United States Patent [19]
Reid

[11] Patent Number: 6,131,120
[45] Date of Patent: Oct. 10, 2000

[54] ENTERPRISE NETWORK MANAGEMENT DIRECTORY CONTAINING NETWORK ADDRESSES OF USERS AND DEVICES PROVIDING ACCESS LISTS TO ROUTERS AND SERVERS

[75] Inventor: William J. Reid, Dallas, Tex.

[73] Assignee: Directory Logic, Inc., Dallas, Tex.

[21] Appl. No.: 08/956,697

[22] Filed: Oct. 24, 1997

[51] Int. Cl.7: G06F 15/173; G06F 15/16
[52] U.S. Cl.: 709/225; 709/238; 709/249
[58] Field of Search: 709/225, 238, 249

[56] References Cited

U.S. PATENT DOCUMENTS

5,634,010    5/1997  Liscon et al.     709/223
5,774,668    6/1998  Choquier et al.   709/223
5,796,727    8/1998  Harrison et al.   370/338
5,825,772   10/1998  Dobbins et al.    370/396

Primary Examiner: Krisna Lim
Attorney, Agent, or Firm: John E. Vandigriff

[57] ABSTRACT

An enterprise network using a wide area network (WAN), and having routers and servers, uses a master directory to determine access rights, including the ability to access the WAN through the routers and the ability to access the server over the WAN.

23 Claims, 8 Drawing Sheets

[Front-page drawing: enterprise network 98 with directory servers 100, 106 and 107 connected over WAN 120; reference numerals 111 and 113.]

CISCO EXHIBIT 1007
Page 1 of 20

U.S. Patent, Oct. 10, 2000, Sheet 1 of 8, 6,131,120

[Figure 1 (Prior Art): prior art network 50 with WAN 58; reference numerals shown: 42, 54, 80, 88.]

[Figure 2 (Prior Art), Sheet 2 of 8: table with columns Application, OSI Model and Example over the seven OSI layers (Application - Layer 7, Presentation - Layer 6, Session - Layer 5, Transport - Layer 4, Network - Layer 3, Data Link - Layer 2, Physical - Layer 1). Directory Services column: N/A, Packet Content, DAP / LDAP, Internet, Ethernet, Coax. E-mail example column: N/A, Packet Content, LDAP, Internet, Ethernet, Twisted Pair.]

[Figure 3 (Prior Art), Sheet 3 of 8: table with columns Application, OSI Model and Network Device over the same seven OSI layers. Directory Services column: N/A, Packet Content, DAP / LDAP, Internet, Ethernet, Coax. Router/Server column: Telnet, Internet, Ethernet, Twisted Pair.]

[Figure 4, Sheet 4 of 8: enterprise network 98 with directory servers labelled 100, 105 and 106 connected over WAN 120.]

[Figure 5, Sheet 5 of 8: detailed operation of the network IP management; WAN 220, element 212.]

[Figure 6, Sheet 6 of 8: alternative architecture and topology; element 312.]

[Figure 7, Sheet 7 of 8: flow chart, steps 400 to 405: Mobile user dials into WAN; Terminal server authenticates; Connect servers and printers; User starts web browser to find server or printer; Direct browser to directory; User locates server or printer.]

[Figure 8, Sheet 8 of 8: Directory Application and Device Application stacks over the seven OSI layers. Directory Application side: Push/Pull Application; Directory Services; N/A; Packet Content; DAP / LDAP; Internet; Ethernet; Coax. Device Application side: Push/Pull Application; Router/Server; Telnet / FTP; Telnet / FTP / LDAP; Internet; Ethernet; Twisted Pair.]

6,131,120

ENTERPRISE NETWORK MANAGEMENT DIRECTORY CONTAINING NETWORK ADDRESSES OF USERS AND DEVICES PROVIDING ACCESS LISTS TO ROUTERS AND SERVERS

FIELD OF THE INVENTION

The present invention relates to computer networks for managing enterprise network access and providing enterprise network security.

BACKGROUND OF THE INVENTION

The marketplace for many companies has expanded from a national to a world marketplace. Large international companies have expanded into global companies and smaller companies have become international competitors. This market expansion has been driven by technology that has made both voice and data communication easier.

Technological advances in recent years have allowed computer users to maintain access to their corporate or home informational networks, regardless of where they work or where they travel, through "remote offices", "mobile computing", and "telecommuting." Remote offices refers to parts of a company organization that are geographically spaced from the main or base office, and may include foreign manufacturing plants, regional sales offices, or vendor organizations. Mobile computing refers to the use of transportable self-contained computers, such as a laptop computer, including means for establishing a telecommunications link to a server or network of other computers. Telecommuting refers to the use of a telecommunications link, particularly through a computer, to enable a working individual to conduct his or her business from any desired location, rather than having to physically travel to a particular place of work.

FIG. 1, generally at 50, shows a prior art system that a remote user currently may use to communicate with a home network. The system 50 has remote users 52 and 54 that communicate through a wide-area network (WAN) to a company or home network 60. WAN 58 may include dedicated or non-dedicated network links. A typical dedicated network would include frame relay network elements and a typical non-dedicated network would include TCP/IP network elements.

Remote users can communicate with WAN 58 in a number of different ways. As shown in FIG. 1, user 52 connects to the WAN 58 through a modem 62, a public switched telephone network (PSTN) 64, and a server 66. User 52 can be a mobile or a stationary user. User 54, shown as a stationary user with a desktop computer, connects to WAN 58 through a router 56 and a dedicated local loop 59. Local loop 59 connections normally are provided by a local exchange carrier (LEC) such as Southwestern Bell or Bell Atlantic. WAN 58 could be a private company network of leased lines or frame relay connections, or it could be a public network, such as the Internet.

Home network 60 has a destination server 80 and firewall 82, and as shown in FIG. 1, a Local Area Network (LAN) 84 with a LAN server 86 and a number of workstations 88. There can be many LANs, servers, and other resources in the company or home network, including fax servers, printers, file servers, and database servers.

Firewall 82 is either a device or an application that controls the access between internal LAN 84 and external public untrusted networks such as the Internet or a PSTN. Firewall 82 tracks and controls communication, deciding where to pass, reject, encrypt, or log communications, and requires that these communications adhere to a defined security policy. Firewall 82 normally functions in four areas: access control; authentication; optional encryption/decryption; and routing. Firewalls manufactured by Check Point Software Technologies Ltd. and Raptor Systems, Inc. each have these capabilities.

Access control is the firewall mechanism to grant access to a class of users or to a class of users that use specific protocols, such as HTTP (the Internet access protocol). Access control is established by setting up user definitions, server and gateway definitions, and establishing protocols. Access control in a firewall is rule-based in that a security rule defines the relationship between the definitions.

Authentication is a mechanism to verify the authenticity of both the sender and the message. Broadly, authentication may encompass three types of technology: (1) password based; (2) token based; and (3) biometric. Authentication grants access privileges to specific users to access specific network resources and/or specific network applications.

Encryption/decryption is an optional mechanism to transform a message so that the encrypted message can only be read with the aid of some additional information (a key) known to the sender and the intended recipient alone. In secret key encryption, the same key is used to encrypt a message and then to decrypt it. In public key encryption, two mathematically related keys are used, one to encrypt the message and the other to decrypt the message.

Routing is a firewall mechanism to determine which network resource(s) should receive the message. In a typical firewall, a user, or user groups, can be routed to one or more destinations on the basis of certain rules. Because these rules require set-up and maintenance, the routing is typically controlled with broad rules for large groups of people or systems.

Firewalls are installed to address the threats of hostile external network intrusion but have limited abilities to reduce or eliminate internal network vulnerabilities or social engineering attacks as discussed below. Firewalls are generally rules-based products where a typical rule may be "Marketing users can get to the Internet Server only with HTTP".

Network Management

An enterprise network is a network for an enterprise, including multiple LANs, routers and servers, typically geographically separated. The networks of the enterprise network can be connected together over a wide area network. Enterprise network management that has evolved from the mainframe environment is still centered mainly on the operating systems and is mostly manual and resource intensive. Numerous tools have been developed to aid in network management. Routers are normally configured and managed with a Telnet tool. Telnet also is used for remote control of routers, firewalls, and servers.

Simple Network Management Protocol (SNMP) is used to manage network nodes and to monitor operation. Servers are generally manually configured with users manually coded into a user control program. Other tools include capacity planning, fault management, network monitoring, and performance measurement.

A router or routing/switching device is used in enterprise networks to route user messages and files to and from internal LAN 60 and an external WAN 58. The routing device can recognize that the user workstation 86 has issued a destination address not located on LAN 60 for a message or for a file transfer and, therefore, that the message or file needs to be forwarded to external WAN 58. Similarly, the routing device can recognize a destination address on WAN 58 for a resource on its internal LAN 60, and therefore the device will forward that WAN 58 message or file to the internal network served by the router.

An analogy to this data network routing is the operation of the PSTN (Public Switched Telephone Network). When a seven-digit number is dialed, if the first three digits are a valid local exchange, the call will remain in the local exchange. Similarly, when the NetID of the destination IP address is the same as the NetID of the local network, the data packets will remain on the LAN. If a ten-digit number is dialed, and the first three digits are a valid area code, the call will be routed to the long distance network. Similarly, when the NetID of a destination IP address is different from the NetID of the local network, the data packets will be forwarded to the WAN.

Routing devices generally use one or more methods for obtaining routing instructions. First, routers have static routing instructions that are manually coded into the routing instructions. This manual coding may be by user interaction with a router operating system, such as Cisco IOS, or by downloading the coding over the network through Telnet or SNMP. Second, the router may learn routing instructions through routing protocols such as RIP or IGRP. These protocols communicate with other routers on the network and share routing information.

Servers

Computers with network interfaces and special multi-user software are used as LAN and WAN servers. A LAN server 84 may often be called a file server. Examples of network servers are WINS (Windows Internet Naming Server), DNS (Domain Name Server) and DHCP (Dynamic Host Control Protocol) server, Internet server, and Intranet server.

Security

As enterprise-wide data networks have expanded, the need for network security has increased. Firewall and encryption technologies, as described in the prior art, have been developed to address some of the network security needs. However, the majority of network security problems is not being addressed by current technological solutions.

The largest reported losses in network security come from internal theft and sabotage. Internal networks are normally open so that many users have root level control, which allows operators to do everything on servers including copying files, planting viruses, and erasing all information. Disgruntled employees can take advantage of such an open network to perform illegal acts.

The next largest reported loss is referred to as "social engineering." Social engineering uses social interaction with inside employees to obtain network access information. Covert social engineering activities are typically undertaken when significant theft or espionage is planned, so it normally results in substantial losses.

The other area of reported losses is hostile external network intrusion. A firewall is useful for protecting a network in this area.

Directory Services

Directory services products are generally focused on either LAN or WAN environments. The largest installed base of directory services is Novell's NDS (Netware Directory Services) with over 10 million units installed. NDS is a product focused primarily at the LAN level and used to provide computer workstations 86 with access to shared resources such as file servers or printers in a LAN 60. The Novell product and other similar directory products are proprietary from product manufacturers and are not under the management of any open standards body.

One enterprise level directory technology (X.500) has been used to integrate phone directory information, e-mail, and fax addressing across an enterprise. A directory is a standard database providing distributed, scalable, client/server-based repositories of data that are read much more frequently than modified (for example, user definitions, user profiles, and network resource definitions). User applications can access these directories through directory access protocols (DAPs). In network environments, exemplary DAPs include X.500 directory access protocols and Lightweight Directory Access Protocol (LDAP).

X.500 is a directory service defined by a set of international standards published jointly by the International Standards Organization (ISO) and the International Telecommunications Union (ITU, formerly CCITT) standards bodies. Originally developed in 1988 to be a general e-mail directory, the standards have developed to envision a general global information service. Directory services have been applied, as the name implies, to provide users with a directory of available services.

Architectural View of Directories

FIG. 2 is a prior art functional diagram showing the relationship between the X.500 directory services and the ISO network layers. The top ISO networking layer is an application, such as word processing, fax or e-mail. The bottom layer of the ISO model is the physical layer, such as a twisted pair of wire or fiber optic cable. The current X.500 directory service is an application program that works to manage other application layer programs such as e-mail, phone directories and faxing.

FIG. 3 is a functional block diagram showing the protocol application at the ISO network layers. The protocol developed for the X.500 application to communicate with other applications, like e-mail, was DAP. Recently the LDAP protocol was defined at the network layer to allow communication between routers, firewalls and other network level devices.

For an application to have a unique operation at the lower layers, such as the network layer level, another application program is required to add the specific functionality at the lower layers. For example, to encrypt e-mail, one needs to obtain a product, such as ArmorMail from UL Enterprises, Inc. of Huntsville, Ala. E-mail is an Application layer program and encryption occurs directly before the Link layer. The ArmorMail product creates the bridge between that e-mail application and the Link layer.

FIG. 2 shows the OSI (open system interconnect) reference model that describes communications in the seven hierarchical layers that are shown. Each of these layers provides services to the layer above and invokes services from the layer below. Typically, end users of the communications system interconnect to the application layer, which may be referred to as a distributed operating system because it supports the interconnection and communication between end users that are distributed. The OSI model allows the hiding of the difference between locally connected and remotely connected end users, so the application layer appears as a global operating system. Normally, in a distributed operating system, the global supervisory control for all of the layers resides in the application layer.

Each of the layers contributes value to the communications system. The application layer uses the presentation layer, and is concerned with the differences that exist in the various processors and operating systems in which each of the distributed communications systems is implemented. The presentation service layer uses the session layer, and manages the dialogue between two communicating partners. The session layer assures that the information exchange conforms to the rules necessary to satisfy the end user needs. The session layer uses the transport layer, and creates a logical pipe between the session layer of its system and that of the other system. The transport layer uses the network layer to create a logical path between two systems. The transport layer is responsible for selecting the appropriate lower layer network to meet the service requirement of the session layer entities. This connection is generally thought of as a point-to-point connection. The network layer uses the data link layer, and establishes a connection between the entities and this is based on a protocol for the connection. The data link layer uses the physical layer. The data link layer is responsible for building a point-to-point connection between two system nodes that share a common communication system. The data link layer is only aware of the neighboring nodes on a shared channel. Each new circuit connection requires a new link control. The physical layer is responsible for transporting the information frame into a form suitable for transmission onto a medium.

SUMMARY OF THE INVENTION

The present invention extends the concept of directory services to the management and control of enterprise networks by integrating directory technology, router/gateway management, and server management to form an enterprise network management and network security solution. By integrating directory services to perform these extended functions, a firewall can be deleted or omitted and a stronger implementation of firewall functions can be integrated into other network elements controlled by a master directory. From an architectural standpoint, the present invention provides supervisory control in the network and data link layers, rather than in the application layers as such control is traditionally provided.

An enterprise directory residing on a directory server stores the names, workstations, router/gateways, servers, IP addresses, locations, passwords, and encryption keys for individuals. Periodically, the directory server downloads to each router/gateway across the WAN router/gateway access lists (RALs), thereby controlling all network access across the WAN. Also periodically, the directory server downloads user control files (UCFs) to servers in the network, thereby controlling all server access across the WAN. This directory-based invention thus provides enhanced network control, and enhanced network security.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a prior art network.
FIG. 2 illustrates a prior art architectural block diagram.
FIG. 3 illustrates a prior art architectural protocol block diagram.
FIG. 4 is a functional block illustrating exemplary architecture and topology embodying the directory management of an embodiment of the present invention.
FIG. 5 is a functional block illustrating detailed operation of the network IP management of the present invention.
FIG. 6 is a functional block illustrating an exemplary architecture and topology embodying the directory management according to another embodiment of the present invention.
FIG. 7 is a flow chart illustrating a method according to the present invention.
FIG. 8 is an architectural block diagram according to the present invention.

CONCEPT OF THE INVENTION

An enterprise directory residing on a directory server stores the names, workstations, router/gateways, servers, IP addresses, locations, passwords, and encryption keys for individuals. Periodically, the directory server downloads to each router/gateway across the WAN router/gateway access lists (RALs), thereby controlling all network access across the WAN. Also periodically, the directory server downloads user control files (UCFs) to servers in the network, thereby controlling all server access across the WAN. This directory-based invention thus provides enhanced network control, and enhanced network security.

The directory uses the concepts of objects and object attributes. The users, router/gateways, and servers are objects. The IP address, password, privileges, and location are attributes of each user, server, and router/gateway. Another attribute of each router/gateway is the RAL. The RAL defines the operation of the router/gateway (i.e., defines which IP addresses will be routed to which destination). Because the directory knows the location and IP address of each user, and the location and IP address of each router/gateway, a directory application can periodically populate the RAL in each router/gateway on the network using LDAP. Entries in the directory thereby control the entire network and the network router/gateway configuration management is automated.

Network servers can be both physical and logical devices. A physical server located in an accounting department may contain a number of logical servers such as payroll, accounts receivable, accounts payable, etc. Access to these logical servers is controlled by user authentication and user privileges contained in the UCF on that server. The directory contains both the users and servers as objects. Directory user attributes include the authentication criteria and privileges for each server in the network. Directory attributes for each server include the name of the UCF and the UCF contents. A directory application would then periodically populate the UCFs in each server with the directory user information. Entries in the directory then control access to all servers across the enterprise.

Because the user and user server access are tightly coupled and easily managed in the directory, the company can greatly restrict root level access, which typically allows server files to be modified, deleted, or copied. Such access is a major target for disgruntled employees. The ability to instantly change users and user access control directly affects the greatest source of network loss for many corporations. Passwords are a user attribute in the directory. Because the user and user passwords are tightly coupled and easily managed in the directory, the company can easily automate a password control program. The directory also manages e-mail, so the new password can be automatically distributed by secure e-mail. Effective password management can aid in reducing the second greatest network threat of security loss, i.e., loss due to social engineering.

Hostile external intrusion is the third area of network security. The present invention can replace the user authentication function of the firewall with the distributed user authentication of the directory services. Each router/gateway in the system will pass information only for the designated users. Logical servers have authentication services specific to that server. That individual server authentication can be password, token, or biometric. This distributed authentication provides greatly enhanced security over a firewall-protected network.

The present invention provides access control by directory management of RALs, and also provides user authentication capabilities that are associated with server access lists. The methods and means for authentication are currently by Microsoft NT servers or Sun Microsystems servers. This server-based authentication is generally adequate for small networking environments but may not be adequate for large enterprise networks.

To define enhanced security greater than the current server-based security, this invention uses certificates defined with the public key structure of X.509. X.509 is a subset of X.500 so that the X.509 public key structure is an integral part of the X.500 directory.

Certificates are a strong user authentication concept, exceeding firewall authentication, and can be integrated into directory services. Certificates represent flexible enabling technology, which allows clients and servers to authenticate themselves to each other, and set up an encrypted channel for the duration of a communication session. Certificates can be used to secure the communication link, the user identity, integrity of the data and confidentiality of the information. A corporation can issue certificates to its employees, customers, suppliers, contractors, and other business partners. These certificates can then be used to grant/deny access to sensitive network resources on the WAN.

A certification authority (CA) is a third-party authority responsible for issuing certificates to identify a community of individuals, systems or other entities which make use of a computer network. By digitally signing the certificates it issues, the CA vouches for the identity and trustworthiness of certificate owners. Network users possess the CA's own, self-signed public key certificate (often referred to as the "root key"), and use it to verify other users' certificates. In doing so, they have assurance that others are who they say they are, and know that the CA (whom they recognize and trust) vouches for them.

The invention integrates the directory attributes of public/private keys and associates the keys with employee, vendor, and customer directory objects to provide a level of security and protection unavailable in prior art. By providing such general and generic control of enterprise security, the present invention allows the directory to define security policy on a user basis, whether this user is internal or external to the network, and provides as many options as there are users times the number of network controllable elements.

DETAILED DESCRIPTION

The present invention is a management system and method for an enterprise network. The invention can provide security by integrating directory technology with router/gateway management and server management.

FIG. 4 is a functional block diagram illustrating an exemplary architecture and topology of an enterprise network 98 according to the present invention. A master directory, preferably implemented with X.500 or other standards, is located on a server 100 at a central location on an enterprise network on a LAN 101. Distributed directories may be located on remote servers 105 in the enterprise network on LAN 106. Master directory 100 and distributed directories 105 contain objects and object attributes. The distributed directories may be synchronous with the master directory. In the embodiment of the present invention, the objects may be individuals' names, workstations, servers, and network routers/gateways. The individuals' names may be the names of employees, vendors, or customers. The user attributes are preferably the IP address, location, password, and encryption keys. The user IP address contains the user location; the NetID field of the IP address identifies the LAN on which the user is located and therefore the location. The router/gateway attributes preferably are IP address, location, and router access list (RAL). The server attributes preferably are IP address, location, and the name of the user control file (UCF).

Relying on the user location, by designating the address of the LAN to which the user is resident, the directory services will download the RALs to the router/gateway to allow or deny access for each user to the WAN, depending upon the access privileges of that user contained in the directory. For example, master directory 100 may contain the users of LAN 111, and the NetID of the users' TCP/IP addresses will designate that they are associated with router/gateway 112. The RAL for router/gateway 112 resides in master directory 100 and is downloaded through router/gateway 102 and WAN 120 into router/gateway 112. After this download, only the users of LAN 111 that have privileges to use WAN 120 as set in master directory 100 will be able to be forwarded by router/gateway 112 to WAN 120. Complete control of WAN access is thereby controlled by directory entries.

To download the RAL to each router/gateway, a directory support application program (RAL-AP) is enabled. The RAL-AP scans the directory and determines the router/gateway association of each user in the directory. RAL-AP then generates the RALs for each router/gateway in the network. In the embodiment of FIG. 4, the RAL-AP would be an application in directory 100. The RAL-AP first pushes the RAL for router/gateway 102 by locating the IP address of the router/gateway 102 in the directory and pushes the data with the LDAP protocol. Using WAN 120, the RAL-AP pushes the RAL to each respective router/gateway found in the directory. In the embodiment of FIG. 4, router/gateways 107 and 112 would be similarly configured.

Similarly, user control files (UCFs) are attributes of servers in the directory. User privileges, set in the directory, define which servers each user can access. These UCFs are downloaded to each server in the directory structure. For example, server 113, resident on LAN 112, may contain the payroll records files, accounts receivable records files, and accounts payable records files all individually organized as logical servers inside physical server 113. Each of these logical servers will have a UCF associated with that server. The name of each logical server control file and the contents of that UCF are resident in master directory 100. Periodically, master directory 100 will reconstruct the individual server's UCF based on the latest user privileges defined in the master directory 100 and download that UCF to the appropriate
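The following toy model, an added example rather than code from the patent, shows the RAL-AP and UCF-AP mechanism of the detailed description together with the NetID forwarding rule from the background's PSTN analogy: users, router/gateways and logical servers are directory objects, the RAL of every router/gateway is derived from which users share its LAN NetID and hold the WAN privilege, and each logical server's UCF is rebuilt from the per-server privileges on the user objects. The class names, attribute names and the sample directory are assumptions constructed for the demonstration.

```python
"""Directory-driven RAL and UCF generation (added example, not the patent's code).

User, RouterGateway, LogicalServer and their attribute names are assumptions;
the directory contents at the bottom are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    ip: str                                   # attribute: IP address; its NetID is the location
    wan_access: bool                          # privilege: may be forwarded onto the WAN
    server_privileges: dict = field(default_factory=dict)   # logical server -> set of privileges


@dataclass
class RouterGateway:
    name: str
    lan: str                                  # NetID of the LAN it serves, as CIDR
    ral: list = field(default_factory=list)   # attribute: router access list, populated by RAL-AP


@dataclass
class LogicalServer:
    name: str
    ucf_name: str                             # attribute: name of the UCF on the server
    ucf: dict = field(default_factory=dict)   # attribute: UCF contents, populated by UCF-AP


def same_net_id(ip: str, lan: str) -> bool:
    """PSTN analogy from the patent: same NetID means the traffic stays on the LAN."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(lan, strict=False)


def generate_rals(users, routers):
    """RAL-AP: scan the directory, associate each user with a router by NetID,
    and emit a permit entry only for users holding the WAN privilege."""
    for router in routers:
        router.ral = [("permit", u.ip) for u in users
                      if same_net_id(u.ip, router.lan) and u.wan_access]
        router.ral.append(("deny", "any"))    # everyone not designated is dropped
    return {r.name: list(r.ral) for r in routers}


def router_forwards(router: RouterGateway, src_ip: str, dst_ip: str) -> bool:
    """Would this router/gateway forward a packet from src_ip to dst_ip onto the WAN?"""
    if same_net_id(dst_ip, router.lan):
        return False                          # destination is local: never leaves the LAN
    for action, target in router.ral:         # first matching RAL entry wins
        if target == "any" or target == src_ip:
            return action == "permit"
    return False                              # no RAL downloaded yet: nothing passes


def generate_ucfs(users, servers):
    """UCF-AP: rebuild each logical server's UCF from the user objects' privileges."""
    for server in servers:
        server.ucf = {u.name: set(u.server_privileges[server.name])
                      for u in users if server.name in u.server_privileges}
    return {s.name: {k: set(v) for k, v in s.ucf.items()} for s in servers}


def server_allows(server: LogicalServer, user_name: str, privilege: str) -> bool:
    """Server-side check against the downloaded UCF; an absent user has no access."""
    return privilege in server.ucf.get(user_name, set())


# Constructed sample directory; numerals echo FIG. 4 but the addresses are invented.
USERS = [
    User("alice", "10.111.0.5", wan_access=True,  server_privileges={"payroll": {"read"}}),
    User("bob",   "10.111.0.9", wan_access=False, server_privileges={"payroll": {"read", "write"}}),
    User("carol", "10.107.0.7", wan_access=True),
]
ROUTERS = [RouterGateway("router112", "10.111.0.0/16"),
           RouterGateway("router107", "10.107.0.0/16")]
SERVERS = [LogicalServer("payroll", "payroll.ucf"),
           LogicalServer("accounts_receivable", "ar.ucf")]

if __name__ == "__main__":
    for name, ral in generate_rals(USERS, ROUTERS).items():
        print(name, ral)
    print(generate_ucfs(USERS, SERVERS))
    # bob is on router112's LAN but lacks the WAN privilege, so the RAL denies him
    print(router_forwards(ROUTERS[0], "10.111.0.9", "192.0.2.10"))
```

Re-running generate_rals after flipping a user's wan_access attribute yields the new RAL immediately, which is the "instantly change users and user access control" property the concept section relies on.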
