European Patent Office

Certificate

The conformity of the attached publication with the specification of the European patent application published under Article 93 EPC is hereby certified.

Patent application No. 96850139.5

Publication No. 0762707

Munich, 28.09.18

EPA/EPO/OEB Form 2551M 07.10

For the President of the European Patent Office

Karin Rinder

PK23125

Panasonic-1007
Page 1 of 6

(19) European Patent Office

(11) EP 0 762 707 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 12.03.1997 Bulletin 1997/11

(21) Application number: 96850139.5

(22) Date of filing: 15.07.1996

(51) Int Cl.6: H04L 29/06

(84) Designated Contracting States: CH DE DK ES FR GB IT LI NL

(72) Inventor: Soderhielm, Mattias, 131 48 Nacka (SE)

(30) Priority: 21.08.1995 SE 9502925

(71) Applicant: TELIA AB, 123 86 Farsta (SE)

(74) Representative: Karlsson, Berne, Telia Research AB, Rudsjoterrassen 2, 136 80 Haninge (SE)

(54) Arrangement for network access via the telecommunication network by remote-controlled filter

(57) The invention relates to an arrangement to check/control access to IP-networks via the telecommunication network. A personal computer is connected via the telecommunication network to an interface pool which constitutes interface between the telecommunication network and the IP-network. According to the invention there is a remote-controlled filter which can be controlled to allow access to the IP-network. An access check/control server checks the authorization of the user of the personal computer and controls the remote-controlled filter depending on the authorization check. The remote-controlled filter initially only allows access to the access check/control server. The access check/control server further can attend to debiting of the user of the personal computer, and check different blocking functions for the access to the IP-network.

[Figure 1. Labels: personal computer connected to the modem pool, for instance with PPP or SLIP; access check/control server with program module (for instance a script); IP network (for instance Internet); arrows 1) and 2).]

Printed by Jouve, 75001 PARIS (FR)

Description

TECHNICAL FIELD

The present invention relates to an arrangement for network access, especially access to TCP/IP-networks, for instance Internet. The access is controlled by a filter which can be remote-controlled by a special server which checks the user's authorization and controls the access to the IP-network. The special access check/control server allows the authorization check/control to be moved away from the interface between the telecommunication network and the IP-network, which makes possible more efficiency and extended functionality.

PRIOR ART

In the systems of today a user's access authorization is checked, and debiting for modem pools is attended to, by a terminal server which is arranged at or in the modem pool. Each modem pool consequently has a server of its own which checks the access. This means that the modem pools are unnecessarily burdened with technology and costs.

According to the present invention a separate access check/control server is provided which can be located at any place in the system. This means a more effective utilization and also makes possible extended functionality in the server, which will be explained in more detail below.

SUMMARY OF THE INVENTION

Consequently the present invention provides an arrangement to check/control access to IP-networks via the telecommunication networks. The arrangement includes a personal computer connected via the telecommunication network to an interface pool which constitutes the interface between the telecommunication network and the IP-network.

According to the invention, the arrangement includes a remote-controlled filter which can be controlled to allow access to the IP-network, and an access check/control server which can check the authorization of the user of the personal computer, and control the remote-controlled filter depending on the authorization check.

Preferably the normal state of the filter is to allow access only to the access check/control server. The access check/control server can also attend to debiting and different blocking functions in accordance with preferred embodiments of the invention.

The invention is defined in detail in the enclosed patent claims.

BRIEF DESCRIPTION OF THE DRAWING

The invention will be described in detail below with reference to the drawing, where the only drawing is a combined block diagram and flow chart of a preferred embodiment of the present invention.

1) The filter only allows access to the access check/control server.
2) Order to open to full Internet-access after check.
3) The filter is open to full Internet-access for the IP-number of the calling computer.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention consequently relates to an arrangement for access check/control by means of a server connected at any place in a TCP/IP-network, for instance Internet. The arrangement makes it possible for the debiting to be managed by the server. The invention also makes possible advertisement financing of the access, i.e. that one does not get access to the network before one has studied an advertisement message.

The figure shows how a user's personal computer is connected to an IP-network via the telecommunication network, a modem pool and a filter. An access check/control server checks the authorization of the user, and controls a remote-controlled filter to control the access. The arrows 1, 2 and 3 describe the steps to open the access to the IP-network.

A user connects himself/herself via the telecommunication network to a modem pool or interface pool. By interface pool is here meant any form of equipment which allows a user to connect himself/herself from the telecommunication network to the TCP/IP-network. (Transmission Control Protocol/Internet Protocol is an international standard.) In the simplest case the interface pool consists of a number of modems connected to a terminal server. The functionality can be gathered in one and the same equipment. Further, it need not be modems; it can also be ATM- or ISDN-adapters or -cards. The protocol which is used for the communication is typically Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP). The user either need not log in to the modem pool, or the login identity and password are the same for all users. The user is dynamically allocated an IP-number, i.e. an IP-address, by the modem pool.

A filter (a router connected to a computer or a firewall) is connected between the modem pool and the IP-network. This filter initially allows the calling user access only to the server where the access check takes place. This can for instance be a World Wide Web-server. This is the reason why no special user identification is necessary in the modem pool.

After authorization check of the user and possibly debiting, a program module is activated in the server. This program module now transmits a (suitably encrypted) message to the filter telling it to open for just this user's IP-address, so that the user gets access to a number of servers (for instance all servers) on the IP-network. The filter stays in the open position until the user has disconnected. Then a message is transmitted from the modem pool to the filter stating that the user's IP-number shall be blocked, i.e. that access shall again be allowed only to the access check/control server. Alternatively this message can be transmitted the next time a user who has connected himself/herself has been allocated the same IP-number.

Instead of authorization check and debiting being made in the access check/control server, or as a complement to this, the IP-network access can be advertisement financed. This is arranged by the user having to study an advertisement message. When this has been done, the program module which opens for the IP-network access is activated. To ensure that the user has studied the advertisement message, a number of questions can be asked in connection with it. Only after the questions have been satisfactorily answered is the network access opened.

The above described system can be used to block certain servers in Internet or other IP-networks. This is done by messages being transmitted to all filters about which addresses shall be blocked. The filters after that block all these addresses even after they have opened for full access to one user.

The above described system can also be used to give certain users restricted access to the IP-network. By arranging special profiles (lists) of which IP-network addresses are allowed and not allowed respectively, the filter can be set selectively for a certain user when he/she opens for IP-network access in the access check/control server. The profiles can be in the access check/control server and be transmitted to the filter via the opening. Alternatively, profiles can be predefined in the filter and the only thing transmitted from the access check/control server is the message about which profile shall be used.

This functionality can for instance be utilized to prevent certain users from getting access to certain pornography-related servers.

Consequently the arrangement according to the present invention implies that the access check/control is moved out from the interface pool to any place in the system. This means that the number of access check/control servers which are required can be reduced, and each access check/control server can thereby be made more effective and offer extended functionality. The hardware and the software required to realize the invention are easily realized by an expert in the field. The invention is only restricted by the following patent claims.
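The filter states and control messages described above, modelled as an added example that is not part of the patent text. It assumes the control message is authenticated with HMAC-SHA256 plus a sequence number, standing in for the "suitably encrypted" message of the description; the class name, message fields, shared key and addresses are constructed for illustration.

```python
import hashlib
import hmac
import json

ACCESS_SERVER = "192.0.2.10"  # constructed address of the access check/control server


class RemoteControlledFilter:
    # Normal state: a calling IP may reach only the access check/control server.
    def __init__(self, key, profiles=None):
        self.key = key                  # assumption: one key shared by all control senders
        self.profiles = profiles or {}  # predefined profiles: name -> blocked addresses
        self.open_ips = {}              # caller IP -> profile name, or None for full access
        self.global_block = set()       # addresses blocked for every user
        self.last_seq = 0               # highest sequence number accepted so far

    def handle(self, body, tag):
        """Apply a control message only if its MAC verifies and it is not a replay."""
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq or msg["op"] not in ("open", "close", "block"):
            return False
        self.last_seq = msg["seq"]
        if msg["op"] == "open":         # arrow 2: order to open after the check
            self.open_ips[msg["ip"]] = msg.get("profile")
        elif msg["op"] == "close":      # user disconnected: back to the normal state
            self.open_ips.pop(msg["ip"], None)
        else:                           # block an address for all users of this filter
            self.global_block.add(msg["dst"])
        return True

    def allows(self, src, dst):
        if dst == ACCESS_SERVER:        # arrow 1: always reachable
            return True
        if src not in self.open_ips or dst in self.global_block:
            return False
        profile = self.open_ips[src]
        if profile is None:
            return True
        blocked = self.profiles.get(profile)  # unknown profile name: fail closed
        return blocked is not None and dst not in blocked


def control_message(key, seq, op, **fields):
    """Build (body, tag) the way the server's program module would in this model."""
    body = json.dumps({"seq": seq, "op": op, **fields}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()
```

A forged or replayed message leaves the filter state unchanged, and a global block still applies to an IP-number that has already been opened.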

Claims

1. Arrangement to check/control access to IP-network via telecommunication network, including at least one personal computer connected via the telecommunication network to an interface pool which constitutes interface between the telecommunication network and the IP-network, characterized in at least one remote-controlled filter which can be controlled to allow access to the IP-network, and an access check/control server which can check the authorization of the user of the personal computer and control the remote-controlled filter depending on the authorization check.

2. Arrangement according to patent claim 1, characterized in that the remote-controlled filter before the authorization check only allows access to the access check/control server.

3. Arrangement according to patent claim 2, characterized in that the normal state of the remote-controlled filter after finished access for the user of the personal computer only is to allow access to the access check/control server.

4. Arrangement according to any of the previous claims, characterized in that the access check/control server attends to debiting of the user of the personal computer.

5. Arrangement according to any of the previous claims, characterized in that the interface pool is a modem pool.

6. Arrangement according to any of the previous patent claims, characterized in that the access check/control server as complement or alternative to the authorization check and the debiting, is arranged to attend to transmission of a preferably interactive advertisement message to the user of the personal computer.

7. Arrangement according to any of the previous patent claims, characterized in that the access check/control server blocks access to certain IP-network addresses.

8. Arrangement according to any of the previous patent claims, characterized in that the access check/control server, depending on for the user of the personal computer individual authorization profiles, blocks access to certain IP-network addresses.

9. Arrangement according to patent claim 8, characterized in that individual authorization profiles are stored in the access check/control server.

10. Arrangement according to patent claim 8, characterized in that predefined authorization profiles are stored in the remote-controlled filter, at which the authorization check can imply that an authorization profile is tied to the user of the personal computer.

[Figure 1. Labels: three modem pools and three filters; personal computer connected to the modem pool, for instance with PPP or SLIP; IP network (for instance Internet); access check/control server with program module (for instance a script); arrows 1) and 2).]