SYSTEM AND METHOD FOR PROVIDING SECURE REMOTE ACCESS TO A COMPUTER NETWORK
BACKGROUND OF THE INVENTION
The present invention relates to a method and apparatus for providing remote secure access to computer networks. More particularly, the present invention relates to a method and apparatus for securing communications between remotely located workers and the appropriate destination computer through a single, off-site security server.
Many organizations, both in government and in private industry, rely on access to centralized computer facilities. Ease of access is generally desirable in order to facilitate use of computer resources and productivity. Remotely located individuals who are, for example, traveling on business, often need to access their organization's computer. A concern for each organization is that access only be granted to the appropriate personnel. One approach to addressing this security issue is for each organization to have a security system or infrastructure that is specific to the organization. Each company would, for example, receive modem calls from its remotely located employees and process the call through some type of password routine or other verification process. Maintaining adequate and current security measures can be a burden both in the amount of dedicated hardware and in the amount of software that must be managed. Proper security may be beyond the means of smaller organizations and may take up considerable resources for larger organizations.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a remote access system according to a preferred embodiment of the invention.
FIG. 2 is a block diagram of a preferred communication server for use in the system of FIG. 1.
FIG. 3 is a block diagram of a preferred network access server for use in the system of FIG. 1.
FIG. 4 is a flow diagram illustrating a preferred method of establishing secure computer access between a remote user and the appropriate computer system.
DETAILED DESCRIPTION OF PRESENTLY PREFERRED EMBODIMENTS
According to one aspect of the present invention an improved method and apparatus for securing computer access between users and the proprietary computer network of each user's respective organization is provided. The preferred system and method are advantageous in that they reduce the infrastructure and overhead burden on individual organizations by removing the task of authenticating users, and associated administrative tasks, to an off-site security system managed by a third party service provider.
FIG. 1 illustrates a preferred system 10 for securing access between remotely located computer users and the computers of the different organizations that they are permitted to access. The system 10 includes at least one remotely located user computer 12. Preferably, there are multiple remotely located user computers 12. A security token, for example a secure identification card 14, is associated with each user. Each user preferably communicates through her user computer 12 over standard telephone lines, also known as plain old telephone service (POTS) lines 17, via modem 16 through the public switched telephone network (PSTN) 18. At least one communication server 20, which may be a router such as a Cisco 5200, is in communication with a security service bureau 22 over a frame relay network 24. The security service bureau 22 may be a local area network (LAN) 26 that includes at least one administrative workstation 28 for monitoring operation of the security service bureau 22. A suitable administrative workstation 28 may be any of a number of commonly available personal computers. A network access server (NAS) 30 is also connected to the LAN 26. The LAN 26 of the service bureau 22 connects to the frame relay network 24 through a firewall 32. The firewall may be a personal computer, such as those available from Sun Microsystems, running software available from Solaris to provide protection to the service bureau LAN 26 from outside corruption. The NAS 30 may be any of a number of servers such as those available from Hewlett Packard, including the HP 712, the HP 755, or the HP 720. Similar devices from other manufacturers may also be used as the NAS. The NAS 30 of the service bureau 22 is in communication with multiple host computer networks 34 or stand-alone computers over the frame relay network 24. In the example of FIG. 1, each of the host computer networks or stand-alone computers utilizes the service bureau to authenticate remote users at various computers 12. As used below, the term host computer network refers to the computer, computer system, or group of computer systems operated by an organization such as a business or corporation. Preferably, each of the plurality of host computer networks 34 is operated by a separate, unrelated organization.
The system 10 also includes an integrated service center (ISC) 35 and an enterprise service system (ESS) 37. The ISC 35 preferably includes a computer configured to accept all service requests from host computer networks desiring to add or remove computer use monitoring services or change the list of authorized users for the network. Additionally, the ISC 35 receives telephone calls from end users 12 seeking help relating to remote access services. The ISC 35 assigns help requests to the appropriate party in the system 10. In one embodiment, the ISC 35 is a vertically integrated service center and help desk for video, audio, and data communications. The ESS 37 is a master database containing lists of periodic user charges, also known as "per seat" charges, for the various host computer systems serviced by the system 10. The ESS 37 also contains a list of field service fees associated with a respective host computer network 34 and records any extra services used by a host computer network 34 and its authorized users. The fees for each particular host computer network are negotiated prior to beginning services to a particular host computer network and associated authorized users. The negotiated fees may be stored as tables in the ESS. The ESS 37 may be a server running UNIX software such as a SPARC Server available from SUN Microsystems. The ESS receives updates on authorized users and subscribing host computer networks from the ISC.
A network management center (NMC) 39 is in communication with the ISC 35 and a private corporate intranet 19 via the ESS 37. The NMC 39 receives help requests from the ISC and provides a help desk for network infrastructure problems, performance issues and chronic desktop problems. The NMC 39 uses a pre-entered user definition and information to create a trouble record for resolving issues associated with remote access services provided to the host computer networks 34. Each trouble call is stored at the NMC 39. The NMC serves to provide proactive surveillance of all physical lines and routers in the system as well as handling trouble calls passed on from the ISC.
A customer service center (CSC) 40 is also linked to the system 10 via the ESS and the private corporate intranet 19. The CSC 40 manages the ordering of POTS services and repairs of business lines (e.g. DS1, ISDN, etc.). A billing application communicates over the corporate intranet 19, via the ESS 37, with the NAS 30 and other system 10 components to obtain necessary billing information concerning host computer networks 34 and their respective users. In one embodiment, the billing application is a software application running within the ESS containing logic necessary to organize cost data by per user and per entity within a particular client's (host computer's) organization. Alternatively, the billing application may be a discrete billing computer 42 executing the necessary logic to obtain and manipulate billing information. A more detailed discussion of a method and system for monitoring computer usage and associated costs is discussed in a commonly assigned application identified as Attorney Docket No. 8285/142. That application is filed on the same date as the present application and is hereby incorporated by reference in its entirety.
As shown in FIG. 2, the communication server 20 preferably includes an internet protocol (IP) address memory 36 containing a list of source dial-in numbers and the appropriate IP address to direct calls received on specific dial-in numbers. In one embodiment, there are a plurality of communication servers 20 that each service one specific host computer network 34 and hold the IP address for that specific host computer network in memory 36. In an alternative embodiment, one or more servers 20 each can direct authorized users to the appropriate one of several different host computer networks 34. The IP memory 36 also preferably includes the IP address of the service bureau 22. The communication server forwards calls received from the predetermined dial-in numbers to the IP address of the appropriate host computer network after the user is authorized by the NAS. Calls forwarded from remote computers 12 are converted from the POTS format to frame relay network messages in a frame relay translator 36 that converts the signals received from the frame relay network 24 or PSTN 18 to the appropriate format.
The NAS 30 communicates with the communication server 20 over the frame relay network 24 and authenticates each remote user's identification through a process of several steps. Referring to FIG. 3, a user name memory 38 in the NAS 30 contains user names for all authorized users of the various proprietary host computer networks 34 that utilize the services of the service bureau 22. A host computer IP address memory 42 contains a cross-referenced list of usernames and IP addresses of the computer or computers each username may have access to. The NAS also requires a pass code to authenticate a user. The pass code preferably consists of a fixed personal identification number (PIN) and a time variable security token password.
A secure identification generator 41 in the NAS 30 contains an algorithm for generating a unique security token password for each remote computer user. Each remote computer user has access to a personalized security token at her end of the remote call. The security token may be a soft token, such as a software application on each authorized user's computer, or a hard token, such as a secure identification card 14 available from Security Dynamics, Inc. of Cambridge, Massachusetts. Each authorized user's security token generates a unique security token password that may be a sequence of numbers, letters, or other type of symbol. Using the secure ID card 14, the security token password is obtained by the user from a display showing a new security token password at predetermined time increments. The algorithm at the secure identification generator 41 is substantially synchronized with the encryption algorithm generating and displaying a security token password on the secure identification card 14 each user possesses. Thus, the NAS 30 and remote computer user share a unique, time variable security token password. The secure identification generator 41 may be a microprocessor implementing a time based security algorithm available from Security Dynamics, Inc. of Cambridge, Massachusetts, such as a 56 bit data encryption standard (DES).
Referring now to FIG. 4, a preferred embodiment of a method for securing communications between a remote user and a host computer network is illustrated. A user dials a telephone number with a computer modem 16, or other communications device, controlled by the user's computer. Preferably, the telephone number is a toll-free number so that the user may dial one number from any location to access her organization's host computer network via the communications server 20 and NAS 30. Each subscribing host computer network 34 has its own number or numbers, through a long distance service provider of its choice, that authorized users for that host computer network may use. The dialed number is received at the communication server to form a connection between remote user computer 12 and communication server 20 (at step 50). The connection is accomplished by routing the call from the modem 16 to the communication server over POTS lines 17, via the PSTN 18. Upon receipt of the call, the communication server establishes a connection with the NAS through the security service bureau 22 over the frame relay network.
When the communication server receives the call over the dial-in number, the user is queried for her user name. The user name may be any form of predetermined identification by which the host computer network recognizes the identity of a user registered on its system. In one embodiment, the communication server automatically prompts the remote user for her user name upon receipt of the remote user's call. The communication server then communicates this information to the NAS through the frame relay network and service bureau. In another preferred embodiment, the communication server informs the NAS that a call has been received, and the NAS instructs the communication server to generate a user name prompt. The frame relay POTS translator 36 acts to properly format information flowing between the service bureau and user computer.
Preferably, the communication server 20 and NAS 30 communicate using TCP/IP queries and transactions.
After receiving the remote user's response to the user name prompt, the communication server transmits the user name to the NAS. The NAS subsequently instructs the communication server to prompt the remote user for a pass code. The remote user enters the PIN and security token password that makes up her pass code and the communication server forwards the pass code, along with the IP address of the communication server 20, to the NAS (at steps 52, 54). Once the necessary information is entered, the NAS attempts to authenticate the user (at step 56). The NAS will only authenticate a user if certain conditions are met.
In one embodiment, each host computer network subscribing to the service bureau services has one corresponding communication server. The NAS first compares the entered user name to a list of usernames for the host computer network that corresponds with the received IP address of the communication server and retrieves the PIN number associated with the user name. The NAS will then generate a pass code that should match the particular remote user's time variant security token password and compare it with the one entered by the remote user. If the username and pass code entered by the user correspond exactly to those stored and generated at the NAS, the NAS transmits authorization for the communication server to link the remote user to the appropriate host computer network. In another embodiment, each communication server may be used with multiple host computer networks. When the NAS transmits its authorization, the communication server determines the IP address of the proper host computer network by matching the remote user to the IP address associated with that user in the IP address memory 34. Alternatively, the NAS may store the appropriate host computer network IP address in an IP address memory 42 and send the proper IP address with its authorization. The communication server then uses this address to establish a link to the proper host computer network over the frame relay network (at step 58). When the connection is made to the host computer network, the communication links for the session run from the remote user's computer 12 to the communication server 20 over the POTS lines, and from the communication server to the host computer network over the frame relay network. The communication server records a starting time stamp and an ending time stamp for communication between the remote user and the host computer network. The starting and ending time stamps for each call, as well as other diagnostic information, are periodically transmitted from the communication server to the service bureau. The service bureau monitors the quality, frequency and duration of individual connections to each host computer network. The types of security measures taken by each host computer network, beyond the off-site authentication described above, are determined by each individual network according to the needs of the organization managing that network.
As has been described above, a system and method for providing remote computer users secure access to various unrelated, proprietary host computer networks is provided. The system and method reduce the need for duplication of efforts and dedication of extra resources by each host computer network by providing a security service bureau operated by a third party service provider that may operate the system to efficiently and securely manage authentication of users for each of the subscribing host computer networks.
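The NAS authentication steps described above (steps 52 through 58: the user name list selected by the calling communication server's IP address, the stored PIN, the time-variable token password generated on the NAS side and the exact comparison against the entered pass code), as an added example that is not part of the patent. It uses an HMAC-SHA1 time-based code as a stand-in for the Security Dynamics card algorithm; the NetworkAccessServer class, its 60-second token interval and every IP address, PIN and seed below are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

TOKEN_STEP_SECONDS = 60  # assumed refresh interval of the card display


@dataclass(frozen=True)
class TokenRecord:
    pin: str          # fixed PIN, retrieved by the NAS from the user name
    token_seed: bytes  # secret shared with the user's hard or soft token
    host_ip: str      # host network this user name may reach (memory 42)


def token_password(seed: bytes, now: int, step: int = TOKEN_STEP_SECONDS) -> str:
    """Time-variable 6-digit token password; NAS and card compute the same
    value for the same time window (HMAC stand-in for the card algorithm)."""
    window = struct.pack(">Q", now // step)
    digest = hmac.new(seed, window, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class NetworkAccessServer:
    def __init__(self, comm_server_to_host: dict, users: dict):
        # comm_server_to_host: communication server IP -> host network name
        # users: host network name -> {user name: TokenRecord}
        self.comm_server_to_host = comm_server_to_host
        self.users = users

    def authenticate(self, comm_server_ip: str, username: str,
                     pass_code: str, now: int):
        """Return the host network IP to link to, or None on any failure."""
        host = self.comm_server_to_host.get(comm_server_ip)
        if host is None:
            return None  # call arrived through an unregistered server
        record = self.users.get(host, {}).get(username)
        if record is None:
            return None  # user name not on this host network's list
        expected = record.pin + token_password(record.token_seed, now)
        # constant-time comparison: pass code must match PIN + token exactly
        if not hmac.compare_digest(expected.encode(), pass_code.encode()):
            return None
        return record.host_ip


# Constructed sample data: two unrelated subscribing host networks
NAS = NetworkAccessServer(
    comm_server_to_host={"10.1.0.1": "acme", "10.2.0.1": "globex"},
    users={"acme": {"alice": TokenRecord("1234", b"alice-seed", "192.0.2.10")},
           "globex": {"bob": TokenRecord("9876", b"bob-seed", "198.51.100.20")}},
)


def demo(now: int = 1_000_000) -> dict:
    code = "1234" + token_password(b"alice-seed", now)  # what the card shows
    return {"good": NAS.authenticate("10.1.0.1", "alice", code, now),
            "wrong_server": NAS.authenticate("10.2.0.1", "alice", code, now),
            "wrong_pin": NAS.authenticate("10.1.0.1", "alice", "0000" + code[4:], now),
            "stale": NAS.authenticate("10.1.0.1", "alice", code, now + 2 * TOKEN_STEP_SECONDS)}
```

The "wrong_server" case shows why the communication server's IP travels with the pass code: a valid user name and pass code for one organization is rejected when it arrives through another organization's dial-in server.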
The service bureau NAS, in cooperation with one or more communication servers, handles authenticating a plurality of users to an appropriate one of a plurality of host computer networks and arranging for frame relay network connections to the user's respective host computer network. The method includes the steps of connecting remote users with a communication server and verifying a user's authenticity at a NAS with a user name and pass code. As will be recognized by those skilled in the art, the type of computers and communications devices disclosed may be substituted for by any one of a number of commonly available computers and communications devices.
It is intended that the foregoing detailed description be regarded as illustrative rather than limiting, and that it be understood that the following claims, including all equivalents, are intended to define the scope of the invention.