WO2008140367A1 - Improved resource sharing for a private network - Google Patents
- Publication number: WO2008140367A1 (application PCT/SE2007/050319)
- Authority: WO, WIPO (PCT)
- Prior art keywords: network, resources, access, users, access control
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Abstract
The invention discloses a computer network (110) comprising a number of resources (130, 140) such as file servers, media servers, file libraries etc, which are accessible to users within the network (110). The network also comprises an access control gateway function (150) for allowing users (160) who are external to the network (110) to access at least some of said resources (130, 140) within the network. The access control gateway function (150) discriminates external users (160) on the basis of Access Control Lists, ACL lists, which contain information regarding which external users may access said resources in the network, and data regarding which of said resources may be accessed by said external users, and to which extent.
Description
TITLE
Improved resource sharing for a private network.
TECHNICAL FIELD
The present invention discloses a method and a device for improved resource sharing between a private computer network and users external to the network.
BACKGROUND
A private computer network, i.e. a network which belongs to, for example, an organization, an individual or a home, may have the need to make some of its resources, such as, for example, web servers, file servers, media servers, file libraries etc., available to users that are external to the network. However, it is still necessary for the owner or operator of the network to retain at least some degree of control over the access that external users have to the resources within the network.
One example of a known solution to this is to create a so called Demilitarized Zone, a DMZ, which can be accessed from outside the private network as well as from inside the private network. It is however not possible to access resources in the private network directly from outside the private network. Instead, the resources which it is desired to share with external users need to be exported to the DMZ in question. One DMZ can be created for each external user, or a plurality of external users can access one and the same DMZ.
Most existing solutions do not have the possibility to export a set of chosen resources from one private network into another private network.
SUMMARY
It is an object of the present invention to obviate at least some of the above mentioned disadvantages, and to provide an improved computer network for the applications mentioned above.
This need is addressed by the present invention in that it discloses a computer network which comprises a number of resources such as file servers, media servers, file libraries etc, which are accessible to users within the network.
In addition, the network of the invention also comprises an access control gateway function for allowing users who are external to the network to access at least some of the resources within the network. According to the invention, the access control gateway function discriminates external users on the basis of Access Control Lists, ACL lists, which contain information regarding which external users may access said resources in the network, and also contain data regarding which of said resources may be accessed by said external users.
Suitably but not necessarily, external users may access resources within the network of the invention by means of encrypted so called data tunnels.
An area in which the invention may be of particular interest is so called Virtual Private Networks, VPNs.
The invention also discloses a method for use in a computer network, and an access control gateway function for use in a computer network.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will be described in more detail in the following, with the aid of the appended drawings, in which
Fig 1 shows a system in which the invention may be applied, and Fig 2 shows a flow chart of a method according to the invention.
DETAILED DESCRIPTION
Fig 1 shows a system 100 in which the present invention may be applied. The invention will be described in the following with reference to a so called Virtual Private Network, a VPN, but it should be pointed out that this is merely an example, the invention can be applied to a wide range of different kinds of networks, as will be apparent to the man skilled in the field.
Fig 1 shows a system 100 which comprises a first VPN 110, which in turn comprises a first Local Area Network, a LAN, 120. The VPN 110 comprises a number of different resources, exemplified by a server 130 and a computer 140. However, the number of resources within the VPN 110, and the nature of those resources, can be varied more or less arbitrarily; the amount of resources shown in fig 1 and the nature of those resources are merely examples intended to facilitate the reader's understanding of the invention.
As is also shown in fig 1, in the system 100 there is at least one other user in the system, shown in fig 1 as a network 160. The network 160 is a network which is external to the first network 110, and may be a LAN or a VPN, or merely an individual user such as a computer or a server in the system 100.
In some situations it may be desirable for the owner or operator of the VPN 110 to allow the other user 160 access to some or all of the resources within the VPN 110.
In order to allow such controlled access by external users to some or all of the resources in the VPN 110, the VPN 110 is equipped with an "access control gateway" function 150. The access control gateway function 150 serves to discriminate or control access by external users to the resources of the VPN 110 in the following fashion: the owner or operator of the VPN 110, or some other person who has the proper authorization, establishes a list or definition of which external users may access the VPN, as well as which of the VPN's resources those users may access, and the extent of the access allowed to those external users for the resources in question.
The list or lists which are established for controlling the access of users external to the VPN may be seen as so called Access Control Lists, ACL lists.
As can be seen, the access control gateway function 150 is suitably a software function which is integrated in the VPN 110, although the access control gateway function 150 may also conceivably be designed as a special hardware "box" which may be attached to the VPN 110. Naturally, the access control gateway function may also be designed as a combination of software and hardware.
Fig 2 shows a possible flow chart 200 of some steps in a method of the invention. Steps which are alternatives or options are shown with dashed lines. It should be pointed out that the steps in the flow chart 200 do not need to be carried out in the order shown in the flow chart, as will be realized by the man skilled in the art.
In step 210, the resources of the network 110 which it is desired for one or more external users to be able to access are defined. In addition, the extent to which those resources should be accessible to the users in question is also defined. If, for example, the resource in question is a file server, it would be possible to define that the external users should only be allowed access to some of the files on the server, and conceivably also how the files may be accessed by the external users, i.e. whether the external users should be allowed one or more of the group of privileges which can be defined as "r, w, d, x", i.e. read, write, delete, execute, for objects such as files and other resources within the VPN. Naturally, other access rights are also conceivable; the rights shown here are merely examples intended to facilitate the reader's understanding of the invention.
When the resources have been defined in step 210, an ACL list as such for the resources which were defined in step 210 may be defined in step 220.
As shown in step 230, an ACL list is suitably defined by means of one or more of the following:
• A password, PW,
• A user ID, UI,
• A VPN ID or a network ID, i.e. an identity which is unique for another VPN or network in the system 100.
The person who has established the ACL list may then inform the external users of the password and/or user ID which they have been assigned and should use when attempting to access the VPN 110. As an alternative, if, for example, a network ID such as the VPN ID is used, the external user may be granted access solely on the basis of this, i.e. the access control gateway function 150 recognizes the user ID of the entity that is trying to access the VPN 110, and automatically grants it the correct level of access.
As shown in fig 1, there is a connection 170 to the access control gateway function 150 of the VPN 110 from the system 100, which may be accessed by external users such as the other user 160. If it is desired to increase the level of security of the external access, the connection 170 may be by means of encrypted so called data tunnels, which as such are well known to those skilled in the art, and which thus will not be described in more detail here.
Suitably, the network 110 of the invention is reached by external users within the system 100 by means of a specific public URL for the network 110.
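The procedure of steps 210 to 230, as an added worked example in Python that is not part of the patent: step 210 defines which resources are exported and with which of the "r, w, d, x" rights, step 220 builds the ACL, and step 230 keys each ACL entry either to a user ID plus password or to a network ID that is recognised on its own. Everything not explicitly granted is denied. The resource naming scheme ("server:path", with a trailing slash exporting a subtree), the PBKDF2 password storage, and the sample principals and resources are assumptions of this example; the patent only says that a password, a user ID and/or a VPN ID are checked.

```python
import hashlib
import hmac
import posixpath
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four example privileges named in the description: read, write, delete, execute.
RIGHTS = frozenset("rwdx")


@dataclass(frozen=True)
class Grant:
    """Step 210: one exported resource and the extent of access allowed on it.
    Resource naming is an assumption of this example: "<server>:<path>", where a
    path ending in "/" covers everything below it, so only part of a file server
    need be shared."""
    resource: str
    rights: frozenset


@dataclass(frozen=True)
class Principal:
    """Step 230: an external user (user ID + password) or an external
    network recognised solely by its VPN/network ID."""
    kind: str            # "user" or "network"
    grants: Tuple[Grant, ...]
    salt: bytes = b""
    pw_hash: bytes = b""


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption of this example: PBKDF2-HMAC-SHA256; the patent does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccessControlGateway:
    """Step 220: the ACL, keyed by the identity presented to the gateway.
    Anything not explicitly granted is denied."""

    def __init__(self) -> None:
        self._acl = {}      # identity -> Principal
        self.audit = []     # (identity, resource, right, decision) for every request

    def add_user(self, user_id: str, password: str, grants: List[Grant]) -> None:
        salt = secrets.token_bytes(16)
        self._acl[user_id] = Principal("user", tuple(grants), salt,
                                       _hash_password(password, salt))

    def add_network(self, network_id: str, grants: List[Grant]) -> None:
        self._acl[network_id] = Principal("network", tuple(grants))

    def authenticate(self, identity: str, password: Optional[str] = None) -> bool:
        principal = self._acl.get(identity)
        if principal is None:
            return False
        if principal.kind == "network":
            return True   # granted solely on the network ID, as the description allows
        if password is None:
            return False
        candidate = _hash_password(password, principal.salt)
        return hmac.compare_digest(candidate, principal.pw_hash)  # constant-time compare

    def authorize(self, identity: str, resource: str, right: str) -> bool:
        principal = self._acl.get(identity)
        if principal is None or right not in RIGHTS:
            return False
        server, _, raw_path = resource.partition(":")
        # Collapse ".." before matching, so "/shared/../etc" cannot escape the exported share.
        path = posixpath.normpath("/" + raw_path.lstrip("/"))
        for grant in principal.grants:
            g_server, _, g_path = grant.resource.partition(":")
            if g_server != server or right not in grant.rights:
                continue
            if g_path.endswith("/"):
                if path == g_path.rstrip("/") or path.startswith(g_path):
                    return True
            elif path == g_path:
                return True
        return False

    def request(self, identity: str, resource: str, right: str,
                password: Optional[str] = None) -> bool:
        """The full check an external request passes through: identify, then authorise."""
        allowed = (self.authenticate(identity, password)
                   and self.authorize(identity, resource, right))
        self.audit.append((identity, resource, right, "allow" if allowed else "deny"))
        return allowed


def build_demo_gateway() -> AccessControlGateway:
    """Constructed sample ACL (not from the patent): one partner user with read/write
    on a single project share, and one partner VPN with read-only access to a media library."""
    gw = AccessControlGateway()
    gw.add_user("partner-alice", "correct horse battery staple",
                [Grant("fileserver:/shared/projects/", frozenset("rw"))])
    gw.add_network("vpn-partner-b",
                   [Grant("mediaserver:/library/", frozenset("r"))])
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    pw = "correct horse battery staple"
    print(gw.request("partner-alice", "fileserver:/shared/projects/plan.doc", "r", pw))  # True
    print(gw.request("partner-alice", "fileserver:/shared/projects/../../etc/passwd", "r", pw))  # False
    print(gw.request("vpn-partner-b", "mediaserver:/library/film.mkv", "w"))  # False: read only
```

The path normalisation in `authorize` is the check a practitioner would want when only "some of the files on the server" are exported: without it, a request naming a path below the share that climbs back out with `..` would match the prefix and reach files that were never defined in step 210. The audit list records every decision so that denied attempts by unknown identities or wrong passwords are visible to the operator.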
Claims
1. A computer network (110) comprising a number of resources (130, 140) such as file servers, media servers, file libraries etc, which are accessible to users within the network (110), the network comprising an access control gateway function (150) for allowing users (160) who are external to the network (110) to access at least some of said resources (130, 140) within the network, the network being characterized in that said access control gateway function (150) discriminates external users (160) on the basis of Access Control Lists, ACL lists, which contain information regarding which external users that may access said resources in the network and data regarding which of said resources that may be accessed by said external users, and to which extent.
2. The network (110) of claim 1, in which the external users (160) may access resources within the network (110) by means of encrypted data tunnels (170).
3. The network (110) of claim 1 or 2, in which said external users (160) that may access the network can be individual users or other networks, such as Virtual Private Networks.
4. The network (110) of any of the previous claims, which may be reached by said external users (160) by means of a specific URL.
5. The network (110) of any of the previous claims, in which said external users (160) may access the resources (130, 140) allowed to them by means of a password and a user name, which are checked by said access control gateway function (150).
6. The network (110) of any of the previous claims, being a so called Virtual Private Network, a VPN.
7. A method (200) for use in a computer network (110) which comprises a number of resources (130, 140) such as file servers, media servers, file libraries etc, which are accessible to users within the network (110), the method comprising the step of equipping the network with an access control gateway function (150) for allowing users (160) who are external to the network (110) to access at least some of said resources (130, 140) within the network, the method (200) being characterized in that said access control gateway function (150) is made to discriminate external users (160) on the basis of Access Control Lists, ACL lists (220), the method also comprising the step (210) of defining which of said resources (130, 140) in the network (110) may be accessed by said external users (160), and to what extent.
8. The method (200) of claim 7, according to which said external users (160) are allowed to access resources within the network (110) by means of encrypted data tunnels (170).
9. The method (200) of claim 7 or 8, according to which said external users (160) that may access the network can be individual users or other networks, such as Virtual Private Networks.
10. The method (200) of any of claims 7-9, according to which the network (110) may be reached by said external users (160) by means of a specific URL.
11. The method (200) of any of claims 7-10, according to which said external users (160) may access the resources (130, 140) allowed to them by means of a password and a user name, which are checked by said access control gateway function (150).
12. The method (200) of any of claims 7-11, applied to a so called Virtual Private Network, a VPN.
13. An access control gateway function (150) for use in a computer network (110) which comprises a number of resources (130, 140) such as file servers, media servers, file libraries etc, which are accessible to users within the network (110), which access control gateway function (150) allows users (160) who are external to the network (110) to access at least some of said resources (130, 140) within the network, the access control gateway function (150) being characterized in that it discriminates external users (160) on the basis of Access Control Lists, ACL lists, which contain information regarding which external users that may access said resources in the network and data regarding which of said resources that may be accessed by said external users, and to which extent.
14. The access control gateway function (150) of claim 13, which comprises a function for checking said external users (160) who attempt to access the resources (130, 140) by means of a password and a user name.
15. The access control gateway function (150) of claim 13 or 14, being deployed in a so called Virtual Private Network, a VPN.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/SE2007/050319 (WO2008140367A1, en) | 2007-05-09 | 2007-05-09 | Improved resource sharing for a private network |
Publications (1)

| Publication Number | Publication Date |
|---|---|
| WO2008140367A1 (en) | 2008-11-20 |

Family ID: 38517324
Country Status (1)

| Country | Link |
|---|---|
| WO (1) | WO2008140367A1 (en) |
Application events: 2007-05-09, PCT/SE2007/050319 filed (WO), published as WO2008140367A1; status: active, application filing.
Patent Citations (4)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6189103B1 (en) * | 1998-07-21 | 2001-02-13 | Novell, Inc. | Authority delegation with secure operating system queues |
| US20030005123A1 (en) * | 2000-11-10 | 2003-01-02 | Hatem Trabelsi | Method and device for securing a portal in a computer system |
| US20020112186A1 (en) * | 2001-02-15 | 2002-08-15 | Tobias Ford | Authentication and authorization for access to remote production devices |
| EP1418730A2 (en) * | 2002-11-06 | 2004-05-12 | AT&T Corp. | Virtual private network crossovers based on certificates |
Cited By (3)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2012159338A1 (en) * | 2011-07-21 | 2012-11-29 | 华为技术有限公司 | Flow distribution method, flow distribution device and flow distribution system for virtual private network |
| CN103004145A (en) * | 2011-07-21 | 2013-03-27 | 华为技术有限公司 | Flow distribution method, flow distribution device and flow distribution system for virtual private network |
| CN103004145B (en) * | 2011-07-21 | 2015-04-08 | 华为技术有限公司 | Flow distribution method, flow distribution device and flow distribution system for virtual private network |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07748480; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 07748480; Country of ref document: EP; Kind code of ref document: A1 |