WO2016061775A1 - Remote access gateway and remote access method - Google Patents

Remote access gateway and remote access method

Info

Publication number
WO2016061775A1
Authority
WO
WIPO (PCT)
Prior art keywords
remote access
access gateway
user
validating
unit
Application number
PCT/CN2014/089223
Other languages
French (fr)
Inventor
William Robert Walker
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the invention relates to the field of communication technologies, and in particular to a remote access gateway and a remote access method.
  • Remote access solutions are common in both wired networks, such as fixed broadband, Digital Subscriber Line, Cable-Internet, Fibre Home Access, etc. , and wireless networks, such as mobile, cellular, shared and public WiFi.
  • the embodiment of the invention relates to a remote access gateway and a remote access method that can improve security of network connection.
  • a remote access gateway including: a characteristic unit configured to obtain at least one characteristic feature of a user; a validating unit configured to validate the user with the at least one characteristic feature obtained by the characteristic unit; and a negotiating unit configured to negotiate, according to a result of the validating unit validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway.
  • the remote access gateway further includes a validating database configured to store validation data to be used by the validating unit in validating the user.
  • the remote access gateway further includes an updating unit configured to obtain update data via a public network connection or from the virtual private network through a dedicated management interface, and to update the validation data stored in the validating database with the obtained update data.
  • the characteristic unit includes at least one of a biometric sensor, a personal identification number keypad, a radio frequency identification reader, a near field communication reader, and a locating device.
  • the remote access gateway further includes a triggering unit configured to determine a trigger action that triggers the characteristic unit to obtain the at least one characteristic feature.
  • the trigger action includes at least one of pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device the virtual private network through the remote access gateway.
  • a remote access method including: obtaining, by a remote access gateway, at least one characteristic feature of a user; validating, by the remote access gateway, the user with the at least one characteristic feature; and negotiating, by the remote access gateway, according to a result of validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway.
  • the validating, by the remote access gateway, the user with the at least one characteristic feature includes: validating, by the remote access gateway, the user with the at least one characteristic feature, using validation data stored in the remote access gateway.
  • the method further includes updating, by the remote access gateway, the validation data.
  • the obtaining, by the remote access gateway, at least one characteristic feature of a user includes: obtaining the at least one characteristic feature with at least one of a biometric sensor, a personal identification number keypad, a radio frequency identification reader, a near field communication reader, and a locating device.
  • the method further includes determining, by the remote access gateway, a trigger action that triggers obtaining the at least one characteristic feature.
  • the trigger action includes at least one of pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device the virtual private network through the remote access gateway.
  • the remote access gateway of the embodiments of the invention validates the user before negotiating the secured network connection, which can improve security of network connection.
  • Fig. 1 shows an exemplified scenario where the invention may be applied.
  • Fig. 2 shows a block diagram of a remote access gateway of an embodiment of the invention.
  • Fig. 3 shows a flowchart of a method of an embodiment of the invention.
  • Fig. 4 shows a block diagram of a remote access gateway of another embodiment of the invention.
  • a terminal device 101 wants to access a VPN 103 through a remote access gateway 102. That is, a network connection is to be established between the terminal device 101 and the VPN 103 via the remote access gateway 102.
  • the terminal device 101 may include any kind of user equipment, for example, a user’s desktop, a laptop, a phone, a television, a computer, or a tablet device.
  • the terminal device 101 may or may not validate the user before establishing the network connection.
  • the embodiments of the invention can separate the secured connection from the possibly-compromised terminal device.
  • the VPN 103 may include an enterprise network which needs admission to access.
  • the VPN 103 may be connected to or embodied in a public network, such as Internet, and therefore is accessible via the public network.
  • the remote access gateway 102 may be a mobile, portable or fixed access point, for example, a fixed-WiFi access point, a mobile-WiFi access point, a fixed-fixed gateway, a mobile-fixed gateway, etc.
  • the embodiments of the invention assume that any common access method can be utilized for a terminal device to access the public network or Internet.
  • the remote access gateway 102 of the embodiments of the invention has additional capabilities and features that provide characteristic and validation functionalities.
  • the remote access gateway 102 may obtain at least one characteristic feature of a user, validate the user with the at least one characteristic feature obtained, and negotiate, according to a result of validating the user, a secured connection with a server of a virtual private network 103 for a terminal device 101 of the user that is connected to the remote access gateway 102.
  • Isolating the configuration, policy, and critical data within the gateway devices, rather than the terminal device provides a higher level of protection for the VPN, lower risk of data exposure, and a higher level of manageability.
  • Fig. 2 shows a block diagram of a remote access gateway of an embodiment of the invention.
  • the remote access gateway 20 may include a characteristic unit 21, a validating unit 22 and a negotiating unit 23.
  • the characteristic unit 21 is configured to obtain at least one characteristic feature of a user.
  • the validating unit 22 is configured to validate the user with the at least one characteristic feature obtained by the characteristic unit 21.
  • the negotiating unit 23 configured to negotiate, according to a result of the validating unit 22 validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway 20.
  • if the validating unit 22 validates the user successfully, the negotiating unit 23 initiates a negotiation of a secured connection with the server of the VPN for the terminal device of the user; otherwise the negotiating unit 23 refuses to initiate the negotiation.
  • either the user himself/herself or a user device of the user may be involved in validating the user.
  • the validated user device may be the terminal device per se that is connected to the remote access gateway 20, or the validated user device may be included in or attached to the terminal device.
  • the validated user device may be an NFC (Near Field Communication) chip for recording identification information for the user, which is embedded in a mobile terminal or a wearable device of the user (i.e. the terminal device).
  • the validated user device may be another device independent of the terminal device.
  • the terminal device may be a mobile terminal or a wearable device of the user, and the validated user device may be a user card, such as an employee identification card.
  • the characteristic unit 21 may be implemented by hardware that is attached to or embedded in the remote access gateway 20.
  • the characteristic unit 21 may include at least one of:
  • a biometric sensor, for example, including a fingerprint scanner, a camera for facial recognition, a DNA (Deoxyribonucleic Acid) sampler, a microphone for voice recognition, a heartbeat pattern sensor, etc.;
  • a PIN (personal identification number) keypad, for example, including a number pad, an alphabet pad, a physical keypad, or a soft keypad which may be used in combination with a mouse or a touch screen, and where the PIN may be a password, a fixed (or static) PIN, a one-time PIN, a dynamic PIN, or an SMS-supplied PIN, etc.;
  • an RFID (radio frequency identification)/NFC reader, for example, reading an employee badge, a mobile NFC chip, NFC/RFID jewelry, an RFID keychain, a SmartCard, etc.;
  • a locating device, for example, including at least one of a GPS (Global Positioning System) terminal, a locator for obtaining a GPRS network location, a locator for obtaining known WiFi or network anchor points, and a locator for obtaining other “nearby” indicators; and
  • a data receiver that receives fingerprint data obtained by a fingerprint reader on the validated user device or the terminal device.
  • the remote access gateway 20 may further include a validating database 24.
  • the validating database 24 stores validation data to be used by the validating unit 22 in validating the user.
  • the validating database 24 may be a storage or storage area in the remote access gateway 20, for example, a non-volatile memory, RAM (Random Access Memory), ROM (Read-Only Memory), etc.
  • the validating database 24 may include, for example, a key-store, an access list, etc. , and the validation data (or called rule data) stored by the validating database 24 may include at least one of:
  • biometric data generated on the remote access gateway 20
  • behavior deviations for example, a new location, a new network, a new country, a public access network, a new device, too many password or PIN retries, etc. ;
  • entitlement for example, including “White List” of allowed, “Black List” of denied, and/or “Grey List” of conditions of policy change for identity, authentication and trust, affecting the processing and access controls of devices, device types, terminals, locations; and
  • the validation data may be statically deployed in the device, or the validation data may be updated.
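As an added worked example (not code from the patent or from Huawei), the following Python sketch models the validating unit 22 and the negotiating unit 23 against a small validating database of the kind listed above: salted PIN hashes in place of a key-store, white/black/grey lists for entitlement, and behaviour-deviation rules (a new country, too many PIN retries). The user records, rule names, sample data and the `VpnServer` placeholder are assumptions; the patent does not fix the tunnel protocol, so only the gating of the negotiation is modelled.

```python
# Added example, not the patent's code. Data layout, rule names and the
# VpnServer object are assumptions made for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def pin_record(pin: str) -> dict:
    """Store a PIN salted and hashed so the validating database never holds it in clear."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "digest": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)}


def make_db() -> dict:
    """Constructed sample validating database: PIN records, entitlement lists,
    and behaviour-deviation rules. A fresh copy is returned on every call."""
    return {
        "users": {"alice": {"pin": pin_record("4823"), "badge": "BADGE-0001",
                            "known_countries": {"DE"}, "pin_retries": 0}},
        "white_list": {"BADGE-0001"},                   # badges allowed
        "black_list": {"BADGE-9999"},                   # badges denied
        "grey_list": {"new_country": "require_badge"},  # condition -> policy change
        "max_pin_retries": 3,
    }


@dataclass
class Features:
    """Characteristic features the characteristic unit collected for one attempt."""
    user: str
    pin: Optional[str] = None
    badge: Optional[str] = None
    country: Optional[str] = None


def validate(db: dict, f: Features) -> Tuple[bool, str]:
    """Validating unit: returns (accepted, reason) and fails closed."""
    rec = db["users"].get(f.user)
    if rec is None:
        return False, "unknown user"
    if f.badge in db["black_list"]:
        return False, "badge on black list"
    if rec["pin_retries"] >= db["max_pin_retries"]:
        return False, "locked: too many PIN retries"
    if f.pin is None:
        return False, "PIN required"
    digest = hashlib.pbkdf2_hmac("sha256", f.pin.encode(), rec["pin"]["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, rec["pin"]["digest"]):
        rec["pin_retries"] += 1          # counter lives in the gateway, not the terminal
        return False, "wrong PIN"
    # Behaviour deviation: an unknown country puts the attempt on the grey list,
    # which here means the badge becomes a mandatory second factor.
    if (f.country not in rec["known_countries"]
            and db["grey_list"].get("new_country") == "require_badge"):
        if f.badge != rec["badge"] or f.badge not in db["white_list"]:
            return False, "new country: badge required"
    rec["pin_retries"] = 0
    return True, "validated"


class VpnServer:
    """Placeholder for the VPN server (the page does not fix the tunnel protocol)."""
    def __init__(self) -> None:
        self.sessions: List[str] = []

    def negotiate(self, user: str) -> str:
        session = f"session-{len(self.sessions) + 1}-{user}"
        self.sessions.append(session)
        return session


def negotiate_for(db: dict, vpn: VpnServer, f: Features) -> Optional[str]:
    """Negotiating unit: only a validated user triggers a negotiation;
    otherwise the gateway refuses and the server is never contacted."""
    ok, _reason = validate(db, f)
    if not ok:
        return None
    return vpn.negotiate(f.user)
```

The property that matters is in the last function: the VPN server is never contacted unless `validate` returned true, and every failure path returns a refusal, so a compromised terminal that cannot supply the characteristic feature gets no negotiation at all. The PIN is compared with `hmac.compare_digest` on the derived hash rather than by string equality, and the retry counter is kept on the gateway, where the terminal cannot reset it.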
  • the remote access gateway 20 may further include an updating unit 25 configured to obtain update data and update the validation data stored in the validating database 24 with the obtained update data.
  • the updating unit 25 may include or be implemented by hardware, such as a transceiver, an interface, a port or a processor. Or the updating unit 25 may include or be implemented by a combination of hardware and software.
  • the updating unit 25 may obtain the update data, which is downloaded or pushed via a public network connection, such as a connection to an “over-the-air” update system, where the update data may take the form of an update patch.
  • the updating unit 25 may obtain the update data from the virtual private network through a dedicated management interface, such as a dedicated TCP (Transmission Control Protocol) port number or a separate VPN network connection.
  • Other software and configuration distribution methods are available for obtaining the update data.
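Because update data may arrive over a public network connection, the updating unit should authenticate it before touching the validating database. The following Python fragment is an added example (not the patent's or Huawei's code): the management system signs a JSON update with HMAC-SHA256 under a key held in the gateway key-store, and the gateway verifies the tag, rejects stale or replayed versions, and applies the change all at once. The key value, the JSON field names and the version counter are assumptions.

```python
# Added example, not the patent's code. The update key, JSON layout and
# version counter are assumptions made for illustration.
import hashlib
import hmac
import json
from typing import Tuple

# Assumed to come from the gateway key-store; a fixed value keeps the example offline.
UPDATE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def make_entitlement_db() -> dict:
    """Constructed sample: the entitlement part of the validating database."""
    return {"version": 7, "white_list": {"BADGE-0001"}, "black_list": set()}


def sign_update(update: dict, key: bytes) -> Tuple[bytes, bytes]:
    """Producer side (management system): canonical JSON plus an HMAC-SHA256 tag."""
    blob = json.dumps(update, sort_keys=True, separators=(",", ":")).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).digest()


def apply_update(db: dict, blob: bytes, tag: bytes, key: bytes) -> Tuple[bool, str]:
    """Gateway side (updating unit): verify before parsing, refuse rollback and
    replay, then commit the new lists and version together or not at all."""
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    try:
        update = json.loads(blob)
    except ValueError:
        return False, "malformed update"
    version = update.get("version")
    if not isinstance(version, int) or version <= db["version"]:
        return False, "stale or replayed version"
    white = set(db["white_list"])
    black = set(db["black_list"])
    for badge in update.get("add_white", []):
        white.add(badge)
    for badge in update.get("add_black", []):
        black.add(badge)
        white.discard(badge)   # a denied badge must never remain on the white list
    for badge in update.get("remove_white", []):
        white.discard(badge)
    db["white_list"], db["black_list"], db["version"] = white, black, version
    return True, "applied"
```

Verification happens before parsing, so a malformed or hostile blob is never interpreted, and the version check stops an attacker from replaying an older, correctly signed update that still listed a since-revoked badge. A real deployment would use an asymmetric signature and a per-device key, but the order of operations stays the same.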
  • the functionalities of the characteristic unit 21, the validating unit 22 and the negotiating unit 23 may be triggered by a trigger mechanism.
  • the remote access gateway 20 may further include a triggering unit 26 configured to determine a trigger action that triggers the characteristic unit 21 to obtain the at least one characteristic feature.
  • the trigger action may include at least one of: pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device the virtual private network through the remote access gateway.
  • when the triggering unit 26 determines that a trigger action has occurred, it triggers the characteristic unit 21 to obtain the at least one characteristic feature.
  • the validating unit 22 may be implemented by a processor of the remote access gateway 20, or by the processor together with a storage that stores instructions that cause the processor to validate the user.
  • the negotiating unit 23 may include or be implemented by hardware, such as an interface, a port and/or a processor, or the negotiating unit 23 may include or be implemented by a combination of hardware and software.
  • the remote access gateway of the invention can be remotely managed, either by the network provider, or by the network administrator of the enterprise. Keys, certificates, authentication details, policy enforcement and storage, and access control are “within the network” technology and implementation domains. Critical connection and authentication data is not visible to the terminal device. Isolating the configuration, policy, and critical data within the gateway devices, rather than the terminal device provides a higher level of protection for the VPN, lower risk of sensitive data exposure, and a higher level of manageability.
  • Fig. 3 shows a flowchart of a method of an embodiment of the invention.
  • the remote access method of Fig. 3 may be performed by the remote access gateway, such as that with reference number 102 or 20 described above.
  • the remote access method may include:
  • 301 obtaining, by a remote access gateway, at least one characteristic feature of a user
  • Fig. 3 may be performed by the components of the remote access gateway as described above with reference to Fig. 1 and Fig. 2, and therefore the details of the method of the embodiments of the invention will not be described redundantly herein.
  • when the remote access gateway validates the user with the at least one characteristic feature, it may do so using validation data stored in the remote access gateway.
  • the method may further include updating, by the remote access gateway, the validation data stored in the remote access gateway.
  • the remote access gateway may obtain the at least one characteristic feature with at least one of a biometric sensor, a personal identification number keypad, a radio frequency identification reader, a near field communication reader, a locating device, and other sensors or inputs that supply identity or authentication of the user.
  • the method may further include determining, by the remote access gateway, a trigger action that triggers obtaining the at least one characteristic feature.
  • the trigger action includes at least one of pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device the virtual private network through the remote access gateway.
  • Fig. 4 shows a block diagram of a remote access gateway of another embodiment of the invention.
  • the remote access gateway 40 may include a processor 41 and a storage 42.
  • the processor 41 may be connected to the storage 42 through a communication bus.
  • the storage 42 is configured to store instructions or code which can be executed by the processor 41 to obtain at least one characteristic feature of a user, validate the user with the at least one characteristic feature, and negotiate, according to a result of validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway 40.
  • any kind of hardware may be attached to or embedded in the remote access gateway 40 and may be configured to obtain the characteristic feature of the user under control of the processor 41.
  • the hardware controlled by the processor 41 may include at least one of:
  • a biometric sensor for example, including a fingerprint scanner, a camera for facial recognition, a DNA sampler, a microphone for voice recognition, a heartbeat pattern sensor, etc. ;
  • a PIN keypad for example, including a number pad, an alphabet pad, a physical keypad, or a soft keypad which may be used in combination with a mouse or a touch screen and where the PIN may be a password, a fixed (or static) PIN, a one-time PIN, a dynamic PIN, an SMS-supplied PIN, etc. ;
  • an RFID /NFC reader for example, including an employee badge, a mobile NFC chip, an NFC/RFID jewelry, an RFID keychain, a SmartCard, etc. ;
  • a locating device, for example, including a GPS terminal, a locator for obtaining a GPRS network location, a locator for obtaining known WiFi or network anchor points, a locator for obtaining other “nearby” indicators; and
  • the storage 42 may further store a validating database.
  • the validating database stores validation data to be used by the processor 41 in validating the user.
  • the storage 42 may be any kind of storing device, for example, a non-volatile memory, RAM, ROM, etc.
  • the validating database may include, for example, a key-store, an access list, etc.
  • the validation data (or called rule data) stored by the validating database may include at least one of:
  • biometric data generated on the remote access gateway 40
  • behavior deviations for example a new location, a new network, a new country, a public access network, a new device, too many password or PIN retries, etc. ;
  • entitlement for example, including “White List” of allowed, “Black List” of denied, and/or “Grey List” of conditions of policy change for identity, authentication and trust, affecting the processing and access controls of devices, device types, terminals, locations; and
  • the validation data may be statically deployed in the device, or the validation data may be updated.
  • the processor 41 may be further configured to obtain update data and update the validation data stored in the storage 42 with the obtained update data.
  • the processor 41 may obtain the update data, which is downloaded or pushed via a public network connection, such as a connection to an “over-the-air” update system, where the update data may take the form of an update patch.
  • the processor 41 may obtain the update data, which is sent from the virtual private network through a dedicated management interface, such as a dedicated TCP port number or a separate VPN network connection.
  • Other software and configuration distribution methods are available for obtaining the update data.
  • the processor 41 may be further configured to determine a trigger action that triggers obtaining the at least one characteristic feature.
  • the trigger action may include at least one of: pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device the virtual private network through the remote access gateway.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention discloses a remote access gateway and a method thereof. The remote access gateway includes: a characteristic unit configured to obtain at least one characteristic feature of a user; a validating unit configured to validate the user with the at least one characteristic feature obtained by the characteristic unit; and a negotiating unit configured to negotiate, according to a result of the validating unit validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway. The remote access gateway of the invention validates the user before negotiating the secured network connection, which can improve the security of the network connection.

Description

REMOTE ACCESS GATEWAY AND REMOTE ACCESS METHOD
FIELD OF TECHNOLOGY
The invention relates to the field of communication technologies, and in particular to a remote access gateway and a remote access method.
BACKGROUND OF THE INVENTION
Remote access solutions are common in both wired networks, such as fixed broadband, Digital Subscriber Line, Cable-Internet, Fibre Home Access, etc., and wireless networks, such as mobile, cellular, shared and public WiFi. Remote access to a VPN (Virtual Private Network), such as an enterprise network, is currently accomplished largely through public-facing proxy applications or VPN software running on a terminal device, such as a user’s desktop, a laptop, a phone, or a tablet device.
Given the history of malware, virus, and Trojan infections on terminal devices, we should assume that the terminal devices are compromised, and therefore that connections established on the basis of validation performed by possibly-compromised terminal devices are not secure.
SUMMARY OF THE INVENTION
The embodiment of the invention relates to a remote access gateway and a remote access method that can improve security of network connection.
In a first aspect, there is provided a remote access gateway including: a characteristic unit configured to obtain at least one characteristic feature of a user; a validating unit configured to validate the user with the at least one characteristic feature obtained by the characteristic unit; and a negotiating unit configured to negotiate, according to a result of the validating unit validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway.
In a first possible implementation form of the remote access gateway according to the first aspect as such, the remote access gateway further includes a validating database configured to store validation data to be used by the validating unit in validating the user.
In a second possible implementation form of the remote access gateway according to the first aspect as such or according to any of the preceding implementation forms of the first aspect, the remote access gateway further includes an updating unit configured to obtain update data via a public network connection or from the virtual private network through a dedicated management interface, and to update the validation data stored in the validating database with the obtained update data.
In a third possible implementation form of the remote access gateway according to the first aspect as such or according to any of the preceding implementation forms of the first aspect, the characteristic unit includes at least one of a biometric sensor, a personal identification number keypad, a radio frequency identification reader, a near field communication reader, and a locating device.
In a fourth possible implementation form of the remote access gateway according to the first aspect as such or according to any of the preceding implementation forms of the first aspect, the remote access gateway further includes a triggering unit configured to determine a trigger action that triggers the characteristic unit to obtain the at least one characteristic feature.
In a fifth possible implementation form of the remote access gateway according to the first aspect as such or according to any of the preceding implementation forms of the first aspect, the trigger action includes at least one of pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device the virtual private network through the remote access gateway.
In a second aspect, there is provided a remote access method including: obtaining, by a remote access gateway, at least one characteristic feature of a user; validating, by the remote access gateway, the user with the at least one characteristic feature; and negotiating, by the remote access gateway, according to a result of validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway.
In a first possible implementation form of the method according to the second aspect as such, the validating, by the remote access gateway, the user with the at least one characteristic feature includes: validating, by the remote access gateway, the user with the at least one characteristic feature, using validation data stored in the remote access gateway.
In a second possible implementation form of the method according to the second aspect as such or according to any of the preceding implementation forms of the second aspect, the method further includes updating, by the remote access gateway, the validation data.
In a third possible implementation form of the method according to the second aspect as such or according to any of the preceding implementation forms of the second aspect, the obtaining, by the remote access gateway, at least one characteristic feature of a user includes: obtaining the at least one characteristic feature with at least one of a biometric sensor, a personal identification number keypad, a radio frequency identification reader, a near field communication reader, and a locating device.
In a fourth possible implementation form of the method according to the second aspect as such or according to any of the preceding implementation forms of the second aspect, the method further includes determining, by the remote access gateway, a trigger action that triggers obtaining the at least one characteristic feature.
In a fifth possible implementation form of the method according to the second aspect as such or according to any of the preceding implementation forms of the second aspect, the trigger action includes at least one of pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device the virtual private network through the remote access gateway.
Therefore the remote access gateway of the embodiments of the invention validates the user before negotiating the secured network connection, which can improve the security of the network connection.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to describe the embodiments of the invention or the technical solutions in the prior art more clearly, the accompanying drawings necessary for describing the embodiments or the prior art are briefly described below. It is obvious to those of ordinary skill in the art that the drawings described below are only for some embodiments of the invention, and that other drawings can be obtained from them without any creative effort.
Fig. 1 shows an exemplified scenario where the invention may be applied.
Fig. 2 shows a block diagram of a remote access gateway of an embodiment of the invention.
Fig. 3 shows a flowchart of a method of an embodiment of the invention.
Fig. 4 shows a block diagram of a remote access gateway of another embodiment of the invention.
DETAILED DESCRIPTION OF THE EMBODIMENTS
Hereinafter, the technical solutions in the embodiments of the invention are clearly and fully described in connection with the accompanying drawings showing these embodiments. Obviously, the embodiments described are only a part of the embodiments of the invention, not all of them. Based on these embodiments, all other embodiments conceived by those of ordinary skill in the art without any creative effort fall within the protection scope of the invention.
Fig. 1 shows an exemplified scenario where the invention may be applied.
As shown in Fig. 1, a terminal device 101 wants to access a VPN 103 through a remote access gateway 102. That is, a network connection is to be established between the terminal device 101 and the VPN 103 via the remote access gateway 102.
The terminal device 101 may be any kind of user equipment, for example a user’s desktop, laptop, phone, television, computer or tablet device. The terminal device 101 may or may not validate the user itself before the network connection is established. Either way, the embodiments of the invention separate the secured connection from a possibly compromised terminal device: the gateway, not the terminal, holds the connection credentials and performs the validation.
The VPN 103 may include an enterprise network that requires admission before it can be accessed. The VPN 103 may be connected to or embodied in a public network, such as the Internet, and is therefore reachable via the public network.
The remote access gateway 102 may be a mobile, portable or fixed access point, for example a fixed WiFi access point, a mobile WiFi access point, a fixed-fixed gateway, a mobile-fixed gateway, etc.
Remote access gateways, such as access points, are common in the communications industry, in both fixed and mobile technologies. They provide a “local network”, such as wired, WiFi or Bluetooth, which allows a connected terminal device to access an external network, for example the Internet. The embodiments of the invention assume that any common access method can be used by a terminal device to reach the public network or Internet.
In addition, the remote access gateway 102 of the embodiments of the invention has additional capabilities and features that provide the characteristic and validation functionalities. In particular, the remote access gateway 102 may obtain at least one characteristic feature of a user, validate the user with the at least one characteristic feature obtained, and negotiate, according to the result of validating the user, a secured connection with a server of the virtual private network 103 for a terminal device 101 of the user that is connected to the remote access gateway 102.
Isolating the configuration, policy and critical data within the gateway device, rather than the terminal device, provides a higher level of protection for the VPN, a lower risk of data exposure and a higher level of manageability.
Fig. 2 shows a block diagram of a remote access gateway of an embodiment of the invention.
As shown in Fig. 2, the remote access gateway 20 may include a characteristic unit 21, a validating unit 22 and a negotiating unit 23.
The characteristic unit 21 is configured to obtain at least one characteristic feature of a user.
The validating unit 22 is configured to validate the user with the at least one characteristic feature obtained by the characteristic unit 21.
The negotiating unit 23 is configured to negotiate, according to the result of the validating unit 22 validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway 20.
Therefore the remote access gateway of the embodiments of the invention validates the user before negotiating the secured network connection, which improves the security of the network connection.
For example, if the validating unit 22 determines that the user is an authorized or trusted user who is allowed to access the VPN, the negotiating unit 23 initiates the negotiation of a secured connection with the VPN server for the user’s terminal device; otherwise the negotiating unit 23 refuses to initiate the negotiation, so no connection to the VPN is attempted on behalf of an unvalidated user.
Either the user in person or a user device of the user may be involved in validating the user. If a user device is involved in the validating process of the validating unit 22, the validated user device may be the terminal device itself that is connected to the remote access gateway 20, or the validated user device may be included in or attached to the terminal device. For example, the validated user device may be an NFC (Near Field Communication) chip recording identification information for the user, embedded in a mobile terminal or a wearable device of the user (i.e. the terminal device).
As another alternative embodiment, the validated user device may be a separate device, independent of the terminal device. For example, the terminal device may be a mobile terminal or a wearable device of the user, and the validated user device may be a user card, such as an employee identification card.
The characteristic unit 21 may be implemented by hardware that is attached to or embedded in the remote access gateway 20. Optionally, the characteristic unit 21 may include at least one of:
a biometric sensor, for example a fingerprint scanner, a camera for facial recognition, a DNA (Deoxyribonucleic Acid) sampler, a microphone for voice recognition, a heartbeat pattern sensor, etc.;
a PIN (personal identification number) keypad, for example a number pad, an alphabet pad, a physical keypad, or a soft keypad that may be used in combination with a mouse or a touch screen, where the PIN may be a password, a fixed (or static) PIN, a one-time PIN, a dynamic PIN, an SMS-supplied PIN, etc.;
an RFID (radio frequency identification)/NFC reader, for reading for example an employee badge, a mobile NFC chip, NFC/RFID jewelry, an RFID keychain, a SmartCard, etc.;
a locating device, for example at least one of a GPS (Global Positioning System) terminal, a locator for obtaining a GPRS network location, a locator for obtaining known WiFi or network anchor points, and a locator for obtaining other “nearby” indicators; and
other sensors or inputs that supply identity or authentication of the user; in this case the characteristic unit 21 may, for example, be a data receiver that receives fingerprint data obtained by a fingerprint reader on the validated user device or the terminal device.
Optionally, as shown in Fig. 2, the remote access gateway 20 may further include a validating database 24. The validating database 24 stores validation data to be used by the validating unit 22 in validating the user.
The validating database 24 may be a storage or storage area in the remote access gateway 20, for example a non-volatile memory, RAM (Random Access Memory), ROM (Read-Only Memory), etc.
The validating database 24 may include, for example, a key-store, an access list, etc., and the validation data (also called rule data) stored by the validating database 24 may include at least one of:
internally stored key;
password (i.e. PIN);
certificates;
device-generated key;
biometric data generated on the remote access gateway 20;
trusted agent intervention;
location;
screen type;
behavior deviations, for example a new location, a new network, a new country, a public access network, a new device, too many password or PIN retries, etc.;
entitlement, for example a “White List” of allowed entities, a “Black List” of denied entities, and/or a “Grey List” of conditions under which the policy for identity, authentication and trust changes, affecting the processing and access controls of devices, device types, terminals and locations; and
other factors or data that can be used to validate the user in connection with the characteristic feature obtained by the characteristic unit 21.
The validation data may be statically deployed in the device, or the validation data may be updated. Optionally, as shown in Fig. 2, the remote access gateway 20 may further include an updating unit 25 configured to obtain update data and to update the validation data stored in the validating database 24 with the obtained update data.
The updating unit 25 may include or be implemented by hardware, such as a transceiver, an interface, a port or a processor, or by a combination of hardware and software.
In particular, as an optional embodiment, the updating unit 25 may obtain the update data by download or push via a public network connection, such as a connection to an “over the air” update system, where the update data may take the form of an update patch. Or the updating unit 25 may obtain the update data from the virtual private network through a dedicated management interface, such as a dedicated TCP (Transmission Control Protocol) port number or a separate VPN network connection. Other software and configuration distribution methods are available for obtaining the update data.
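The update path is the part of this design a practitioner scrutinises most: whatever arrives over the public network or the management interface replaces the rule data on which every access decision depends, so the gateway should install an update only after authenticating it and rejecting replays of older rule sets. The Python below is an added illustration of such an updating unit, not code from the patent or from Huawei; the patent does not say how update data is protected in transit, so the HMAC key shared with the management system, the frame layout (version, JSON payload, tag) and the strict version check are assumptions made for this example.

```python
"""Added example (not code from the patent): an updating unit that installs
new validation data only after authenticating the update frame and checking
that it is newer than the installed rule set. The shared HMAC key, the frame
layout and the version field are assumptions made for this illustration."""
import hashlib
import hmac
import json
import struct
from typing import Any, Dict

TAG_LEN = 32      # HMAC-SHA256 tag length in bytes
VERSION_LEN = 4   # big-endian unsigned 32-bit rule-set version


def build_update(key: bytes, version: int, validation_data: Dict[str, Any]) -> bytes:
    """Management side: frame = version || JSON rule data || tag.
    The tag covers the version too, so old rule data cannot be replayed
    under a newer version number."""
    payload = json.dumps(validation_data, sort_keys=True).encode("utf-8")
    body = struct.pack(">I", version) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class UpdatingUnit:
    """Gateway side: holds the management key and the installed rule set."""

    def __init__(self, key: bytes, installed_version: int, validation_data: Dict[str, Any]):
        self._key = key
        self.version = installed_version
        self.validation_data = validation_data

    def apply(self, frame: bytes) -> bool:
        """Install the frame's rule data and return True, or reject the frame
        and return False. A rejected frame leaves the installed data untouched."""
        if len(frame) < VERSION_LEN + TAG_LEN:
            return False                      # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # not from the management system, or tampered
        (version,) = struct.unpack(">I", body[:VERSION_LEN])
        if version <= self.version:
            return False                      # replay, or rollback to an older rule set
        try:
            data = json.loads(body[VERSION_LEN:].decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return False                      # authenticated but malformed: still reject
        if not isinstance(data, dict):
            return False
        self.version = version
        self.validation_data = data
        return True


if __name__ == "__main__":
    key = b"\x11" * 32                                    # constructed management key
    unit = UpdatingUnit(key, 1, {"allowed": ["badge-17"]})
    frame = build_update(key, 2, {"allowed": ["badge-17", "badge-23"]})
    print("installed:", unit.apply(frame), "version now", unit.version)
    print("replayed:", unit.apply(frame))
```

The version check is what turns an authenticated channel into a safe one: without it, anyone able to capture an old, validly tagged frame could push the gateway back to a rule set that still admitted a revoked badge.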
As an alternative embodiment, the functionalities of the characteristic unit 21, the validating unit 22 and the negotiating unit 23 may be started by a trigger mechanism. For example, as shown in Fig. 2, the remote access gateway 20 may further include a triggering unit 26 configured to determine a trigger action that triggers the characteristic unit 21 to obtain the at least one characteristic feature.
For example, the trigger action may include at least one of:
pressing a physical button on the remote access gateway 20;
scanning a user badge near the remote access gateway 20;
attempting, from the terminal device, to access the VPN through the remote access gateway 20; and
other actions that relate to initiating access to the VPN or to the validation process.
For example, when a request from a terminal device for a connection to a VPN arrives at the remote access gateway 20, meaning that the terminal device is attempting to access the VPN through the remote access gateway 20, the triggering unit 26 determines that a trigger action has occurred and triggers the characteristic unit 21 to obtain the at least one characteristic feature.
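The sequence just described (a VPN access attempt as trigger, the characteristic unit collecting features, the validating unit evaluating them against the validating database, and only then a negotiate-or-refuse outcome), together with the entitlement lists and behaviour-deviation rules listed for the validating database above, is shown in the Python below. It is an added example, not code from the patent or from Huawei: the `Decision` outcomes, the rule fields, the lock-out threshold and the grey-list policy (an unseen location asks for a further feature rather than refusing outright) are assumptions made for this illustration.

```python
"""Added example (not code from the patent): a minimal model of the
triggering unit, the validating unit and the validating database described
above. The rule-data fields, the lock-out threshold and the grey-list policy
are assumptions made for this illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Set, Tuple
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


class Decision(Enum):
    NEGOTIATE = "negotiate"  # validated: negotiating unit may start VPN setup
    REFUSE = "refuse"        # not validated: no negotiation is initiated
    STEP_UP = "step_up"      # grey-list condition: obtain another feature first


@dataclass
class ValidationData:
    """Validation (rule) data held in the gateway's validating database."""
    pin_salt: bytes
    pin_digest: bytes              # salted PBKDF2-HMAC-SHA256 of the PIN, never the PIN
    allowed_badges: Set[str]       # "White List" of badge identifiers
    denied_badges: Set[str]        # "Black List" of badge identifiers
    known_locations: Set[str]      # locations previously seen for this user
    max_pin_retries: int = 3       # behaviour deviation: too many PIN retries
    pin_failures: int = 0          # counter kept on the gateway, not the terminal


@dataclass
class Features:
    """Characteristic features obtained by the characteristic unit."""
    badge_id: Optional[str] = None  # from the RFID/NFC reader
    pin: Optional[str] = None       # from the PIN keypad
    location: Optional[str] = None  # from the locating device


def make_pin_record(pin: str) -> Tuple[bytes, bytes]:
    """Enrolment helper: derive the salted digest stored in the database."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def pin_matches(data: ValidationData, pin: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), data.pin_salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, data.pin_digest)


def validate_user(data: ValidationData, f: Features) -> Decision:
    """Validating unit: evaluate the obtained features against the rule data."""
    # Lock-out is tested first, so a locked record cannot be opened by guessing.
    if data.pin_failures >= data.max_pin_retries:
        return Decision.REFUSE
    # Entitlement: the badge must be white-listed and must not be black-listed.
    if f.badge_id is None or f.badge_id in data.denied_badges:
        return Decision.REFUSE
    if f.badge_id not in data.allowed_badges:
        return Decision.REFUSE
    # Knowledge factor: constant-time comparison against the stored digest.
    if f.pin is None or not pin_matches(data, f.pin):
        data.pin_failures += 1
        return Decision.REFUSE
    data.pin_failures = 0
    # Behaviour deviation: a location never seen before is a grey-list condition.
    if f.location is not None and f.location not in data.known_locations:
        return Decision.STEP_UP
    return Decision.NEGOTIATE


def on_vpn_access_attempt(data: ValidationData,
                          obtain_features: Callable[[], Features]) -> Decision:
    """Triggering unit: a VPN connection request from the terminal is the trigger
    action; features are obtained and validated before any negotiation with the
    VPN server is started, and the negotiation is refused otherwise."""
    return validate_user(data, obtain_features())


if __name__ == "__main__":
    salt, digest = make_pin_record("4711")          # constructed enrolment data
    db = ValidationData(salt, digest, {"badge-17"}, {"badge-99"}, {"hq-floor-3"})
    print(on_vpn_access_attempt(db, lambda: Features("badge-17", "4711", "hq-floor-3")))
```

Note where the state lives: the retry counter, the badge lists and the PIN digest are all in the gateway's own store, which is the point the patent makes about keeping authentication data out of the terminal device's reach.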
The validating unit 22 may be implemented by a processor of the remote access gateway 20, or by the processor together with a storage that stores instructions causing the processor to validate the user. The negotiating unit 23 may include or be implemented by hardware, such as an interface, a port and/or a processor, or by a combination of hardware and software.
Thus, as a network element, the remote access gateway of the invention can be remotely managed, either by the network provider or by the network administrator of the enterprise. Keys, certificates, authentication details, policy enforcement and storage, and access control stay within the “within the network” technology and implementation domains. Critical connection and authentication data is not visible to the terminal device. Isolating the configuration, policy and critical data within the gateway device, rather than the terminal device, provides a higher level of protection for the VPN, a lower risk of sensitive data exposure and a higher level of manageability.
Fig. 3 shows a flowchart of a method of an embodiment of the invention. The remote access method of Fig. 3 may be performed by the remote access gateway, such as the gateway with reference number 102 or 20 described above. The remote access method may include:
301, obtaining, by a remote access gateway, at least one characteristic feature of a user;
302, validating, by the remote access gateway, the user with the at least one characteristic feature; and
303, negotiating, by the remote access gateway, according to a result of validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway.
Therefore the remote access gateway of the embodiments of the invention validates the user before negotiating the secured network connection, which improves the security of the network connection.
The method shown in Fig. 3 may be performed by the components of the remote access gateway described above with reference to Fig. 1 and Fig. 2, and therefore the details of the method of the embodiments of the invention are not described again here.
Optionally, as an embodiment, in 302 the remote access gateway may validate the user with the at least one characteristic feature using validation data stored in the remote access gateway.
Optionally, as another embodiment, the method may further include updating, by the remote access gateway, the validation data stored in the remote access gateway.
Optionally, as still another embodiment, the remote access gateway may obtain the at least one characteristic feature with at least one of a biometric sensor, a personal identification number keypad, a radio frequency identification reader, a near field communication reader, a locating device, and other sensors or inputs that supply identity or authentication of the user.
Optionally, as yet another embodiment, the method may further include determining, by the remote access gateway, a trigger action that triggers obtaining the at least one characteristic feature.
For example, the trigger action includes at least one of pressing a physical button on the remote access gateway, scanning a user badge, and attempting, from the terminal device, to access the virtual private network through the remote access gateway.
Thus, as a network element, the remote access gateway of the invention can be remotely managed, either by the network provider or by the network administrator of the enterprise. Keys, certificates, authentication details, policy enforcement and storage, and access control stay within the “within the network” technology and implementation domains. Critical connection and authentication data is not visible to the terminal device. Isolating the configuration, policy and critical data within the gateway device, rather than the terminal device, provides a higher level of protection for the VPN, a lower risk of exposure and a higher level of manageability.
Fig. 4 shows a block diagram of a remote access gateway of another embodiment of the invention.
As shown in Fig. 4, the remote access gateway 40 may include a processor 41 and a storage 42. The processor 41 may be connected to the storage 42 through a communication bus.
The storage 42 is configured to store instructions or codes which can be executed by the processor 41 to obtain at least one characteristic feature of a user, validate the user with the at least one characteristic feature, and negotiate, according to a result of validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway 40.
Therefore the remote access gateway of the embodiments of the invention validates the user before negotiating the secured network connection, which improves the security of the network connection.
For example, any kind of hardware may be attached to or embedded in the remote access gateway 40 and may be configured to obtain the characteristic feature of the user under control of the processor 41. Optionally, the hardware controlled by the processor 41 may include at least one of:
a biometric sensor, for example a fingerprint scanner, a camera for facial recognition, a DNA sampler, a microphone for voice recognition, a heartbeat pattern sensor, etc.;
a PIN keypad, for example a number pad, an alphabet pad, a physical keypad, or a soft keypad that may be used in combination with a mouse or a touch screen, where the PIN may be a password, a fixed (or static) PIN, a one-time PIN, a dynamic PIN, an SMS-supplied PIN, etc.;
an RFID/NFC reader, for reading for example an employee badge, a mobile NFC chip, NFC/RFID jewelry, an RFID keychain, a SmartCard, etc.;
a locating device, for example a GPS terminal, a locator for obtaining a GPRS network location, a locator for obtaining known WiFi or network anchor points, or a locator for obtaining other “nearby” indicators; and
other sensors or inputs that supply identity or authentication of the user.
Optionally, the storage 42 may further store a validating database. The validating database stores validation data to be used by the processor 41 in validating the user.
The storage 42 may be any kind of storing device, for example, a non-volatile memory, RAM, ROM, etc.
The validating database may include, for example, a key-store, an access list, etc., and the validation data (also called rule data) stored by the validating database may include at least one of:
internally stored key;
password (i.e. PIN);
certificates;
device-generated key;
biometric data generated on the remote access gateway 40;
trusted agent intervention;
location;
screen type;
behavior deviations, for example a new location, a new network, a new country, a public access network, a new device, too many password or PIN retries, etc.;
entitlement, for example a “White List” of allowed entities, a “Black List” of denied entities, and/or a “Grey List” of conditions under which the policy for identity, authentication and trust changes, affecting the processing and access controls of devices, device types, terminals and locations; and
other factors or data that can be used to validate the user in connection with the obtained characteristic feature.
The validation data may be statically deployed in the device, or the validation data may be updated. Optionally, the processor 41 may be further configured to obtain update data and update the validation data stored in the storage 42 with the obtained update data.
In particular, as an optional embodiment, the processor 41 may obtain the update data by download or push via a public network connection, such as a connection to an “over the air” update system, where the update data may take the form of an update patch. Or the processor 41 may obtain the update data sent from the virtual private network through a dedicated management interface, such as a dedicated TCP port number or a separate VPN network connection. Other software and configuration distribution methods are available for obtaining the update data.
As an optional embodiment, the processor 41 may be further configured to determine a trigger action that triggers to obtain the at least one characteristic feature.
For example, the trigger action may include at least one of:
pressing a physical button on the remote access gateway 40;
scanning a user badge near the remote access gateway 40;
attempting, from the terminal device, to access the VPN through the remote access gateway 40; and
other actions that relate to initiating access to the VPN or to the validation process.
Thus, as a network element, the remote access gateway of the invention can be remotely managed, either by the network provider or by the network administrator of the enterprise. Keys, certificates, authentication details, policy enforcement and storage, and access control stay within the “within the network” technology and implementation domains. Critical connection and authentication data is not visible to the terminal device. Isolating the configuration, policy and critical data within the gateway device, rather than the terminal device, provides a higher level of protection for the VPN, a lower risk of sensitive data exposure and a higher level of manageability.
It is to be noted that terms such as “first”, “second” and so on are used herein only to distinguish one entity or operation from another, and do not imply any actual relationship or order between those entities or operations. Furthermore, the terms “include”, “comprise” and their variants are intended to be inclusive rather than exclusive, so that a process, method, object or device that includes a list of elements not only includes those elements but may also include other elements that are not expressly listed, or elements inherent to that process, method, object or device. Unless defined otherwise, an element introduced by “comprises a …” does not exclude the presence of further identical elements in the process, method, object or device that comprises it.
From the description of the embodiments of the invention, those skilled in the art will clearly understand that the invention can be implemented by software together with the necessary general-purpose hardware, and can certainly also be implemented by hardware alone, although the former is preferred. On this understanding, the solution of the invention, or the part of it that contributes over the prior art, can be embodied as a software product stored on a storage medium such as ROM/RAM, a hard disk or a compact disk, containing instructions that enable a computer device (a personal computer, server, network device, etc.) to execute the method described in the embodiments or part of it.
While the invention has been described by way of the preferred embodiments, it is to be noted that many modifications or variations can be made to the embodiments by those of ordinary skill in the art, and these modifications or variations also fall within the protection scope of the invention.

Claims (12)

  1. A remote access gateway comprising:
    a characteristic unit, configured to obtain at least one characteristic feature of a user;
    a validating unit, configured to validate the user with the at least one characteristic feature obtained by the characteristic unit; and
    a negotiating unit, configured to negotiate, according to a result of the validating unit validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway.
  2. The remote access gateway according to claim 1, further comprising:
    a validating database, configured to store validation data to be used by the validating unit in validating the user.
  3. The remote access gateway according to claim 2, further comprising:
    an updating unit, configured to obtain update data via a public network connection or from the virtual private network through a dedicated management interface, and update the validation data stored in the validating database with the obtained update data.
  4. The remote access gateway according to any one of claims 1 to 3, wherein the characteristic unit comprises at least one of a biometric sensor, a personal identification number keypad, a radio frequency identification reader, a near field communication reader, and a locating device.
  5. The remote access gateway according to any one of claims 1 to 4, further comprising:
    a triggering unit, configured to determine a trigger action that triggers the characteristic unit to obtain the at least one characteristic feature.
  6. The remote access gateway according to claim 5, wherein the trigger action comprises at least one of pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device to the virtual private network through the remote access gateway.
  7. A remote access method comprising:
    obtaining, by a remote access gateway, at least one characteristic feature of a user;
    validating, by the remote access gateway, the user with the at least one characteristic feature; and
    negotiating, by the remote access gateway, according to a result of validating the user, a secured connection with a server of a virtual private network for a terminal device of the user that is connected to the remote access gateway.
  8. The method according to claim 7, wherein the validating, by the remote access gateway, the user with the at least one characteristic feature, comprises:
    validating, by the remote access gateway, the user with the at least one characteristic feature, using validation data stored in the remote access gateway.
  9. The method according to claim 8, further comprising:
    updating, by the remote access gateway, the validation data.
  10. The method according to any one of claims 7 to 9, wherein the obtaining, by a remote access gateway, at least one characteristic feature of a user, comprises:
    obtaining the at least one characteristic feature with at least one of a biometric sensor, a personal identification number keypad, a radio frequency identification reader, a near field communication reader, and a locating device.
  11. The method according to any one of claims 7 to 10, further comprising:
    determining, by the remote access gateway, a trigger action that triggers to obtain the at least one characteristic feature.
  12. The method according to claim 11, wherein the trigger action comprises at least one of pressing a physical button on the remote access gateway, scanning a user badge, and attempting to access from the terminal device to the virtual private network through the remote access gateway.
PCT/CN2014/089223, filed 2014-10-23; published as WO2016061775A1 on 2016-04-28.