored within the cookie, and enforcing the access permission of the user to the service according to the result of the checking.
In yet another aspect the present invention is directed to a method for controlling access of a user to a service provided through a network, the method comprising the steps of: upon initiating a connection of the user to the network, obtaining the identity of the user from the workstation of the user, and associating the workstation and/or user with the current IP address of the workstation; at a gateway of the network: upon requesting to access the service by the user, identifying the user by the IP address; retrieving from a database information about access permission of the user to the service; and enforcing the access permission on the request.
In yet another aspect, the present invention is directed to a system for controlling access of a user to a service provided through a network, the system comprising: a local server, for authenticating the user and launching a login script, the login script comprises a first program for retrieving the user identity from the Active Directory thereof; and a second program executed on a gateway of the network, for enforcing an access permission of the user to the service.
The information may be about specified access permission of the user to the service, the identity of the user that can be associated with an access permission of the user to the service, and so forth.
The access permission may be related to accessing a certain Web site, accessing Web sites of a certain type, accessing Web sites of a certain category, accessing a certain domain, an access level associated with certain access permissions, and so forth.
The service may be accessing a URL, antivirus service, downloading a file, downloading a certain type file, downloading active content, downloading certain type of active content, accessing encrypted content, using a user's credentials from a cookie to decrypt the content, and so forth.
According to one embodiment of the invention, the service is available through a network such as Internet, WAN, LAN, etc.
Brief Description of the Drawings
The present invention may be better understood in conjunction with the following figures:
Fig. 1 is a block diagram of a computing environment in which the present invention may be used.
Fig. 2 is a flowchart of a login process to a network, according to a preferred embodiment of the present invention.
Fig. 3 is a flowchart of a process of retrieving a Web page from a remote server, according to a preferred embodiment of the present invention.
Fig. 4 is a flowchart of a process of retrieving a Web page from a remote server, according to another preferred embodiment of the present invention.
Detailed Description of Preferred Embodiments
The present invention will now be described more fully and clearly hereinafter with reference to the following figures, in which preferred embodiments of the invention are shown. The invention may, however, be embodied in many different forms and should not be limited to what is illustrated in the drawings; rather, these embodiments are provided so that the disclosure of the invention will be thorough, and its scope will be better understood by those skilled in the art.
In order to facilitate the description to come, the following terms are defined:
The term Gateway refers in the art to a bridge between two networks. It is often associated with both a router, which knows where to direct a packet of data that arrives at the gateway, and a switch, which furnishes the actual path in and out of the gateway for a packet.
The term Proxy Server refers in the art to a server that intermediates between a user's workstation and the Internet (or other network). By means of a proxy server an organization can apply a security policy to the network, conduct administrative control, authenticate its users, etc.
Fig. 1 is a block diagram of a computing environment in which the present invention may be used. Workstations 10 are connected by a line bus 80. Additional equipment may also be connected to the network, such as I/O devices, which in this case are illustrated by tape drive 13 and printer 14. The network also includes one or more servers 20, which may be used for several services. Server 20 is referred to herein as the Access server, and its role is explained hereinafter. Web servers 50, which are in charge of operating Web sites, are accessible to gateway 30 through the Internet 40.
Typically, every device logged into a network gets a unique IP address by which the device can be addressed by other devices connected to the local network. The IP addresses of the objects connected to the network are not permanent. When a device logs into a network, the device gets an IP address which is determined dynamically by a dedicated server. The dedicated server assigns an IP address from a pool of IP addresses or from a range of IP addresses. This is carried out by DHCP (Dynamic Host Configuration Protocol).
When the user of a workstation 10 browses a Web site operated by one of the Web servers 50, the communication packets exchanged between the workstation 10 and the Web server 50 have to pass through the gateway 30; however, the only information the gateway has on the identity of the user is his current IP address, which is not permanent, as explained hereinabove. Therefore a gateway cannot implement an access policy for a certain user.
Fig. 2 is a flowchart of a login process to a network, according to a preferred embodiment of the present invention.
At block 101, a workstation (e.g. user's machine 10 of Fig. 1) sends to the access server (e.g. access server 20 of Fig. 1) a request for a service, e.g. to log in to the Internet.
At block 102, the access server authenticates the workstation / user.
From block 103, if the workstation / user is not authenticated, then at block 106 the login is denied, otherwise flow continues at block 104. At block 104 the access server launches a login script, i.e. sends to the workstation instruction(s) to be performed by the workstation in order to create or update a cookie on the workstation.
According to one embodiment of the invention, the cookie comprises at least information related to the access permission of the user / workstation to the requested service, i.e. Internet. For example, the information may specify allowed / forbidden Web sites (e.g. exclude porno Web sites, allow only certain Web sites, etc.), etc. According to another embodiment of the invention, the cookie comprises at least information about the identity of its user / workstation, which can be associated with access permission of the user / workstation to service(s) by a predefined list. Of course the data stored within the cookie may contain other information, if needed. The association of the identity of the user with access permissions
At block 105 the workstation executes the login script, i.e. creates or updates a cookie on the workstation of the user, which as mentioned above comprises at least information about the access permission of the user to the service, which in this case is the Internet.
The term cookie refers in the art to data stored at a user's workstation and accessible by a Web server. Typically cookies are used by Web sites as a means of keeping track of a user's preferences. A cookie is in fact a compromise between two contradicting requirements. On the one hand, access to the user's workstation should be prevented while the user is connected to a network (e.g. the Internet), so that unauthorized parties cannot reach the user's workstation. On the other hand, a remote server, e.g. an Internet server, may need to access the user's workstation, for example to store his preferences when he browses a Web site. Cookie technology bridges these contradicting requirements: browsers, which execute a set of instructions provided by a remote server (e.g. an HTML file), are programmed to allow access to cookies on the user's workstation, although access to other resources of the user's workstation is restricted.
It should be noted that since the access server 20 is part of the local area network 80, the access server 20 has fewer limitations on accessing resources of a workstation 10 (e.g. its hard drive), as workstation 10 is connected to the same local area network. However, the gateway 30, being external to the local area network 80, is restricted in accessing the resources of a workstation 10. Nevertheless, since the gateway can access cookies within a workstation 10, it can read the cookie created by the access server 20 at the login stage of the workstation 10 to the network, thereby overcoming the obstacle. Note that a browser sends a cookie only with requests to the host and path scope for which the cookie was set; the gateway therefore sees the cookie only on requests in that scope, which the login script must take into account when setting it.
It should also be noted that the cookies used by the present invention can be hidden or encrypted, in order to prevent unauthorized parties from accessing the information stored within a cookie. Encryption alone, however, only hides the content; it does not stop the user from replacing the cookie with one copied from a more privileged account or from an earlier session. For the gateway to detect such substitution the cookie also needs an integrity check, e.g. a keyed message authentication code under a key known only to the access server and the gateway, together with a binding to the session (the current IP address and an expiry time).
Fig. 3 is a flowchart of a process of retrieving a Web page from a remote server, according to a preferred embodiment of the present invention.
At block 201, a workstation sends a request to the gateway for a Web page. It should be noted that although the examples herein refer to a Web page, the example applies equally to a Web site or any other service provided through a network.
At block 202, the gateway retrieves the cookie from the workstation 10. The data stored within the cookie specifies at least the user/workstation's access permission to the requested service. At block 203, the gateway checks the permission of the workstation / user to access the requested service, which in this case is a Web page.
From block 204, if the access to the Web page is permitted to the workstation / user, then the flow continues to block 205, where the Web page is retrieved and displayed on the workstation's display; otherwise, the flow continues to block 206, where the gateway denies the request for the Web page.
Fig. 4 is a flowchart of a process of retrieving a Web page from a remote server, according to another preferred embodiment of the present invention.
At block 301, a workstation sends a request to the gateway for a service, e.g. to get a certain Web page.
From block 302, if this is the first request of the session in which the workstation asks to access a Web page, then the flow continues with block 303, where the gateway retrieves the cookie from the user's workstation, and then with block 305, where the gateway adds the details retrieved from the cookie, including the current IP address, to a list of logged-in users. The logged-in list maintains information about the permission to access service(s), etc. When a user logs out of the network (or gets disconnected, etc.), his record is removed from the list. If it is not the first request of the user's current session to access a Web page, then the flow continues with block 304, where the gateway retrieves the user's permission(s) from the logged-in list, in contrast to the embodiment of Fig. 3, where the gateway retrieves the information from the cookie. This way access to the Web page is faster, since obtaining information from a remote location (i.e. the cookie) takes more time than retrieving it from a local location (i.e. the logged-in list).
As mentioned above, at the gateway the identity of the user is unknown, since a user addresses the gateway only by his IP address. However, since the user is associated with the same IP address during the entire connection session, and since the user's record on the logged-in list comprises the IP address that was assigned to the user for the current connection session, the gateway can associate the user with his IP address and by this information retrieve his details from the logged-in list. This holds only as long as the address is not reassigned; a record must therefore be removed on logout or when the address lease ends, otherwise the next workstation to receive the address inherits its permissions.
At block 306, the permission of the user / workstation to access the requested Web page is checked.
From block 307, if the access to the Web page is permitted to the workstation / user, then the flow continues to block 308, where the Web page is retrieved and displayed on the workstation's display; otherwise, the flow continues to block 309, where the gateway denies the request for the Web page.
It should be noted that according to the present invention, some functionalities of a proxy server are carried out by the gateway, and accordingly an operator of a local area network may discard the proxy server from his system.
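The cookie-based flow of Figs. 2 to 4, as an added example that is not code from the patent: the access server issues the cookie at login, the gateway verifies it on the first request and caches the verified details in an IP-keyed logged-in list, and the next paragraph's concern (the user can edit a cookie on his own machine) is met by a keyed HMAC-SHA256 tag, an IP binding and an expiry time. The shared key, the cookie name `acl`, the allow/deny permission format and the sample session are all assumptions constructed for the example; the page itself only says the cookie may be hidden or encrypted.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Constructed shared secret: assumed to be provisioned out of band to the
# access server and the gateway only, never to workstations.
SHARED_KEY = b"access-server-and-gateway-shared-key"
COOKIE_NAME = "acl"


def issue_cookie(user, permissions, client_ip, ttl=8 * 3600, now=None):
    """Blocks 104/105: the cookie the login script stores on the workstation.
    The payload is readable by the user (it is his machine) but carries a
    keyed MAC, is bound to the current IP and has an expiry."""
    now = time.time() if now is None else now
    payload = {"user": user, "perm": permissions, "ip": client_ip, "exp": int(now + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def parse_cookie(cookie, client_ip, now=None):
    """Block 202: the gateway reads the cookie. Returns None when the MAC does
    not verify (edited cookie), the IP differs (cookie copied to another
    workstation) or the cookie has expired."""
    now = time.time() if now is None else now
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["ip"] != client_ip or payload["exp"] < now:
        return None
    return payload


def permitted(permissions, url):
    """Block 203: an allow list overrides a deny list; otherwise 'default'.
    A listed domain matches itself and its subdomains."""
    host = urlsplit(url).hostname or ""

    def matches(domain):
        return host == domain or host.endswith("." + domain)

    if any(matches(d) for d in permissions.get("allow", [])):
        return True
    if any(matches(d) for d in permissions.get("deny", [])):
        return False
    return bool(permissions.get("default", False))


class CookieGateway:
    """Fig. 4: details from the cookie are cached in a logged-in list keyed by
    the client's current IP; later requests in the session skip the cookie."""

    def __init__(self):
        self.logged_in = {}  # ip -> verified cookie payload

    def handle(self, client_ip, url, cookies, now=None):
        now = time.time() if now is None else now
        record = self.logged_in.get(client_ip)
        if record is not None and record["exp"] < now:
            del self.logged_in[client_ip]  # the cached entry must expire too
            record = None
        if record is None:  # blocks 302/303/305: first request of the session
            record = parse_cookie(cookies.get(COOKIE_NAME, ""), client_ip, now)
            if record is None:
                return "403 denied: no valid permission cookie"
            self.logged_in[client_ip] = record
        if permitted(record["perm"], url):  # blocks 306-308
            return f"200 fetched {url} for {record['user']}"
        return f"403 denied {url} for {record['user']}"  # block 309

    def logout(self, client_ip):
        self.logged_in.pop(client_ip, None)


def demo():
    """Constructed session: a valid cookie, then two bypass attempts."""
    perms = {"default": True, "deny": ["example.net"], "allow": ["intranet.example.net"]}
    cookie = issue_cookie("alice", perms, "10.0.0.5", now=1_000_000)
    gw = CookieGateway()
    jar = {COOKIE_NAME: cookie}
    results = [
        gw.handle("10.0.0.5", "http://www.example.com/", jar, now=1_000_100),
        gw.handle("10.0.0.5", "http://www.example.net/", jar, now=1_000_200),
        gw.handle("10.0.0.5", "http://intranet.example.net/", jar, now=1_000_300),
    ]
    # Bypass 1: the user rewrites the payload to drop the deny list but keeps
    # the old tag; the MAC no longer verifies.
    _, tag = cookie.rsplit(".", 1)
    widened = {"user": "alice", "perm": {"default": True}, "ip": "10.0.0.5", "exp": 2_000_000}
    forged = base64.urlsafe_b64encode(json.dumps(widened, sort_keys=True).encode()).decode()
    results.append(CookieGateway().handle("10.0.0.5", "http://www.example.net/",
                                          {COOKIE_NAME: f"{forged}.{tag}"}, now=1_000_400))
    # Bypass 2: the genuine cookie copied to another workstation; the IP binding fails.
    results.append(CookieGateway().handle("10.0.0.6", "http://www.example.com/", jar, now=1_000_500))
    return results
```

The cookie body stays readable here on purpose; confidentiality can be added with a real cipher, but it is the MAC, the IP binding and the expiry that stop the edited, copied and stale cookies in `demo()`. The gateway also re-checks the expiry on cached entries, since caching in the logged-in list would otherwise keep a permission alive after its cookie has lapsed.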
Employing a cookie weakens security, since a cookie is data stored on the user's machine and as such is accessible to the user. Thus, with appropriate effort a user may bypass his access permissions to a service, to the network, etc. According to another preferred embodiment of the invention, the login script comprises a software module which is executed on the user's computer when the login script runs. The software associates the "current IP address" (i.e. the IP address that was assigned by the system to the user's workstation upon his connection to the network) with the user and/or his workstation.
Fig. 5 is a flowchart of a login process to a network, according to another preferred embodiment of the present invention.
At block 501, a workstation (e.g. user's machine 10 of Fig. 1) sends to the access server (e.g. access server 20 of Fig. 1) a request for a service, e.g. to log in to the organization network.
At block 502, the access server authenticates the workstation / user.
From block 503, if the workstation / user is not authenticated, then at block 505 the login is denied, otherwise flow continues at block 504.
At block 504 the access server launches a login script, i.e. sends to the workstation instruction(s) to be performed by the workstation.
At block 506 the workstation executes the login script.
According to this embodiment of the invention, the login script comprises instructions to retrieve the user identity from the Active Directory (see explanation below). Thus, at this point the identity of the user / workstation is known, as is the current IP address of the user / workstation. In addition, each network packet carries two IP addresses, the IP address of the sender and the IP address of the recipient. Therefore it is possible to relate network activity to a user / workstation by the IP addresses. Active Directory is the part of the Windows network architecture that provides a directory service designed for distributed networking environments. Active Directory lets organizations efficiently share and manage information about network resources and users. It acts as the central authority for network security, letting the operating system verify a user's identity and control his access to network resources, and it provides a single point of management for Windows-based user accounts, clients, servers, and applications. It also helps organizations integrate systems not using Windows with Windows-based applications and Windows-compatible devices, thus consolidating directories and easing management of the entire network operating system. Companies use Active Directory to extend their systems securely to the Internet.
Once the user's identification has been obtained during the execution of the login script, the identity is sent to the gateway server. If required, the current IP address is also sent to the gateway server. The user's identification with his current IP address is maintained at the gateway server (or at a place accessible by the gateway server, e.g. on a side server), e.g. in a database. The database may comprise a list of the identified users who are authorized to access the network, and additional details such as their access permissions. Since this report originates on the user's workstation, the gateway should accept it only from the access server or over an authenticated channel; otherwise a user can report whatever identity he likes for his IP address.
Fig. 6 is a flowchart of a process of retrieving a Web page from a remote server, according to a preferred embodiment of the present invention.
At block 601, a workstation sends a request to the gateway for a Web page. It should be noted that although the examples herein refer to a Web page, the example applies equally to a Web site or any other service provided through a network. At block 602, the gateway retrieves the user's details from the database according to the IP address of the workstation that initiated the request at block 601. The details may include the user's permission to access services provided through the network along with other information. According to this embodiment of the invention the user is identified by his current IP address, which is associated with the user identity and/or the user's workstation identity.
At block 603, the gateway checks the permission of the workstation / user to access the requested service, which in this case is a Web page.
From block 604, if the access to the Web page is permitted to the workstation / user, then the flow continues to block 605, where the Web page is retrieved and displayed on the workstation's display; otherwise, the flow continues to block 606, where the gateway denies the request for the Web page.
Typically access permissions are defined to the system (access server or gateway) by an authorized person such as a supervisor or administrator.
According to one embodiment of the invention, when an anonymous user (i.e. a user who has not been authorized to access the local area network) attempts to log in to the local area network, the user gets a "guest level" by which the user does not have permission to access certain services, e.g. the Internet in general, or certain Web sites.
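The identity-by-IP embodiment of Figs. 5 and 6, together with the guest level just described, as an added example that is not the patent's code: the login script's report (AD identity plus current IP) is registered at the gateway, the gateway resolves each request's source IP to a record, and the record is dropped on logout or when its lease ends so that the next holder of the address does not inherit the permissions. The one-hour record lifetime, the access levels, the permission database keyed by user principal name, the URL categorizer and the sample traffic are all constructed assumptions; the registration is also assumed to arrive over an authenticated channel, which this code does not implement.

```python
from typing import Optional
from urllib.parse import urlsplit

LEASE_SECONDS = 3600  # assumption: a session record lives as long as one address lease

# Constructed permission database, keyed by the AD user principal name.
PERMISSION_DB = {
    "alice@corp.example": {"level": "staff"},
    "bob@corp.example": {"level": "restricted"},
}

# Constructed access levels: the site categories each level may reach.
# "guest" is the level an anonymous login receives: no Internet at all.
LEVELS = {
    "staff": {"intranet", "general"},
    "restricted": {"intranet"},
    "guest": set(),
}

# Constructed categorizer; a deployment would consult a URL category feed.
CATEGORIES = {
    "intranet.corp.example": "intranet",
    "www.example.com": "general",
    "gambling.example.net": "gambling",
}


def categorize(url: str) -> str:
    return CATEGORIES.get(urlsplit(url).hostname or "", "uncategorized")


class IpGateway:
    def __init__(self):
        self.sessions = {}   # ip -> {"user", "level", "expires"}
        self.conflicts = []  # registrations that displaced a still-live record

    def register(self, ip: str, user: Optional[str], now: float) -> str:
        """Fig. 5, block 506: the login script reports identity and current IP.
        user=None models an anonymous login, which gets the guest level."""
        old = self.sessions.get(ip)
        if old and old["expires"] > now and old["user"] != user:
            # The same IP re-bound to another identity before the lease ended:
            # worth logging, since a silent overwrite is how one user ends up
            # holding another user's address and permissions.
            self.conflicts.append((ip, old["user"], user))
        level = PERMISSION_DB.get(user, {}).get("level", "guest") if user else "guest"
        self.sessions[ip] = {"user": user or "anonymous", "level": level,
                             "expires": now + LEASE_SECONDS}
        return level

    def logout(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def lookup(self, ip: str, now: float) -> Optional[dict]:
        """Block 602: resolve the source IP to a record; stale records are
        dropped rather than trusted."""
        rec = self.sessions.get(ip)
        if rec is None:
            return None
        if rec["expires"] <= now:
            del self.sessions[ip]
            return None
        return rec

    def handle(self, ip: str, url: str, now: float) -> str:
        rec = self.lookup(ip, now)
        if rec is None:
            return "403 unknown IP, not logged in"
        cat = categorize(url)
        if cat in LEVELS[rec["level"]]:  # blocks 603-605
            return f"200 {rec['user']} ({rec['level']}) -> {cat}"
        return f"403 {rec['user']} ({rec['level']}) -> {cat}"  # block 606


def demo() -> dict:
    """Constructed traffic: a staff user, an anonymous guest, a lapsed lease,
    and an address re-bound to a second user while the first record is live."""
    gw = IpGateway()
    t0 = 1_700_000_000
    gw.register("10.0.0.5", "alice@corp.example", t0)
    gw.register("10.0.0.9", None, t0)
    out = {
        "alice_general": gw.handle("10.0.0.5", "http://www.example.com/", t0 + 10),
        "alice_gambling": gw.handle("10.0.0.5", "http://gambling.example.net/", t0 + 20),
        "guest_intranet": gw.handle("10.0.0.9", "http://intranet.corp.example/", t0 + 30),
        # Lease over: whoever now holds 10.0.0.5 inherits nothing.
        "after_lease": gw.handle("10.0.0.5", "http://www.example.com/", t0 + LEASE_SECONDS + 1),
    }
    gw.register("10.0.0.5", "alice@corp.example", t0 + LEASE_SECONDS + 2)
    gw.register("10.0.0.5", "bob@corp.example", t0 + LEASE_SECONDS + 3)  # conflict
    out["bob_general"] = gw.handle("10.0.0.5", "http://www.example.com/", t0 + LEASE_SECONDS + 4)
    out["conflicts"] = len(gw.conflicts)
    return out
```

Binding a user to an address is only as strong as the address itself: the record lifetime should track the DHCP lease, logout and disconnect must evict the record, and a registration that displaces a live record for a different user is the event to alert on rather than accept quietly.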
Those skilled in the art will appreciate that the invention can be embodied by other forms and ways, without losing the scope of the invention. The embodiments described herein should be considered as illustrative and not restrictive. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims

What is claimed is:
1. A method for controlling access of a user to a service provided through a network, the method comprising the steps of:
- upon initiating a connection of said user to said network, authenticating said user and creating or updating a cookie within the workstation of said user, said cookie comprising information related to access permission of said user to said service, said access permission corresponds to the result of said authenticating;
- upon requesting to access said service by said user, retrieving said information from said cookie by a gateway to said network, and enforcing said access permission on said user.
2. A method according to claim 1, wherein said cookie is stored in an encrypted form.
3. A method according to claim 1, wherein said information is selected from a group comprising: specified access permission of said user to said service; identity of said user, for associating with an access permission of said user to said service.
4. A method according to claim 1, wherein said access permission is selected from the group comprising: accessing a certain Web site, accessing Web sites of a certain type, accessing Web sites of a certain category, accessing a certain domain, and an access level associated with at least one certain access permission.
5. A method according to claim 1, wherein said service is available through a network selected from the group comprising: Internet, WAN, LAN.
6. A method according to claim 1, wherein said service is selected from the group comprising: accessing a URL, antivirus service, downloading a file, downloading a certain type file, downloading active content, downloading certain type of active content, accessing encrypted content, using a user's credentials from a cookie to decrypt the content.
7. A method for controlling access of a user to a service provided through a network, the method comprising the steps of:
- upon initiating a connection of said user to said network, authenticating said user and creating or updating a cookie within the workstation of said user, said cookie comprising information related to access permission of said user to said service, said access permission corresponds to the result of said authenticating;
- at a gateway to said network, upon requesting to access said service during a connection session by said user, retrieving by said gateway information stored within said cookie, and adding said information and a current IP address of said user to a logged-in list;
- at said gateway, upon requesting by a user to re-access said service, identifying said user by said current IP address, retrieving said information of said user from said list according to said current IP address, and enforcing said access permission on said user.
8. A method according to claim 7, wherein said access permission is selected from the group comprising: an access level, an allowed or forbidden Web site, an allowed or forbidden type of Web sites, an allowed or forbidden category of Web sites, and an allowed or forbidden domain.
9. A method according to claim 7, wherein said service is available through a network selected from the group comprising: Internet, WAN, LAN.
10. A method according to claim 7, wherein said service is selected from the group comprising: accessing a URL, antivirus service, downloading a file, downloading a certain type file, downloading active content, downloading certain type of active content, accessing encrypted content, using a user's credentials from a cookie to decrypt the content.
11. A system for controlling access of a user to a service provided through a network, the system comprising:
- a local server, for authenticating said user and launching a login script for creating a cookie on said workstation, said cookie comprising information related to access permission of said user to said service;
- a program executed on a gateway of said network, for checking the permission of said user to access said service according to information stored within said cookie, and enforcing said access permission of said user to said service according to the result of said checking.
12. A system according to claim 11, wherein said information is selected from a group comprising: specified access permission of said user to said service, identity of said user that can be associated with an access permission of said user to said service.
13. A system according to claim 11, further comprising a list of logged-in users, each entry of said list comprising an identifier of a logged-in user, and at least one permission of said user to access said service.
14. A system according to claim 13, wherein said identifier is selected from a group comprising: an IP address of said user for the current connection session, a user name.
15. A system according to claim 11, wherein said access permission is selected from the group comprising: an access level, an allowed or forbidden Web site, an allowed or forbidden type of Web sites, an allowed or forbidden category of Web sites, and an allowed or forbidden domain.
16. A system according to claim 11, wherein said service is available through a network selected from the group comprising: Internet, WAN, LAN.
17. A system according to claim 11, wherein said service is selected from the group comprising: accessing a URL, antivirus service, downloading a file, downloading a certain type file, downloading active content, downloading certain type of active content, accessing encrypted content, using a user's credentials from a cookie to decrypt the content.
18. A method for controlling access of a user to a service provided through a network, the method comprising the steps of:
- upon initiating a connection of said user to said network, obtaining the identity of said user from the workstation of said user, and associating said workstation and/or user with the current IP address of said workstation;
- at a gateway of said network: upon requesting to access said service by said user, identifying said user by said IP address; retrieving from a database information about access permission of said user to said service; and enforcing said access permission on said request.
19. A method according to claim 18, wherein said database resides at said gateway.
20. A method according to claim 18, wherein said information is selected from a group comprising: specified access permission of said user to said service; identity of said user, to be associated with an access permission of said user to said service.
21. A method according to claim 18, wherein said access permission is selected from the group comprising: accessing a certain Web site, accessing Web sites of a certain type, accessing Web sites of a certain category, accessing a certain domain, and an access level associated with at least one certain access permission.
22. A method according to claim 18, wherein said service is available through a network selected from the group comprising: Internet, WAN, LAN.
23. A method according to claim 18, wherein said service is selected from the group comprising: accessing a URL, antivirus service, downloading a file, downloading a certain file type, downloading active content, downloading certain type of active content, accessing encrypted content.
24. A system for controlling access of a user to a service provided through a network, the system comprising:
- a local server, for authenticating said user and launching a login script, said login script comprises a first program for retrieving the user identity from the Active Directory thereof; and
- a second program executed on a gateway of said network, for enforcing an access permission of said user to said service.
25. A system according to claim 24, wherein said information is selected from a group comprising: specified access permission of said user to said service, identity of said user.
26. A system according to claim 24, further comprising a list of logged-in users, each entry of said list comprising an identifier of a logged-in user, and at least one access permission of said user to said service.
27. A system according to claim 26, wherein said identifier is selected from a group comprising: an IP address of said user for the current connection session, a user name, a workstation name.
28. A system according to claim 24, wherein said access permission is selected from the group comprising: an access level, an allowed Web site, a forbidden web site, an allowed type of Web sites, a forbidden type of web site, an allowed category of Web sites, a forbidden category of Web sites, and an allowed domain, and a forbidden domain.
29. A system according to claim 24, wherein said service is available through a network selected from the group comprising: Internet, WAN, LAN.
30. A system according to claim 24, wherein said service is selected from the group comprising: accessing a URL, antivirus service, downloading a file, downloading a certain type file, downloading active content, downloading certain type of active content, accessing encrypted content.
PCT/IL2005/000930 2004-09-08 2005-09-01 Method and system for controlling access to a service provided through a network WO2006027774A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US60771104P 2004-09-08 2004-09-08
US60/607,711 2004-09-08
US11/062,820 US20060190990A1 (en) 2005-02-23 2005-02-23 Method and system for controlling access to a service provided through a network
US11/062,820 2005-02-23

Publications (2)

Publication Number Publication Date
WO2006027774A2 true WO2006027774A2 (en) 2006-03-16
WO2006027774A3 WO2006027774A3 (en) 2006-10-12

Family

ID=36036731

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2005/000930 WO2006027774A2 (en) 2004-09-08 2005-09-01 Method and system for controlling access to a service provided through a network

Country Status (1)

Country Link
WO (1) WO2006027774A2 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020019828A1 (en) * 2000-06-09 2002-02-14 Mortl William M. Computer-implemented method and apparatus for obtaining permission based data
US6453353B1 (en) * 1998-07-10 2002-09-17 Entrust, Inc. Role-based navigation of information resources
US20030005308A1 (en) * 2001-05-30 2003-01-02 Rathbun Paul L. Method and system for globally restricting client access to a secured web site
US6539424B1 (en) * 1999-11-12 2003-03-25 International Business Machines Corporation Restricting deep hyperlinking on the World Wide Web
US20040003287A1 (en) * 2002-06-28 2004-01-01 Zissimopoulos Vasileios Bill Method for authenticating kerberos users from common web browsers
US6715080B1 (en) * 1998-10-01 2004-03-30 Unisys Corporation Making CGI variables and cookie information available to an OLTP system

Also Published As

Publication number Publication date
WO2006027774A3 (en) 2006-10-12

Similar Documents

Publication Publication Date Title
US9231973B1 (en) Automatic intervention
US8001610B1 (en) Network defense system utilizing endpoint health indicators and user identity
JP6263537B2 (en) LDAP-based multi-tenant in-cloud identity management system
EP2856702B1 (en) Policy service authorization and authentication
US7249187B2 (en) Enforcement of compliance with network security policies
US7694343B2 (en) Client compliancy in a NAT environment
US8146137B2 (en) Dynamic internet address assignment based on user identity and policy compliance
US20060190990A1 (en) Method and system for controlling access to a service provided through a network
US20100100949A1 (en) Identity and policy-based network security and management system and method
GB2317539A (en) Firewall for interent access
US20220345491A1 (en) Systems and methods for scalable zero trust security processing
RU2387089C2 (en) Method of allocating resources with limited access
CN113347072A (en) VPN resource access method, device, electronic equipment and medium
WO2013150543A2 (en) Precomputed high-performance rule engine for very fast processing from complex access rules
Cisco CDAT Expert Interface
Cisco Managing Network Access and Use
Cisco Controlling Network Access and Use
Cisco Controlling Network Access and Use
Cisco CDAT Expert Interface
Cisco Configuring Authentication Proxy
Cisco Configuring Sensor Nodes
Cisco Configuring the Device-Specific Settings of Network Objects
Cisco Configuring the Device-Specific Settings of Network Objects
Cisco Configuring the Device-Specific Settings of Network Objects
WO2006027774A2 (en) Method and system for controlling access to a service provided through a network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase