WO2008140367A1 - Improved resource sharing for a private network - Google Patents

Improved resource sharing for a private network

Info

Publication number
WO2008140367A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
resources
access
users
access control
Prior art date
Application number
PCT/SE2007/050319
Other languages
French (fr)
Inventor
Sten Rune Pettersson
Hans-Åke LUND
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Priority to PCT/SE2007/050319
Publication of WO2008140367A1

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The invention discloses a computer network (110) comprising a number of resources (130, 140) such as file servers, media servers, file libraries etc., which are accessible to users within the network (110). The network also comprises an access control gateway function (150) for allowing users (160) who are external to the network (110) to access at least some of said resources (130, 140) within the network. The access control gateway function (150) discriminates external users (160) on the basis of Access Control Lists, ACL lists, which contain information regarding which external users may access said resources in the network, and data regarding which of said resources may be accessed by said external users, and to which extent.

Description

TITLE
Improved resource sharing for a private network.
TECHNICAL FIELD
The present invention discloses a method and a device for improved resource sharing between a private computer network and users external to the network.
BACKGROUND
A private computer network, i.e. a network which belongs to, for example, an organization, an individual or a home, may have the need to make some of its resources, such as, for example, web servers, file servers, media servers, file libraries etc., available to users that are external to the network. However, it is still necessary for the owner or operator of the network to retain at least some degree of control over the access that external users have to the resources within the network.
One example of a known solution to this is to create a so called Demilitarized Zone, a DMZ, which can be accessed from outside the private network as well as from inside the private network. It is however not possible to access resources in the private network directly from outside the private network. Instead, the resources which it is desired to share with external users need to be exported to the DMZ in question. One DMZ can be created for each external user, or a plurality of external users can access one and the same DMZ.
Most existing solutions do not have the possibility to export a set of chosen resources from one private network into another private network.
SUMMARY
It is an object of the present invention to obviate at least some of the above mentioned disadvantages, and to provide an improved computer network for the applications mentioned above.
This need is addressed by the present invention in that it discloses a computer network which comprises a number of resources such as file servers, media servers, file libraries etc., which are accessible to users within the network.
In addition, the network of the invention also comprises an access control gateway function for allowing users who are external to the network to access at least some of the resources within the network. According to the invention, the access control gateway function discriminates external users on the basis of Access Control Lists, ACL lists, which contain information regarding which external users may access said resources in the network, and also contain data regarding which of said resources may be accessed by said external users.
Suitably but not necessarily, external users may access resources within the network of the invention by means of encrypted so called data tunnels.
An area in which the invention may be of particular interest is so called Virtual Private Networks, VPNs.
The invention also discloses a method for use in a computer network, and an access control gateway function for use in a computer network.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will be described in more detail in the following, with the aid of the appended drawings, in which
Fig 1 shows a system in which the invention may be applied, and Fig 2 shows a flow chart of a method according to the invention.
DETAILED DESCRIPTION
Fig 1 shows a system 100 in which the present invention may be applied. The invention will be described in the following with reference to a so called Virtual Private Network, a VPN, but it should be pointed out that this is merely an example; the invention can be applied to a wide range of different kinds of networks, as will be apparent to the man skilled in the field.
Fig 1 shows a system 100 which comprises a first VPN 110, which in turn comprises a first Local Area Network, a LAN, 120. The VPN 110 comprises a number of different resources, exemplified by a server 130 and a computer 140. However, the number of resources within the VPN 110, and the nature of those resources, can be varied more or less arbitrarily; the amount of resources shown in fig 1 and the nature of those resources are merely examples intended to facilitate the reader's understanding of the invention.
As is also shown in fig 1, in the system 100 there is at least one other user in the system, shown in fig 1 as a network 160. The network 160 is a network which is external to the first network 110, and may be a LAN or a VPN, or merely an individual user such as a computer or a server in the system 100.
In some situations it may be desirable for the owner or operator of the VPN 110 to allow the other user 160 access to some or all of the resources within the VPN 110.
In order to allow such controlled access by external users to some or all of the resources in the VPN 110, the VPN 110 is equipped with an "access control gateway" function 150. The access control gateway function 150 serves to discriminate or control access by external users to the resources of the VPN 110 in the following fashion: the owner or operator of the VPN 110, or some other person who has the proper authorization, establishes a list or definition of which external users that may access the VPN, as well as which of the VPN's resources that those users may access, and the extent of the access allowed to those external users for the resources in question.
The list or lists which are established for controlling the access of users external to the VPN may be seen as so called Access Control Lists, ACL lists.
As can be seen, the access control gateway function 150 is suitably a software function which is integrated in the VPN 110, although the access control gateway function 150 may also conceivably be designed as a special hardware "box" which may be attached to the VPN 110. Naturally, the access control gateway function may also be designed as a combination of software and hardware.
Fig 2 shows a possible flow chart 200 of some steps in a method of the invention. Steps which are alternatives or options are shown with dashed lines. It should be pointed out that the steps in the flow chart 200 do not need to be carried out in the order shown in the flow chart, as will be realized by the man skilled in the art.
In step 210, the resources of the network 110 which it is desired for one or more external users to be able to access are defined. In addition, the extent to which those resources should be accessible to the users in question is also defined. If, for example, the resource in question is a file server, it would be possible to define that the external users should only be allowed access to some of the files on the server, and conceivably also how the files may be accessed by the external users, i.e. whether the external users should be granted one or more of the privileges which can be defined as "r, w, d, x", i.e. read, write, delete, execute, for objects such as files and other resources within the VPN. Naturally, other access rights are also conceivable; the rights shown here are merely examples intended to facilitate the reader's understanding of the invention. When the resources have been defined in step 210, an ACL list as such for the resources which were defined in step 210 may be defined in step 220.
As shown in step 230, an ACL list is suitably defined by means of one or more of the following:
• A password, PW,
• A user ID, UI,
• A VPN ID or a network ID, i.e. an identity which is unique for another VPN or network in the system 100.
The person who has established the ACL list may then inform the external users of the password and/or user ID which they have been assigned and should use when attempting to access the VPN 110. As an alternative, if, for example, a network ID such as the VPN ID is used, the external user may be granted access solely on the basis of this, i.e. the access control gateway function 150 recognizes the user ID of the entity that is trying to access the VPN 110, and automatically grants it the correct level of access.
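The following is an added illustration of steps 210 to 230 and of the gateway check, not code from the patent: it models an ACL entry as a set of per-resource grants drawn from the "r, w, d, x" privileges, keyed either by user ID plus password or by a network/VPN ID. The resource naming convention ("server:/path"), the longest-prefix matching rule, the password hashing and the sample entries are assumptions chosen for the example; the gateway denies by default and answers only what the ACL explicitly grants.

```python
"""Toy model of the ACL-driven access control gateway (function 150).

Added illustration, not code from the patent: the data model, the
"server:/path" resource convention and the demo entries are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# The access rights named in the description: read, write, delete, execute.
PRIVILEGES = frozenset("rwdx")


@dataclass(frozen=True)
class ResourceGrant:
    """Step 210: one resource (or a part of it) and the extent of access allowed."""
    resource: str        # assumed convention: "<server>:/<path>"
    rights: frozenset    # subset of PRIVILEGES


@dataclass(frozen=True)
class AclEntry:
    """Steps 220/230: an ACL entry keyed by user ID + password or by a network/VPN ID."""
    grants: Tuple[ResourceGrant, ...]
    user_id: Optional[str] = None
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None
    network_id: Optional[str] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash; the gateway never keeps the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class AccessControlGateway:
    """Identifies an external user against the ACL, then answers per-resource checks."""

    def __init__(self) -> None:
        self._by_user: Dict[str, AclEntry] = {}
        self._by_network: Dict[str, AclEntry] = {}

    def add_user_entry(self, user_id: str, password: str, grants: Iterable[ResourceGrant]) -> None:
        salt = secrets.token_bytes(16)
        self._by_user[user_id] = AclEntry(
            grants=tuple(grants), user_id=user_id, salt=salt,
            password_hash=_hash_password(password, salt))

    def add_network_entry(self, network_id: str, grants: Iterable[ResourceGrant]) -> None:
        self._by_network[network_id] = AclEntry(grants=tuple(grants), network_id=network_id)

    def authenticate(self, *, user_id: Optional[str] = None, password: Optional[str] = None,
                     network_id: Optional[str] = None) -> Optional[AclEntry]:
        """Return the caller's ACL entry, or None when nothing matches.

        A recognised network ID is sufficient on its own, as the description
        allows; otherwise both user ID and password must match.
        """
        if network_id is not None:
            return self._by_network.get(network_id)
        entry = self._by_user.get(user_id or "")
        if entry is None or password is None:
            return None
        if hmac.compare_digest(_hash_password(password, entry.salt), entry.password_hash):
            return entry
        return None

    @staticmethod
    def check(entry: Optional[AclEntry], resource: str, right: str) -> bool:
        """Default deny: the most specific matching grant decides whether `right` is allowed."""
        if entry is None or right not in PRIVILEGES:
            return False
        matching = [g for g in entry.grants
                    if resource == g.resource or resource.startswith(g.resource.rstrip("/") + "/")]
        if not matching:
            return False
        best = max(matching, key=lambda g: len(g.resource))   # longest prefix wins
        return right in best.rights


def build_demo_gateway() -> AccessControlGateway:
    """Constructed sample ACL: one external user and one external VPN (values are made up)."""
    gw = AccessControlGateway()
    gw.add_user_entry("alice", "correct horse battery staple", [
        ResourceGrant("fileserver:/shared", frozenset("r")),            # read-only by default
        ResourceGrant("fileserver:/shared/reports", frozenset("rw")),   # write only in reports
    ])
    gw.add_network_entry("vpn-partner-7", [
        ResourceGrant("mediaserver:/public", frozenset("r")),
    ])
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    alice = gw.authenticate(user_id="alice", password="correct horse battery staple")
    print("alice may write reports/q1.txt:", gw.check(alice, "fileserver:/shared/reports/q1.txt", "w"))
    print("alice may write shared/notes.txt:", gw.check(alice, "fileserver:/shared/notes.txt", "w"))
    print("partner VPN may read public media:", gw.check(
        gw.authenticate(network_id="vpn-partner-7"), "mediaserver:/public/intro.mp4", "r"))
```

The two lookups are deliberately separate: `authenticate` establishes which ACL entry the external party is, and `check` is called once per resource operation, so a user who is known to the gateway still gets nothing that step 210 did not list for them.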
As shown in fig 1, there is a connection 170 to the access control gateway function 150 of the VPN 110 from the system 100, which may be accessed by external users such as the other user 160. If it is desired to increase the level of security in the external access, the connection 170 may be by means of encrypted so called data tunnels, which as such are well known to those skilled in the art, and which thus will not be described in more detail here.
Suitably, the network 110 of the invention is reached by external users within the system 100 by means of a specific public URL for the network 110.

Claims

1. A computer network (110) comprising a number of resources (130, 140) such as file servers, media servers, file libraries etc, which are accessible to users within the network (110), the network comprising an access control gateway function (150) for allowing users (160) who are external to the network (110) to access at least some of said resources (130, 140) within the network, the network being characterized in that said access control gateway function (150) discriminates external users (160) on the basis of Access Control Lists, ACL lists, which contain information regarding which external users that may access said resources in the network and data regarding which of said resources that may be accessed by said external users, and to which extent.
2. The network (110) of claim 1, in which the external users (160) may access resources within the network (110) by means of encrypted data tunnels (170).
3. The network (110) of claim 1 or 2, in which said external users (160) that may access the network can be individual users or other networks, such as Virtual Private Networks.
4. The network (110) of any of the previous claims, which may be reached by said external users (160) by means of a specific URL.
5. The network (110) of any of the previous claims, in which said external users (160) may access the resources (130, 140) allowed to them by means of a password and a user name, which are checked by said access control gateway function (150).
6. The network (110) of any of the previous claims, being a so called Virtual Private Network, a VPN.
7. A method (200) for use in a computer network (110) which comprises a number of resources (130, 140) such as file servers, media servers, file libraries etc, which are accessible to users within the network (110), the method comprising the step of equipping the network with an access control gateway function (150) for allowing users (160) who are external to the network (110) to access at least some of said resources (130, 140) within the network, the method (200) being characterized in that said access control gateway function (150) is made to discriminate external users (160) on the basis of Access Control Lists, ACL lists (220), the method also comprising the step (210) of defining which of said resources (130, 140) in the network (110) that may be accessed by said external users (160), and to what extent.
8. The method (200) of claim 7, according to which said external users (160) are allowed to access resources within the network (110) by means of encrypted data tunnels (170).
9. The method (200) of claim 7 or 8, according to which said external users (160) that may access the network can be individual users or other networks, such as Virtual Private Networks.
10. The method (200) of any of claims 7-9, according to which the network (110) may be reached by said external users (160) by means of a specific URL.
11. The method (200) of any of claims 7-10, according to which said external users (160) may access the resources (130, 140) allowed to them by means of a password and a user name, which are checked by said access control gateway function (150).
12. The method (200) of any of claims 7-11, applied to a so called Virtual Private Network, a VPN.
13. An access control gateway function (150) for use in a computer network (110) which comprises a number of resources (130, 140) such as file servers, media servers, file libraries etc, which are accessible to users within the network (110), which access control gateway function (150) allows users (160) who are external to the network (110) to access at least some of said resources (130, 140) within the network, the access control gateway function (150) being characterized in that it discriminates external users (160) on the basis of Access Control Lists, ACL lists, which contain information regarding which external users that may access said resources in the network and data regarding which of said resources that may be accessed by said external users, and to which extent.
14. The access control gateway function (150) of claim 13, which comprises a function for checking said external users (160) who attempt to access the resources (130, 140) by means of a password and a user name.
15. The access control gateway function (150) of claim 13 or 14, being deployed in a so called Virtual Private Network, a VPN.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/SE2007/050319 WO2008140367A1 (en) 2007-05-09 2007-05-09 Improved resource sharing for a private network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SE2007/050319 WO2008140367A1 (en) 2007-05-09 2007-05-09 Improved resource sharing for a private network

Publications (1)

Publication Number Publication Date
WO2008140367A1 true WO2008140367A1 (en) 2008-11-20

Family

ID=38517324

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2007/050319 WO2008140367A1 (en) 2007-05-09 2007-05-09 Improved resource sharing for a private network

Country Status (1)

Country Link
WO (1) WO2008140367A1 (en)


Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6189103B1 (en) * 1998-07-21 2001-02-13 Novell, Inc. Authority delegation with secure operating system queues
US20030005123A1 (en) * 2000-11-10 2003-01-02 Hatem Trabelsi Method and device for securing a portal in a computer system
US20020112186A1 (en) * 2001-02-15 2002-08-15 Tobias Ford Authentication and authorization for access to remote production devices
EP1418730A2 (en) * 2002-11-06 2004-05-12 AT&T Corp. Virtual private network crossovers based on certificates

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012159338A1 (en) * 2011-07-21 2012-11-29 华为技术有限公司 Flow distribution method, flow distribution device and flow distribution system for virtual private network
CN103004145A (en) * 2011-07-21 2013-03-27 华为技术有限公司 Flow distribution method, flow distribution device and flow distribution system for virtual private network
CN103004145B (en) * 2011-07-21 2015-04-08 华为技术有限公司 Flow distribution method, flow distribution device and flow distribution system for virtual private network

Similar Documents

Publication Publication Date Title
US7448078B2 (en) Method, a portal system, a portal server, a personalized access policy server, a firewall and computer software products for dynamically granting and denying network resources
US8146137B2 (en) Dynamic internet address assignment based on user identity and policy compliance
US8726347B2 (en) Authentication based on previous authentications
US20050188211A1 (en) IP for switch based ACL's
US20100191960A1 (en) Token based two factor authentication and virtual private networking system for network management and security and online third party multiple network management method
ES2768049T3 (en) Procedures and systems to secure and protect repositories and directories
JP2006085697A (en) Method and system for controlling access privilege for trusted network node
US10148637B2 (en) Secure authentication to provide mobile access to shared network resources
EP1933264A1 (en) Policy enforcement via attestations
CN101253487A (en) Resource based dynamic security authorization
CN1719834A (en) Firewall system , appliance participating in the system and method of updating the firewall rules within the system
US9584523B2 (en) Virtual private network access control
CN116011005A (en) Method and system for preventing phishing or luxury software attacks
CN104935572A (en) Multilevel privilege management method and device
CN1534938B (en) Network tape
US10637864B2 (en) Creation of fictitious identities to obfuscate hacking of internal networks
CN107005411B (en) Data management method, computer program therefor, recording medium thereof, user client for executing data management method, and security policy server
US8739245B2 (en) Flexible supplicant access control
CN102972005B (en) Pay authentication method
EP3794476B1 (en) System and method for the management of multi-domain access credentials of a user able to access a plurality of domains
WO2008140367A1 (en) Improved resource sharing for a private network
Lee et al. Authentication for single/Multi domain in ubiquitous computing using attribute certification
KR102214162B1 (en) A user-based object access control system using server's hooking
Herzog et al. Security issues in e-home network and software infrastructures
Cho et al. Home gateway operating model using reference monitor for enhanced user comfort and privacy

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07748480

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07748480

Country of ref document: EP

Kind code of ref document: A1