FI108184B - Service access control - Google Patents

Description

1 108184

SERVICE ACCESS CONTROL FIELD OF THE INVENTION

The invention relates to telecommunication systems. More particularly, the invention relates to a method and system for controlling a network service in a communication system comprising a telecommunication network, a first server hosted by the service and connected to a telecommunication network, a directory of a user connected to the telecommunication network, information about user rights in the telecommunication network; and a monitoring component provided on the first server. The method establishes a connection between the terminal and the server and authenticates the user's identity with a certificate when the terminal establishes a connection to the first server.

BACKGROUND OF THE INVENTION

Virtual Virtual Network (VPN) is gaining ground in network solutions that require an advantageously implemented third-party protected network. Hereby, for example, the Internet can be used to communicate and enable

Remote access to a secured intranet * · "or" extranet "used by 25 organizations. Extranet refers to the Internet as a means of communication between organizations that can connect • intranets of participating organizations.

30 Access control is a particular problem in Extranet networks. Network access often has to be "· strictly limited to a predetermined set. Paying online services should ensure that payment transactions are secure and that there is no abuse or ambiguity in the final charge. In a network of confidential information, 108184 2 all network users must trust its security mechanisms to prevent information from being misappropriated.

A solution is known in the art where two hosts can be securely connected using a virtual dedicated network and Internet Protocol Security (IPSec) standard (IPSec) security. The IPSec standard defines a security procedure for Internet Protocol (IP) communications. IPSec enables access control, data integrity, authentication and reliability. All services are available at the IP level, providing protection for IP and / or higher-level protocols.

To ensure security, the management of virtual private networks according to IPSec standard 15 (hereinafter IPSec networks) has usually been centralized. In this case, decentralized management between the operator and, for example, the extranet network provider has been difficult. In addition, it has been difficult to inform the user of the services available and their features. The user must first have connected to the service and only after access control must be used; service menus may have been presented to the customer. Also based on the time or volume of extranet services'; 25 use of the prior art has not been successful. . solutions.

It is an object of the present invention to * · * * eliminate or at least significantly reduce the above problems. It is a further object of the invention to provide a novel method and system for reliably implementing network access control. In addition, the invention enables decentralized access control.

SUMMARY OF THE INVENTION

'': The invention uses a new type of network access control, which can be used to connect, for example, the use of an IPSec network and a directory.

The invention relates to a method in a communication system as described above, wherein the telecommunication network is preferably an IP based network. The method establishes a connection between the terminal and the server. The user identity is authenticated by a certificate, i.e. a digital identity, when the terminal establishes a connection to the first server 10. According to the invention, the certificate used for authentication is passed to the monitoring component. In response to said certificate, a directory inquiry is made about the user rights to the service and the terminal is connected to the service if the user rights 15 are correct. The directory is preferably in accordance with LDAP (Lightweight Directory Access Protocol), for example RFC2251.

In one embodiment, the access control is decentralized by connecting the terminal 20 to a second server first connected to the communication network, from which the user selects the service to be used on the first server. Another server is preferably a WWW server (WWW, World Wide Web). The connection between the terminal and the first or second server may be established as a VPN connection, whereby the user. , is authenticated according to the IPSec standard.

* · * · In one application, information about the monitoring component • · · * is stored in a log file. Also, information about the renegotiation of the connection held by the ·. · * Monitoring component can be stored in a log file.

In one embodiment, the log file is generated at a predetermined time, for example, each time a monitoring component is started.

The invention further relates to a system '' 35 for access control of a network service in a communication system as described above. The system comprises means for assigning a certificate used for authentication to a monitoring component and means for generating a directory inquiry about user rights to the service in response to said certificate. The system further comprises means for connecting the terminal 5 to the service if the user rights are sufficient.

The advantages of the invention over the prior art are that the access control of the machine in the network and the service it provides can be separated. Because a directory is used to access the service, it is also decentralized. In addition, the user may be provided, through said directory, with the information necessary to connect to other services available. Furthermore, the invention enables the monitoring of the use of the services and more advanced billing procedures.

LIST OF FIGURES

The invention will now be described, by way of example, with reference to the accompanying drawing, in which Figure 1 schematically illustrates an inventor. system; Figure 2 schematically illustrates an embodiment; 25 of the invention.

Figure 3 schematically shows an example of a directory system; ♦ ♦ · ··. Figures 4a-4f illustrate, by way of example, the functions of a system in which the user 30 wants to see a list of allowed services; and I · r * · '' in Figures 5a-5d illustrate, by way of example, * * *: system functions in a situation where the user. * · *. selects service.

DETAILED DESCRIPTION OF THE INVENTION

Figure 1 shows a system according to the invention. The terminal TE is connected to the first 108184 5 servers with 1 VPN connection using IPSec authentication. The IPSec module is provided at both ends of a two-point VPN connection. Both the terminal TE and the first server 1 are connected to a telecommunication network 5 which implements IP based communication. The telecommunication network further comprises a second server 2, which is a web server. The second server 2 includes a graphical user interface 4 for providing the user of the terminal TE with visual feedback of events 10 and operations. Feedback is transmitted to the terminal, for example, in HTML format for reading in a special browser. Further, the telecommunication network comprises a directory 3, which in the example case is an LDAP directory. A log server 7 is also connected to the first server 1, and the log file 6 can be used to store information on user-induced actions, for example for billing or tracking purposes. Because the telecommunications network implements, for example, IP based communication, the components 20 may be physically independent of each other.

The first server 1 is provided with, for example, an extranet system for the organization. Correspondingly, the first server 1 may have a commercial service 25 or a confidential function, the access of which is to be protected from unauthorized users.

»» »* ♦ * Figure 2 shows a flow diagram of an embodiment of the method according to the invention. In step 2 0 • * · V · a connection is established from the terminal TE to the first 30 servers 1. When establishing the connection, the user is authenticated according to IPSec, step 21. If authentication is successful, proceed to step 22 where the certificate used for authentication is forwarded to the monitoring for the subscriber 5.

'' 35 In another embodiment, the terminal TE

first establishes a connection to the second server 2, for example based on an HTTP address. In this case, the list of allowed services is again displayed. The strong IPSec authentication described above can also be used in this case. The user is authenticated and the certificate is passed to the control component 5, respectively.

Step 23 checks whether the user is entitled to the service, which in the example case is S2. The certificate held by the control component 5 provides the user with a unique name. The name is used to create a directory query from the monitoring component 5 to the LDAP directory 3, where a profile of user rights is stored. The monitoring component 5 returns the information to the VPN software on the server, which either allows or denies access to the requested service S2. If the user does not have the right to the service in question, a notification may be returned to the terminal TE. If the service S2 is allowed to the user, the terminal TE is connected to the service S2, step 24.

In one embodiment of the invention, access control is combined with access tracking, for example, for billing or statistics purposes. In step 25, it is checked whether information about the event is recorded in the log file 6. In step 26, the monitoring element 5 transfers the data from the event to the log file 6. The log file 6 may be part of the first server 1 or be part of the log server *.

Figure 3 schematically illustrates an example of a directory structure used in connection with the present invention. The boxes contain: * · *, by way of example, detailed definitions corresponding to the units CN = Org2, CN = S2 and CN = 0rg3 in the directory.

Figs. 4a-4f illustrate the functionalities used by the system 35 according to the invention in a state where the user wants to see a list of allowed services. The user selects a TE address, which is a unique identifier of a file or directory on the Internet and the protocol needed to access them, such as http://www.sonera.fi/create. The user is authenticated and the certificate information 5 is passed to the monitoring component 5 which checks whether the user is allowed access to the service. If the terminal TE is allowed to use the web server 2, the web server 2 performs an LDAP search as shown in Figure 4a. In this case, WS1 is the unique name of the terminal TE. In the example system, the search returns "Response: C = FI, 0 = 0rgl, CN = WS1".

Using the domain name found, the LDAP lookup operations of Figure 4b can be used to find the allowed services. If there are multiple parallel layers in the network-15 address, an LDAP lookup can be performed for each layer to find common services for the entire sub-directory of the network address. The attributes of the userServicesList attribute can be traced from search feedback. Any 20 duplicate userServicesList values can then be removed.

Based on the contents of the userServicesList, three LDAP lookups are executed to provide detailed descriptions of the services allowed to WS1. Said searches are shown in Figures 4c-4e. It should be noted that a wider range may also be selected. *: list of service attributes. Extracted from search feedback • · · V: values for selected attributes. Figure 4f shows; Feedback generated by the web server 2 to the user interface 4 of the graphical user interface 4, comprising the network address and service attributes.

Figures 5a-5f illustrate exemplary functions used by the system of the invention when the user wants to use the service 35 S2. The user selects the service from WWW server 2 at http: //www,org2.fi/S2. The user is authenticated and the certificate is transmitted from the user terminal 108 1084 to the control component 5, which in turn retrieves the unique name of the terminal from the WS1 certificate. Thereafter, the monitoring component 5 performs binding operations with simple trunk-5 supports to the directory 3. The monitoring component 5 also performs LDAP lookup operations such as those shown in Figures 5a to 5b to find the services allowed for the terminal WS1.

The search feedback returns 10 userServicesList. The value C = FI, 0 = 0rg3, CN = S3 will not be created for userServicesList as it will not be allowed by access control. Using the contents of the userServicesList, LDAP comparison operations are initiated to check whether the service accessed through the particular monitoring component 5 is allowed for said terminal device WS1. The first LDAP comparison operation is shown in Figure 5c. If the search returns com-pareTrue, no new LDAP operation is required. In this case, the monitoring component returns a positive response, after which the terminal TE is connected to the desired service http: //www.org2,en/S2. If the search returns a compareFalse value, the LDAP comparison operation of Figure 5d is performed, whereupon the sufficiency of the service to S2 is checked.

25 A loop like the one described above is repeated until feedbackTrue or all * · *: sAllowedService values are checked. The control compo- * * »» Φ · *. * * Item 5 returns a negative response if no value can be obtained by comparing • • t V * with compareTrue and all values of sAllowedSer- vices are checked.

· * · *; Control component 5 gets its own ID: ·: * ♦ SEId at start-up from the Management Information Base (MIB). If any of the services connected to the monitoring component 5 is allowed to the terminal TE, other services connected to the monitoring component 5 are also allowed.

108184 9

The invention is not limited solely to the above exemplary embodiments, but many modifications are possible within the scope of the inventive idea defined by the claims. 5

I I I

ft ft 4 • tl • · * «t • $ $ m · · • • i« i> i 1 II 1

t {if • {I

«·

Claims (18)

1β 108184 A method for access control of a network service (S2) in a communication system, comprising: a communication network; A first server (1) provided with the service (S2) and connected to the telecommunication network; a terminal (TE) for connecting the user to the communication network; A directory (3) connected to a telecommunication network comprising information about the user's rights in the telecommunication network; and a monitoring component (5) provided on the first server (1); the method of: establishing a connection between the terminal (TE) and the first server (1); and verifying the identity of the user with a certificate when the terminal (TE) establishes a connection to the first server (1); Characterized in that the method comprises the steps of: passing a certificate used for authentication to a monitoring component (5); '; 1; generating, in response to said certificate, a directory inquiry about the user's rights to the service (S2); and • · connect the terminal (TE) to the service (S2) if: user rights are sufficient. A method according to claim 1, characterized in that the access control is decentralized by first establishing a connection with the terminal (TE) to the second server connected to the communication network. a user (2), from which the user selects the service (S2) to be used on the first server (1). Method according to claim 1 or 2, characterized in that a connection is established (between the terminal (TE) and the server (1, 2) as VPN-H 108184, whereby the user is authenticated according to the IPSec standard). Method according to claim 1, 2 or 3, characterized in that information about the events of the monitoring component (5) is stored in a log file (6) connected to the communication network. Method according to claim 1, 2, 3 or 4, characterized by storing the information of the monitoring component (5) on the renegotiation of the connection to the log file (6). Method according to claim 1, 2, 3, 4 or 5, characterized in that a log file (6) is created at a predetermined time. Method according to claim 1, 2, 3, 4, 5 or 6 15, characterized in that the second server (2) is a web server. Method according to claim 1, 2, 3, 4, 5, 6 or 7, characterized in that the communication network is an IP-based network. 2 0 Method according to claim 1, 2, 3, 4, 5, 6, 7 or 8, characterized in that the directory (3) is in accordance with the LDAP protocol. A system for controlling access to a network service in a communication system comprising: 25 a communications network; the first server (1) to be hosted. : service (S2) and connected to a telecommunication network k * *; A terminal device (TE) to which the user is connected * 30 • to a telecommunications network; a directory (3) connected to a communication network comprising information about user rights in the communication network; and a monitoring component (5) provided on the en-35 first server (1); where:. a connection can be established between the terminal (TE) and the first server (1) / ·; and 108184 12, the identity of the user is verifiable by a certificate when the terminal (TE) establishes a connection to the first server (1); characterized in that the system comprises: 5 means for forwarding a certificate used for authentication to a monitoring component (5); means for generating a directory query of the user's rights to the service in response to said certificate; and 10 means for connecting the terminal to the service if the user rights are sufficient. System according to claim 10, characterized in that a second server (2) is connected to the telecommunication network, to which the connection is first established 15 and from which the service (S2) of the first server (1) can be selected. System according to claim 10 or 11, characterized in that the terminal (TE) and the server (1, 2) are connected via a VPN connection, whereby the user can be verified according to the IPSec standard. System according to claim 10, 11 or 12, characterized in that the system comprises means for storing the activity data of the monitoring component (5) in a log file (6) connected to the communication network. A system according to claim 10, 11, 12 or 13, characterized in that the system comprises means for renegotiating the communication link of the monitoring component (5) to a log file (5). 6). • # I System according to claim 10, 11, 12, 13 or 14 ··· V *, characterized in that the system comprises means for storing a log file (6) at a predetermined time. 108184 13 System according to Claim 10, 11, 12, 13, 14 or 15, characterized in that the second server (2) is a WWW server. System according to claim 10, 11, 12, 13, 14, 5 15 or 16, characterized in that the communication network is an IP-based network. System according to claim 10, 11, 12, 13, 14, 15, 16 or 17, characterized in that the directory (3) is in accordance with the LDAP protocol. 10 108184 14