(12) United States Patent
Fuh et al.

US006463474B1
(10) Patent No.: US 6,463,474 B1
(45) Date of Patent: Oct. 8, 2002

(54) LOCAL AUTHENTICATION OF A CLIENT AT A NETWORK DEVICE

(75) Inventors: Tzong-Fen Fuh, Fremont; Serene H. Fan, Palo Alto; Diheng Qu, Santa Clara, all of CA (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/347,433
(22) Filed: Jul. 2, 1999
(51) Int. Cl.7: G06F 15/173
(52) U.S. Cl.: 709/225; 709/229; 709/232; 713/201
(58) Field of Search: 709/229, 225, 223, 232; 713/200, 201

(56) References Cited

U.S. PATENT DOCUMENTS
5,991,807 A * 11/1999 Schmidt et al. 709/225
6,182,142 B1 * 1/2001 Win et al. 709/229
6,219,706 B1 * 4/2001 Fan et al. 709/225
6,233,576 B1 5/2001 Lewis 707/9
6,233,618 B1 * 5/2001 Shannon 709/229
6,292,798 B1 * 9/2001 Dockter et al. 707/9
6,292,904 B1 * 9/2001 Broomhall et al. 714/1
* cited by examiner

Primary Examiner: Glenton B. Burgess
Assistant Examiner: Kimberly D. Flynn
(74) Attorney, Agent, or Firm: Hickman Palermo Truong & Becker LLP

(57) ABSTRACT

A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally. As a result, a client may be authenticated locally at a router or similar device, reducing network traffic to the authentication server.

21 Claims, 9 Drawing Sheets

[Front-page drawing: block diagram in which only the labels "Browser 304" and "LAN 206" survived extraction.]

GUEST TEK EXHIBIT 1006
Guest Tek v. Nomadix, IPR2019-01191
`
`

`

U.S. Patent
Oct. 8, 2002
Sheet 1 of 9
US 6,463,474 B1

[FIG. 1: block diagram of a computer system upon which an embodiment may be implemented. Only fragmentary, mirrored labels survived extraction (main memory, local network).]
`

`

[Sheet 2 of 9, FIG. 2: block diagram of system 200 providing an authentication proxy in a network environment; apart from the numeral 202 (first region) the labels did not survive extraction.]

`

[Sheet 3 of 9, FIG. 3: the system of FIG. 2 showing certain internal details. Labels recoverable from the mirrored extraction: User, Browser, Database, Firewall Router 210, LAN 206, and reference numerals 302, 306, 308 and 310.]

`

[Sheet 4 of 9, FIG. 4: the system of FIG. 3 showing certain paths of network traffic. Labels recoverable from the mirrored extraction: User Profiles, Browser, login, reload, External Interface, Internal Interface, Input ACL, Output ACL, Firewall, Router, Authentication Caches, LAN 206.]

`

[Sheet 5 of 9, FIG. 5A: display 500 of a graphical user interface containing a dialog box for soliciting a username and password; only a "Directory Window" menu label survived extraction.]
`

`

[Sheet 6 of 9, FIG. 5B: display of the graphical user interface informing of an authentication success (a Netscape browser window with its menu bar and Location field); the page contents did not survive extraction.]
`

`

[Sheet 7 of 9] FIG. 6: state diagram of Authentication Cache 436.
States and transitions recoverable from extraction: AUTHENTICATE; 604 HTTP FINWAIT; CONNECT; 606 HTTP ESTAB.

`

[Sheet 8 of 9] FIG. 7A: flow diagram of a process of proxy authentication (text mirrored in the extraction; steps recovered where legible):
702 RECEIVE REQUEST
704 EXAMINE PACKETS
706 SOURCE IP ADDRESS [matches] FILTERING MECHANISM? (wording partly reconstructed from the Summary)
708 SEARCH AUTHENTICATION CACHE(S) FOR SOURCE IP ADDRESS
PASS TRAFFIC / BLOCK TRAFFIC

`

[Sheet 9 of 9] FIG. 7B: flow diagram of further steps in the process of FIG. 7A.
720 CREATE NEW AUTHENTICATION CACHE FOR CURRENT USER
722 SET NEW AUTHENTICATION CACHE TO INIT STATE
724 REQUEST LOGIN INFORMATION FROM CLIENT
726 RECEIVE LOGIN INFORMATION FROM CLIENT
728 AUTHENTICATE USER WITH LOGIN INFORMATION AND AAA SERVER
730 SUCCESSFUL AUTHENTICATION?
  YES: 732 UPDATE AUTHENTICATION CACHE; 734 RE-CONFIGURE FIREWALL; 736 NOTIFY CLIENT; SEND PAGE RELOAD INSTRUCTION
  NO: 736 NOTIFY CLIENT; 738 BLOCK TRAFFIC
`

`

LOCAL AUTHENTICATION OF A CLIENT AT A NETWORK DEVICE

FIELD OF THE INVENTION
The present invention generally relates to management of computer networks, and relates more specifically to authentication and authorization mechanisms for network devices such as routers and firewalls.

BACKGROUND OF THE INVENTION
Computer users often access information, computer files, or other resources of computer networks from locations that are geographically or logically separate from the networks. This is referred to as remote access. For example, a user of a host or client that is part of a local area network ("LAN") may want to retrieve information that resides on a computer that is part of a remote network. Before a user can gain access to that computer, the user must first obtain permission to do so. In the interest of data integrity and data confidentiality, many computer networks have implemented integrity and access control mechanisms to guard against unwanted network traffic or access by unauthorized users. On the other hand, a corporation may institute policies that restrict its employees from accessing certain web sites on the Internet while using the corporation's computer resources. For example, Corporation C may disallow access to pornographic web sites. Corporation C's access control mechanism would prevent the employees from accessing such sites.

An example of an access control mechanism is a server that implements authentication, authorization, and accounting ("AAA") functions. Authentication is the process of verifying that the user who is attempting to gain access is authorized to access the network and is who he says he is. Generally, after authentication of a user, an authorization phase is carried out. Authorization is the process of defining what resources of the network an authenticated user can access.

Several authentication and authorization mechanisms are suitable for use with operating systems that are used by network devices, such as the Internetworking Operating System ("IOS") commercially available from Cisco Systems, Inc. However, most prior authentication and authorization mechanisms are associated with dial-up interfaces, which can create network security problems. In a dial-up configuration, a remote client uses a telephone line and modem to dial up a compatible modem that is coupled to a server of the network that the remote client wishes to access. In another dial-up configuration, a remote client first establishes a dial-up connection to a server associated with an Internet Service Provider, and that server then connects to the network server through the global, public, packet-switched internetwork known as the Internet. In this configuration, the network server is coupled directly or indirectly to the Internet.

Unfortunately, information requests and other traffic directed at a network server from the Internet are normally considered risky, untrusted traffic. An organization that owns or operates a network server can protect itself from unauthorized users or from unwanted traffic from the Internet by using a firewall. A firewall may comprise a router that executes a "packet filter" computer program. The packet filter can selectively prevent information packets from passing through the router, on a path from one network to another. The packet filter can be configured to specify which packets are permitted to pass through the router and which should be blocked. By placing a firewall on each external network connection, an organization can prevent unauthorized users from interfering with the organization's network of computers. Similarly, the firewall can be configured to prevent the users of the organization's network of computers from accessing certain undesirable web sites on the Internet.

One common method of remote access using the Internet is telnet, a protocol used to support remote login sessions that defines how local and remote computers talk to each other to support a remote login session. "Telnet" is also the name of a remote login program commonly used in networks based on Transmission Control Protocol/Internet Protocol ("TCP/IP"), a set of protocols that define how communications occur over the Internet. Past authentication and authorization mechanisms were produced to work with firewalls in the context of telnet. An example of an authentication and authorization mechanism that works with telnet is "Lock and Key" for IOS, commercially available from Cisco Systems, Inc.

However, a major drawback of telnet is that the client must know, before making any connection request, the Internet Protocol address ("IP address") of the firewall that is protecting the target network which the client is attempting to access. An IP address is a unique 32-bit binary number assigned to each firewall, router, host computer or other network element that communicates using IP. Obtaining the IP address of a firewall can be inconvenient or impractical because there are so many IP addresses currently assigned to network devices. Further, IP addresses normally are guarded closely by the network owner, because knowledge of an IP address enables unauthorized traffic to reach the device identified by the IP address.

Moreover, once a user successfully uses the authentication and authorization mechanism to secure a logical path through the firewall, the user may be restricted to one type of network traffic for the connection. For example, a firewall can be configured to provide a path through the firewall for a specific type of network traffic as specified by a user profile that is associated with each authenticated user. The user profile contains information on what the user is authorized to do on the network. The user profile may specify, for example, that the user may use only File Transfer Protocol ("FTP") traffic. Thus, the user may use the path through the firewall only for FTP traffic, for the duration of that connection. Furthermore, the user profile associated with the user contains a specific IP address that specifies the host or client from which the user can attempt to secure a logical path through the firewall. Thus, a user is not free to use any one of several computers that may be available to access the target network. Also, the user may not be free to use a client in a network that employs Dynamic Host Configuration Protocol (DHCP). DHCP assigns dynamic IP addresses to the devices on a network. Thus, a client in a DHCP environment can have a different IP address every time it connects to the network.

Based on the foregoing, there is a clear need for a mechanism allowing users to use remote access via the Internet without requiring advance knowledge of the IP address of the firewall router, and without restricting a user to a particular host or client.

In particular, there is a need for an authentication and authorization mechanism in the context of remote access via the Internet that does not rely on telnet and that allows the passage of different types of traffic for a given connection.
SUMMARY OF THE INVENTION
The foregoing needs, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method of controlling access of a client to a network resource using a network device that is logically interposed between the client and the network resource, the method comprising creating and storing client authorization information at the network device, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client is authorized to have with respect to the network resource; receiving a request from the client to communicate with the network resource; determining, at the network device, whether the client is authorized to communicate with the network resource based on the authorization information; and reconfiguring the network device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.
One feature of this aspect is that creating and storing client authorization information comprises the steps of creating and storing in the network device a set of authorization information for each client that communicates with the network device.

Another feature of this aspect is that creating and storing client authorization information comprises the steps of creating and storing in the network device an authentication cache for each client that communicates with the network device.

In another feature, creating and storing client authorization information comprises the steps of creating and storing in the network device a plurality of authentication caches, each authentication cache uniquely associated with one of a plurality of clients that communicate with the network device, each authentication cache comprising information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client is authorized to have with respect to the network resource.

According to still another feature, determining whether the client is authorized to communicate with the network resource comprises the step of determining whether information in the request identifying the client matches information in a filtering mechanism of the network device and the authorization information stored in the network device.

In another feature, determining whether the client is authorized to communicate with the network resource comprises the steps of determining whether a source IP address of the client in the request matches information in a filtering mechanism of the network device; and if so, determining whether the source IP address matches the authorization information stored in the network device.

In another feature, determining whether the client is authorized to communicate with the network resource comprises the steps of determining whether a source IP address of the client in the request matches information in a filtering mechanism of the network device; determining whether the source IP address matches the authorization information stored in the network device; and when the source IP address fails to match the authorization information stored in the network device, determining if user identifying information received from the client matches a profile associated with the user that is stored in an authentication server that is coupled to the network device.

In another feature, determining whether the client is authorized to communicate with the network resource comprises the steps of determining whether client identifying information in the request matches information in a filtering mechanism of the network device; determining whether the client identifying information matches the authorization information stored in the network device; and only when the client identifying information fails to match the authorization information stored in the network device, then: creating and storing new authorization information in the network device that is uniquely associated with the client; requesting login information from the client; authenticating the login information by communicating with an authentication server that is coupled to the network device; and updating the new authorization information based on information received from the authentication server.

According to another feature, requesting login information from the client comprises sending a Hypertext Markup Language login form to the client to solicit a username and a user password; and authenticating the login information by communicating with an authentication server that is coupled to the network device comprises determining, from a profile associated with a user of the client stored in the authentication server, whether the username and password are valid.

In another feature, the method further comprises the steps of creating and storing an inactivity timer for each authentication cache, wherein the inactivity timer expires when no communications are directed from the client to the network resource through the network device during a predetermined period of time; and removing the updated authentication information when the inactivity timer expires.

In another feature, determining whether the client is authorized to communicate with the network resource comprises the steps of determining whether a source IP address in the request matches information in a filtering mechanism of the network device; determining whether the source IP address matches the authorization information stored in the network device; and only when the source IP address fails to match the authorization information stored in the network device, then: creating and storing in the network device a new authentication cache that is uniquely associated with the client; requesting login information from the client; authenticating the login information by communicating with an authentication server that is coupled to the network device; and updating the new authentication cache based on information received from the authentication server.

According to another feature, reconfiguring the network device comprises the steps of creating and storing one or more commands to the network device whereby one or more interfaces of the network device are modified to permit communications between the client and the network resource.

In another feature, the method further involves instructing the client to reload the network resource that was identified in the request from the client when it is determined that the client is authorized to communicate with the network resource.

According to another feature, the method further comprises the steps of waiting a pre-determined period of time, and instructing the client to reload the network resource that was identified in the request from the client when it is determined that the client is authorized to communicate with the network resource.

In another feature, the network device comprises a firewall that protects the network resource by selectively blocking messages initiated by the client and directed to the network resource, the firewall comprising an external interface and an internal interface, the firewall comprising an Output Access Control List at the internal interface and an Input Access Control List at the external interface, wherein reconfiguring the network device comprises the steps of: substituting the IP address in user profile information associated with a user of the client to create new user profile information, wherein the user profile associated with the user of the client is received from an authentication server that is coupled to the network device; and adding the new user profile information as temporary entries to the Input Access Control List at the external interface and to the Output Access Control List at the internal interface.
According to still another feature, the method further involves: creating and storing an inactivity timer for the authorization information, wherein the inactivity timer expires when no communications are directed from the client to the network resource through the network device during a pre-determined period of time; associating the temporary entries with the authorization information and the client; and removing the temporary entries and the authorization information from the network device if the inactivity timer expires.

In another feature, the authorization information includes a table of hashed entries, and associating the temporary entries with the authorization information further comprises storing the temporary entries in the table of hashed entries.

In another feature, the network device comprises a firewall that protects the network resource by selectively blocking messages initiated by the client and directed to the network resource, the firewall comprising an external interface and an internal interface, the firewall comprising an Output Access Control List at the external interface and an Input Access Control List at the internal interface, wherein reconfiguring the network device comprises the steps of: substituting the IP address in user profile information associated with a user of the client to create new user profile information, wherein the user profile associated with the user of the client is received from an authentication server that is coupled to the network device; and adding the new user profile information as temporary entries to the Input Access Control List at the internal interface and to the Output Access Control List at the external interface.

In another feature, the method further involves: creating and storing an inactivity timer for the authorization information, wherein the inactivity timer expires when no communications are directed from the client to the network resource through the network device during a pre-determined period of time; associating the temporary entries with the authorization information and the client; and removing the temporary entries and the authorization information from the network device if the inactivity timer expires.

In another feature, the authorization information includes a table of hashed entries, and associating the temporary entries with the authorization information further comprises storing the temporary entries in the table of hashed entries.

According to another aspect, the invention encompasses a computer system for controlling access of a client to a network resource using a network device that is logically interposed between the client and the network resource, comprising: one or more processors; a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of: creating and storing client authorization information at the network device, wherein the client authorization information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client is authorized to have with respect to the network resource; receiving a request from the client to communicate with the network resource; determining, at the network device, whether the client is authorized to communicate with the network resource based on the authorization information; and reconfiguring the network device to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.

According to another aspect, the invention involves a router that is logically interposed between a client and a network resource and that controls access of the client to the network resource, comprising: one or more processors; a storage medium carrying one or more sequences of one or more instructions including instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of: creating and storing client authorization information at the router, wherein the client authentication information comprises information indicating whether the client is authorized to communicate with the network resource and information indicating what access privileges the client is authorized to have with respect to the network resource; receiving a request from the client to communicate with the network resource; determining, at the router, whether the client is authorized to communicate with the network resource based on the authorization information; and reconfiguring the router to permit the client to communicate with the network resource only when the client is authorized to communicate with the network resource based on the authorization information.

In other aspects, the invention encompasses a computer apparatus, a computer readable medium, and a carrier wave configured to carry out the foregoing steps.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements and in which:
FIG. 1 is a block diagram that illustrates a computer system upon which an embodiment may be implemented;
FIG. 2 is a block diagram of a system providing an authentication proxy in a network environment;
FIG. 3 is a block diagram of the system in FIG. 2 showing certain internal details;
FIG. 4 is a block diagram of the system in FIG. 3 showing certain paths of network traffic;
FIG. 5A illustrates a display of a graphical user interface containing a dialog box for soliciting a username and password;
FIG. 5B illustrates a display of the graphical user interface informing of an authentication success;
FIG. 6 is a state diagram of states in which an authentication cache may execute;
FIG. 7A is a flow diagram of a process of proxy authentication;
FIG. 7B is a flow diagram of further steps in the process of FIG. 7A.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
A method and apparatus for authentication and authorization proxy mechanisms for firewalls that protect networks is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.
OPERATIONAL CONTEXT
The present invention may be implemented using various client protocols such as Telnet, File Transfer Protocol (FTP), or HyperText Transfer Protocol (HTTP). For purposes of illustration, the invention is described in the context of an HTTP client protocol.

In one embodiment, a user of a client that is part of a local area network ("LAN") attempts to remotely access a server ("target server") or some other resource, such as a peer client or device. The target server and/or peer are part of a packet-switched private network that operates using TCP/IP and other Internet standards ("intranet"). The client is connected to the Internet through the LAN, and the intranet is also connected to the Internet. Alternatively, the client may be a stand-alone computer connected to the Internet through a dial-up connection or a digital communication service such as an Integrated Services Digital Network (ISDN) connection. In another embodiment, a user of a client from within the intranet attempts to access a target server or other resource that is not part of the same intranet as that of the client.

When the target server executes an HTTP server, the client can remotely access the target server over the Internet by using a Web browser to specify a Web page on the target server. Using a Web browser to specify a Web page is hereafter referred to as an "HTTP request" or as "transmitting HTTP packets." A Web page of the target server may be accessed using identifying information, such as a Uniform Resource Locator ("URL"), and therefore the Web page is sometimes called the "target URL."

The HTTP packets are intercepted by a firewall that protects the intranet from unwanted network traffic originating from the Internet (inbound traffic) and can prevent users of clients from within the intranet from accessing undesirable web sites on the Internet (outbound traffic). For purposes of illustration, use of an embodiment with inbound traffic is described in further detail below.

Upon intercepting the HTTP packets, the firewall requests, from the client, authentication information such as username and password. In response to receiving the authentication information, the firewall performs an authentication and authorization process. If the username is successfully authenticated, then the firewall is dynamically configured to open a passageway for the HTTP packets as well as other types of network traffic initiated from the user on the client. The other types of network traffic that are permitted through the passageway are specified in a user profile for that particular user. In this context, "open a passageway" means that the firewall re-configures itself, in response to successful authentication, so that packets that would otherwise be barred are now allowed to pass.

In this configuration, the firewall provides an authentication and authorization mechanism that substitutes for an authentication and authorization mechanism elsewhere in the network. Accordingly, the mechanism described in this document is referred to as an "Authentication Proxy." The Authentication Proxy may comprise one or more software components, executed by a router. In one embodiment, the Authentication Proxy can be enabled on a router interface to intercept traffic initiated from a client that is not yet authenticated. The Authentication Proxy is responsible for validating the user associated with the client and for applying the appropriate user profile to the router interface. The authentication and authorization process and the dynamic configuration of the firewall are described in further detail below.
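The flow that the Summary and this section describe (a local cache lookup keyed by source IP address, an HTML login on a miss, authentication against the AAA server, substitution of the client's IP address into the user profile, temporary ACL entries on the firewall interfaces, and an inactivity timer that tears them down, i.e. the steps of FIG. 7A and FIG. 7B) is modelled below in Python as an added example. It is not code from the patent or from Cisco. The cache state names, the CLIENT_IP placeholder, the ACL line format, the constructed AAA store, and the use of a subnet as the "filtering mechanism" are assumptions made for the illustration; the step numbers in the comments refer to the drawings above.

```python
"""Model of the Authentication Proxy flow (added example, not the patent's code)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class CacheState(Enum):
    INIT = "INIT"                  # 722: newly created cache, login not yet requested
    AUTHENTICATE = "AUTHENTICATE"  # login received, AAA check in progress (assumed name)
    HTTP_ESTAB = "HTTP_ESTAB"      # authenticated; passageway open (name from FIG. 6)


@dataclass
class AuthCache:
    """Per-client authentication cache; one per source IP address."""
    source_ip: str
    last_activity: float
    state: CacheState = CacheState.INIT
    username: Optional[str] = None
    temp_entries: List[str] = field(default_factory=list)  # ACL lines added for this client


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed AAA store (assumption). Profile lines carry a CLIENT_IP placeholder that
# the proxy replaces with the real source address, so a user is not pinned to one host.
AAA_PROFILES = {
    "alice": {
        "password_hash": _pw_hash("correct horse"),
        "profile": ["permit tcp host CLIENT_IP any eq 80",
                    "permit tcp host CLIENT_IP any eq 21"],
    },
}


class AAAServer:
    """Stand-in for the remote AAA server; counts calls to show local caching at work."""
    def __init__(self, profiles: dict):
        self.profiles = profiles
        self.requests = 0

    def authenticate(self, username: str, password: str) -> Optional[List[str]]:
        self.requests += 1
        entry = self.profiles.get(username)
        if entry is None or not hmac.compare_digest(entry["password_hash"], _pw_hash(password)):
            return None
        return list(entry["profile"])


class AuthProxy:
    def __init__(self, aaa: AAAServer, inactivity_timeout: float, filter_net: str):
        self.aaa = aaa
        self.timeout = inactivity_timeout
        self.filter_net = ipaddress.ip_network(filter_net)  # "filtering mechanism" (assumed)
        self.caches: Dict[str, AuthCache] = {}
        self.input_acl: List[str] = []   # temporary entries, external interface
        self.output_acl: List[str] = []  # temporary entries, internal interface

    def handle_request(self, source_ip: str, now: float) -> str:
        """FIG. 7A: returns PASS, BLOCK or LOGIN_FORM for an intercepted HTTP request."""
        if ipaddress.ip_address(source_ip) not in self.filter_net:
            return "BLOCK"                               # 706: outside the filter scope
        cache = self.caches.get(source_ip)               # 708: search caches by source IP
        if cache is not None and cache.state is CacheState.HTTP_ESTAB:
            cache.last_activity = now                    # local hit: no AAA round trip
            return "PASS"
        if cache is None:
            self.caches[source_ip] = AuthCache(source_ip, now)  # 720/722: new cache, INIT
        return "LOGIN_FORM"                              # 724: solicit username/password

    def handle_login(self, source_ip: str, username: str, password: str, now: float) -> str:
        """FIG. 7B steps 726-738: returns RELOAD on success, BLOCK on failure."""
        cache = self.caches.get(source_ip)
        if cache is None:
            return "BLOCK"
        if cache.state is CacheState.HTTP_ESTAB:
            return "RELOAD"                              # already open; do not add entries twice
        cache.state = CacheState.AUTHENTICATE
        profile = self.aaa.authenticate(username, password)       # 728
        if profile is None:                                       # 730: NO
            del self.caches[source_ip]                            # 736/738: notify, block
            return "BLOCK"
        entries = [line.replace("CLIENT_IP", source_ip) for line in profile]
        self.input_acl.extend(entries)                            # 734: re-configure firewall
        self.output_acl.extend(entries)
        cache.username, cache.temp_entries = username, entries
        cache.state, cache.last_activity = CacheState.HTTP_ESTAB, now  # 732: update cache
        return "RELOAD"                                           # 736: page reload instruction

    def expire(self, now: float) -> List[str]:
        """Inactivity timer: remove temporary ACL entries and caches idle past the timeout."""
        expired = [ip for ip, c in self.caches.items() if now - c.last_activity > self.timeout]
        for ip in expired:
            for line in self.caches[ip].temp_entries:
                self.input_acl.remove(line)
                self.output_acl.remove(line)
            del self.caches[ip]
        return expired
```

Because the cache is keyed by source IP address and the profile is rewritten at login time, the same user can authenticate from different hosts (the DHCP case raised in the Background), and a second request from an authenticated client is answered locally without a round trip to the AAA server, which the `requests` counter on the constructed server makes visible. The passageway is bound to an IP address rather than to a session, so the inactivity timeout is the setting that bounds how long an opened entry outlives the user's activity; it is worth keeping short.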
FIG. 2 is a block diagram of a system 200 in which an embodiment of an Authentication Proxy can be used. Generally, system 200 includes a LAN 206, and a local, packet-switched network that uses Internet protocols, or intranet, 216. The LAN 206 and the intranet are both connected to a global network such as the Internet. The LAN 206 and intranet 216 are respectively located in logically distinct regions, such as first region 202 and second region 204, which may be geographically separate. A firewall router 210 is logically interposed between LAN 206 and the intranet 216.

LAN 206 is a local area network comprising any number of network devices 208a, 208b, 208c interconnected by one or more communications channels 209. Ethernet, Token Ring, or other protocols can characterize the communications channels 209.

Firewall router 210 is a specialized router that carries out firewall functions. The firewall router 210 is coupled to intranet 216 and to an authentication and authorization server 218 ("AAA server"). The firewall router 210 controls remote access to intranet 216. AAA server 218 is a computer, or a group of hardware or software components or processes that cooperate or execute in one or m
